After the enforcement of the CCPA, the state of California is bringing another privacy law for its citizens. The new law is the California Privacy Rights Act (CPRA). Some industry experts are also calling it CCPA 2.0. So, let’s dive into this CPRA guide for publishers.
The CPRA has qualified as a ballot initiative for the November 2020 general election. If it passes, there will be a significant expansion of the rights of California citizens. The CPRA will amend the CCPA: it will bring more clarity to the CCPA, but the CCPA will also become more stringent. Let’s have a look at some of the major changes that will come with the CPRA.
Table of Contents
- CPRA Timeline
- California Privacy Protection Agency (CPPA)
- New Introductions
- Modifications to CCPA
- What’s Next?
CPRA Timeline
The ballot will take place in November 2020. If passed, the provisions of the law will apply to all data collected after January 1, 2022. The law itself will go into effect after January 1, 2023.
California Privacy Protection Agency (CPPA)
The CPPA will be a new agency with the sole purpose of implementing and enforcing the CCPA and the CPRA. It will be the first agency of its kind in the USA. The agency will have five board members appointed by the Governor, the California Attorney General, the California Senate Rules Committee, and the Speaker of the California State Assembly. The new agency will have many rights and responsibilities, such as conducting its own hearings, subpoenaing witnesses, compelling their testimony, taking evidence, and imposing fines. The fines can go up to $7,500 per violation.
The agency will also spread awareness about privacy risks. Beginning in 2021-2022, the agency will receive a minimum of $10 million in annual funding. In this way, the agency will be well equipped to enforce the privacy regulations for the state’s citizens, online as well as offline.
New Introductions
Sensitive Personal Information
After the CPRA, the personal information category in the CCPA will have a new subcategory called ‘Sensitive Personal Information’ (SPI). This subcategory will include personal information such as government identification numbers (social security, driver’s license, state identification card, and passport numbers), log-in details, credit card numbers, geolocation, health data, etc.
The user will have more control over such information. For instance, the user will be able to limit the collection of this data to the extent required to provide the intended service. Consent has to be obtained again if the data is to be used for additional purposes.
Generally, online ads do not use such data. So, if you are a publisher generating revenue only through ads, you don’t have to worry about this clause. But if you are using such data, your CMP should be able to manage SPI-related requests just as it already does for personal information.
Right to Correct Inaccurate Personal Information
The CPRA will give the user the right to correct any inaccurate personal information stored by a publisher or any other ad tech vendor. The CCPA did not have such a provision; it only allowed consumers to request the deletion of their PI.
Businesses that collect PI must disclose the right to request corrections to users. The collectors of the data, whether publishers or their ad tech partners, are required to correct the PI upon receiving a request. Users must be offered at least two ways to send correction requests. Online-only businesses are required to accept requests through their websites and by email.
Children’s Data under CPRA
When a publisher or any other ad tech vendor knows that a user is under the age of 16, mishandling that user’s data can attract a $7,500 fine for every violation. If you are unaware that the user is underage, the fine can be $2,500. The user must opt in before you can use his/her data. If an underage user does not consent to the sale or sharing of his/her data, you cannot ask again for 12 months. An opt-out mechanism to specify that the user is under 13 (set by parents) or under 16 years old may also be set up in the future.
So you have to ask for the user’s age, and the user has to opt in before you use the data.
Audits and Risk Assessments
Publishers and ad tech vendors have to conduct annual audits and regular risk assessments if their data processing presents significant risks to consumer privacy or security. They have to submit their risk assessments to the CPPA (California Privacy Protection Agency). The assessment weighs the risks and benefits resulting from the processing. If the risks to the consumer’s privacy outweigh the benefits, such data processing can be restricted or prohibited.
Automated Decision Making
This new addition by the CPRA is very similar to the GDPR’s existing provisions on automated decision-making. Users will have access and opt-out rights regarding the use of automated decision-making technology, including ‘profiling.’
Profiling refers to the analysis or prediction of a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, movements, etc.
Businesses have to provide meaningful information about the logic used in their automated decision-making. They also have to inform the user about the kind of outcome the automated process will produce.
Publishers are generally not involved in profiling; the ad tech vendors who serve the ads are the ones who do it. Still, if you are using automated decision-making for profiling, you can follow what GDPR-compliant parties already do:
- Find out what kind of automated decision-making processes are running on your site.
- Understand the processes and document them. Include the logic and the outcome of the processes in your documentation.
- Explain the complete information in your privacy notice.
Please note that better, readily available solutions will come up once the CPRA is confirmed.
Data Retention under CPRA
You have to inform the user how long you will retain their data. The criteria used to determine that period have to be communicated as well. The CPRA’s goal is to stop businesses from retaining data for longer than necessary.
Modifications to CCPA
Opt-out of cross-context behavioural advertising
The CCPA introduced the “Do not sell my personal information” rule, but there was a lot of ambiguity around the definition of ‘sell.’ Because of this ambiguity, many parties involved in cross-context behavioural advertising, like Google and Facebook, were avoiding falling under the purview of this rule.
The CPRA now brings the concept of “sharing” into the picture by defining the term. Under that definition, sharing data for cross-context behavioural advertising is treated like selling data. So the user must have the facility to opt out even when the data is only being shared for cross-context behavioural advertising.
The CPRA has also defined what cross-context behavioural advertising is:
“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
In plain terms, it means observing the user’s behaviour across the web and then targeting ads to the user based on that observed behaviour.
Private Right of Action and Statutory Damages
The CCPA already gave California residents a private right of action. Under that law, users could sue companies for breaches of non-encrypted, non-redacted personal information. The list of such PI was already long and included name, social security number, driver’s license number, California identification card number, tax identification number, passport number, military identification number, etc. Now, this list will also include an “email address in combination with a password or security question and answer that would permit access to the account.”
Any failure to protect such PI can attract:
- a) damages of between $100 – $750 per consumer per incident, or actual damages, whichever is greater;
- b) injunctive or declaratory relief; or
- c) any other relief the court deems proper.
What’s Next?
Don’t take the CPRA as a brand new privacy law; it is more like an amendment to the existing CCPA. Currently, it is not approved, so it’s best to wait and watch until the election. If it is approved, you will have to identify the data you have been collecting so far and understand the category of each data point. Do not collect any data point that isn’t necessary.