California Privacy Rights Act (CPRA) will come into effect from January 2023. As a more strict privacy law, it aims to expand and redefine the existing California Consumer Privacy Act (CCPA). CPRA emphasizes the protection of consumer data and its processing by businesses, with a particular focus on sensitive consumer information.
The digital advertising ecosystem relies heavily on the collection and consumption of data, especially when it comes to targeted advertising. Thus, publishers and advertisers need to understand how the new privacy law will impact their business and what they can do to stay compliant with it.
*Businesses must make the data collected from January 2022 onward available to the consumers concerned.
CCPA & CPRA
Like its European counterpart, the GDPR, the CCPA was introduced to protect consumers from the mismanagement and misuse of their personal data. It gave online users more control over what kind of data their service providers could collect, process, share, or sell. Some of the key rights established by the CCPA include:
- Right to know what kind of personal information is being collected by the service provider
- Right to know how the service provider is processing or selling their personal information
- Right to opt-out of the sale of personal information
- Right to access their information
- Right to have their personal information deleted within certain limitations
Under CCPA, everything from name, address, or biometric data to data related to cookies and browsing history, device identifiers, geolocation data, or other information about how the user interacts with a website, ad, or app is considered ‘personal information’.
CPRA, also known as Proposition 24, was passed on November 3, 2020. It will be effective from January 1, 2023, and will be enforced from July 1, 2023, by the California Privacy Protection Agency (CPPA). CPRA, too, is an opt-out law and has a look-back period of one year. This means businesses must make the data collected from consumers during that period available to them when and if asked.
CPRA amends and expands the provisions introduced by the CCPA and includes stringent penalties. The new amendments and definitions in the CPRA aim to resolve any ambiguity among businesses regarding the jurisdictional authority of the CPRA and the CCPA.
Our article highlights critical information, such as penalties, the scope of using consumer data, and other statutory requirements for publishers that can help them navigate the new law.
What’s New for Publishers in CPRA?
Redefined Criteria for Qualifying as a Business
The CPRA has redefined and added to the criteria stipulated in the CCPA for an organization to qualify as a business. According to CPRA, any legal entity operating for profit, involved in the collection of consumer personal information, and satisfying any of the following conditions can be regarded as a business under the purview of CPRA:
- Organizations with more than $25 million in annual gross revenue; and/or
- Organizations that use the personal data of 100,000 (previously 50,000 in CCPA) or more consumers, either individually or in collaboration with another firm; and/or
- Organizations that derive 50% or more of their annual revenue from selling or sharing consumers’ data.
Takeaway:
The CPRA has increased the consumer-data threshold from 50,000 in CCPA to 100,000. Additionally, the CPRA now counts revenue generated from the sharing of consumer data as part of annual gross revenue. Therefore, the set of companies that qualify under CPRA will differ from the set that qualifies under CCPA.
It is possible that publishers who meet the requirements for CCPA may not qualify as a business under CPRA. However, due to the inclusion of the ‘sharing’ of consumer data under the new law, many publishers who use consumer data for advertising purposes will now be included.
Increased Protection of Sensitive Personal Information
Like the EU’s GDPR, the CPRA has introduced a new category of consumer data that requires heightened protection, called Sensitive Personal Information (SPI). As per CPRA, sensitive personal information can include data related to:
- Government identification numbers, for example, social security number, driver’s license, passport number, etc.
- Financial information, for example, credit card details, account log-in details, passwords, etc.
- Information related to precise geolocation
- Information about racial identity and ethnic, religious, or philosophical beliefs
- Private communications, such as email or text messages
- Genetic or biometric data of consumers
- Health information
- Information related to sexual orientation
CPRA further limits data processing by prohibiting businesses from combining data collected from different sources. As per CPRA, service providers cannot combine first-party, second-party, or third-party data.
The CPRA also highlights additional operational and technical limitations to protect the use and disclosure of consumers’ sensitive personal information. The user will have more control over such information.
For instance, the user will be able to limit data collection to only what is required to provide the intended service. Consent must be obtained again if the data is to be used for additional purposes.
Takeaway:
As per Section 1798.121 of CPRA, publishers that use consumers’ SPI must include a visible link on their website titled ‘Limit the Use of My Sensitive Personal Information’, enabling consumers to restrict the use of their SPI.
Further clarifying the rules related to geolocation, CPRA enables consumers to limit the tracking of their geolocation, for purposes including advertising, to within a 250-acre radius.
The limitation on combining data will further affect publishers when it comes to audience segmentation and targeted advertising. So this is a good time for publishers to focus on first-party data and how they can use it while staying compliant with the rules.
The CPRA also highlights several other requirements to be fulfilled by publishers as per Section 1798.135, related to collecting, sharing, storing, and disclosing consumers’ sensitive personal information to protect consumers’ data privacy.
Introduction of New Consumer Privacy Rights
In addition to clarifying and expanding the scope of consumer privacy rights present in the CCPA, the CPRA has also introduced four new consumer privacy rights:
- Right to Limit Use and Disclosure of SPI: Consumers have the right to limit the use and disclosure of their sensitive personal information.
- Right to Correct Information: Consumers can request a business to correct any inaccuracies about their personal information.
- Right to Access Information About Automated Decision-Making: Consumers have the right to request information about the logic involved in automated decision-making processes used by a business, along with a description of the likely outcome concerning the consumer.
- Right to Opt-out of Automated Decision-Making Technology: Consumers have the right to opt-out of being subjected to automated decision-making processes, such as profiling.
Adding these new rights to the CPRA will allow consumers to know what personal information a business collects and how it is used. Additionally, consumers have the right to opt out of, or limit, the use of their personal data if they choose to do so.
Takeaway:
As per CPRA, publishers must offer at least two ways in which consumers can submit requests related to accessing, changing, or deleting their personal data. Some of the ways publishers can ensure this are request forms, dedicated support emails, or phone numbers.
With the introduction of new consumer privacy rights, publishers need to update their privacy policies to cover the new consumer rights in order to stay compliant. A few key aspects publishers should keep in mind while formulating their privacy policies are:
- Disclosure regarding the collection and use of Sensitive Personal Information
- Clear description of how consumers can access, change, move or delete their personal data
- Consent notices for children under the age of 16, and for parents of children under the age of 13
- Instructions on how users can opt-out of selling or sharing their personal information
Addition of Principles from GDPR
GDPR has served as a template for several new privacy laws worldwide, including CPRA. CPRA adopts certain concepts from the GDPR, such as storage limitations, data minimization, and purpose limitations, which previously were missing in the CCPA.
- Purpose limitations ensure that the consumer information collected by publishers is used only for the purpose disclosed by the publisher when obtaining the user’s consent.
- Data minimization requires publishers to collect only the consumer personal data that is reasonably necessary for the purpose for which it is collected.
- Storage limitations will restrict publishers and other businesses from storing consumer data for durations longer than required for the purposes disclosed by the publisher.
Children’s Data Under CPRA
CPRA sets out special provisions for the personal information of children and minors. The law prohibits businesses from selling or sharing the personal information of consumers under the age of 16 unless the consumer has authorized the sale or sharing. If the consumer is under the age of 13, the consumer’s parent or guardian must provide consent for the selling and sharing of the child’s data. If the consumer (or, for consumers under the age of 13, the consumer’s parent) declines to provide consent, publishers must wait at least 12 months before requesting consent again.
Takeaway:
Violations regarding consumer data of children and minors may lead to penalties of up to $2500 for each violation. If a publisher violates children’s data privacy intentionally, the CPRA imposes a penalty of $7500 for each violation.
Therefore, publishers whose target audience includes children under the age of 16, such as publishers from the education industry, should build a consent management framework to collect and keep track of the consent of their users.
Modifications to CCPA by CPRA
Opt-out of Cross Context Behavioral Advertising
CCPA has a provision that allows consumers to limit publishers from selling their data. However, due to the ambiguity in the word ‘sell,’ many publishers involved in cross-context behavioral advertising were exempted from coming under the purview of this rule.
Behavioral advertising doesn’t strictly require the ‘selling’ of consumer data, so it left most consumers and digital advertising players musing over the concept.
The CPRA has clarified this confusion by including the concept of ‘sharing’ of consumer data within the scope of the rule. As per CPRA, consumers can opt-out of cross-context behavioral advertising, which will restrict businesses from selling or sharing their personal data for advertising purposes.
Additionally, the CPRA also defines what cross-context behavioral advertising is:
“Cross-context behavioral advertising” means targeted advertising based on the user’s personal information obtained from their activity across distinctly branded websites, businesses, applications, or services other than the business, application, distinctly branded website, or service with which the consumer intentionally interacts.
Takeaway:
Publishers must have a clear and conspicuous link on their website, allowing consumers to opt-out of selling and sharing their personal data under CPRA.
Publishers were already obliged under CCPA to have a ‘Do not sell my personal information’ option on their website. However, under the new CPRA provisions, publishers who share consumer data with third parties for behavioral advertising purposes must also have an ‘opt-out’ notice on their homepage, enabling consumers to restrict the sharing of their personal data.
Contractual Requirements
The CPRA requires businesses to have appropriate contracts in place with their third-party service providers and contractors to limit the retention, use, and disclosure of personal information for any purposes other than the services specified in the contract. Such contracts will enable businesses to take control of the consumer data they share with third parties by monitoring its compliance with their contractual provisions. The businesses may conduct manual reviews, automated assessments, and audits at least once a year to ensure that the consumer data isn’t sold or disclosed by their third-party service providers outside the scope of their agreement.
Takeaway:
CPRA requires publishers to have contractual agreements with third parties, service providers, and contractors to ensure privacy while sharing consumer data. Publishers who share consumer data with third-party service providers or ad tech vendors should review their contracts in compliance with CPRA.
The contracts should highlight what consumer data the publishers share and how it is transferred, stored, and utilized by the third party. This will protect publishers from penalties in case of breach or violation by a third party outside of the provisions under the contract.
Security Audit
Although CCPA requires publishers to take appropriate measures to ensure consumer data privacy, the CPRA goes further by imposing stringent auditing requirements. As per the new provisions in CPRA, publishers who collect sensitive personal information (SPI) about consumers must perform annual cybersecurity audits and submit a risk assessment report to the CPPA. The assessment should weigh the risks and benefits resulting from consumer data processing. If the risks to consumer privacy outweigh the benefits, such data processing can be restricted or prohibited by the CPPA under the provisions of the CCPA and CPRA.
Takeaway:
Publishers should conduct a data inventory audit to identify whether any consumer data they collect falls under the sensitive personal information category. Publishers should also keep track of which third-party service providers have access to consumer data and how it is stored and shared. Since CPRA has strict policies to avoid breaches of sensitive personal information, publishers should also perform annual audits to track any risks to their data collection and storage frameworks.
Right of Private Action and Penalties for Violations
The CCPA has provided the right of private action to consumers against a business for breaches related to consumers’ personal information and sensitive personal information. This means users can sue companies for breaches related to their personal information.
The CPRA has altered the scope of this provision by allowing consumers the right of private action only in the case of a breach of non-encrypted and non-redacted data. Additionally, the CPRA makes breaches involving an ‘email address in combination with password or security question and answers that can grant access to the account’ subject to a right of private action.
Consumers can seek compensation from the court related to the breach in the following ways:
- Damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater
- Injunctive or declaratory relief
- Any other relief the court deems proper
Penalties:
If a publisher is found to be in violation of CPRA, the law provides for civil penalties of up to $2500 per violation, and $7500 per violation if the court deems the violation intentional. Additionally, CPRA introduces a new penalty of up to $7500 for violations (even if unintentional) of the consumer privacy rights of minors.
The CPRA also states that third-party service providers and contractors will be liable for their own violations. However, since publishers remain responsible for protecting the consumer data they have collected, violations by a third party can attract penalties for the publisher if the publisher is not protected by a contractual agreement with that third-party service provider.
The CPRA has also eliminated the CCPA provision under which a publisher or business could avoid penalties by addressing and correcting the violations within 30 days of being notified.
What the Future Holds
CPRA is currently among the most stringent consumer privacy laws in the United States. With several other state regulations ready to come into effect in 2023, publishers should prepare themselves for the upcoming changes. With new privacy laws in Colorado, Connecticut, Utah, and Virginia shaping up, publishers must stick to certain best practices to stay compliant with privacy laws.
As the sharing and retention of consumer data appears to be the primary focus of most upcoming privacy laws, publishers should consider using consent and data management platforms to keep track of their data processing activities.
The CPRA has significantly improved upon the consumer data privacy provisions of its predecessor, the CCPA. Updating their privacy frameworks to meet CPRA requirements should be a priority for publishers in order to avoid violations. Additionally, publishers should ensure their third-party service providers and ad tech partners are CPRA compliant, and put contractual agreements in place to protect themselves in case of a violation.