Last fall, we shared our Definitive Guide to the CCPA. Just one year later, we’re back to explore the latest privacy act approved by California voters: The California Privacy Rights Act of 2020, or CPRA, which appeared on California’s statewide ballot.
Please note: This article is for informational purposes only. Please speak to a lawyer before determining how the CPRA may affect your business.
The CPRA, or California Privacy Rights Act of 2020, serves as an addendum to the CCPA (California Consumer Privacy Act), which was passed in 2018 and went into effect this past January.
The CPRA expands California users’ access, notice, and deletion rights to align more closely with the General Data Protection Regulation (GDPR) for EU residents.
The CPRA was created by the Californians for Consumer Privacy, the same organization that drafted the CCPA. The group wanted to amend the CCPA by addressing its shortfalls and by expanding on consumers’ rights. The act was submitted to California’s Attorney General last fall with more than 900K signatures — far beyond the 600K signatures required for statewide ballot initiatives.
Like the CCPA, the CPRA is an opt-out law with a one-year lookback window — in this case, for any personal data collected on California consumers starting January 1, 2022.
The CPRA also applies to large, for-profit companies doing business in California — but narrows its scope to exempt businesses that buy, sell, or share personal data on fewer than 100K users:
While the CPRA raises the threshold of applicable businesses, it tightens restrictions for Google, Facebook, and other tech giants by clarifying the CCPA’s ambiguous terms and expanding users’ rights.
The CPRA has been described as “the CCPA on steroids” and builds on the current state law, which legislators could weaken over time. It offers a narrower scope and more stringent guidelines than the CCPA — as well as clarity on ambiguous terms.
Whereas the CCPA began as a ballot initiative but became a law (that can be amended through legislation), the CPRA remained a ballot initiative for voters to decide on Election Day. Now that it has passed, the CPRA can be amended only through another statewide vote — putting control in the hands of California users rather than lawmakers.
| | CCPA | CPRA |
|---|---|---|
| Scope | CA residents | CA residents |
| Consent | Opt-out; opt-in for minors under age 13 | Opt-out; opt-in for minors under age 16 |
| Personal information | Includes pseudonymous and sensitive data for individuals and households | Creates an additional subcategory of “Sensitive Personal Information” (SPI), including login credentials and passwords, government ID numbers (Social Security, state ID, passport), personal communications, race, ethnicity, religion, union membership, sexual orientation, biometric data (from health trackers), and precise geolocation data |
| Rights | Includes access and deletion without penalty | Includes access, deletion, **and correction** without penalty and “through easily accessible self-serve tools” (Sec. 3A) |
| Opt-out requirements | “Do Not Sell My Personal Information” link for California residents | “Do Not Sell **or Share** My Personal Information” link for California residents; “Limit the Use of My Sensitive Personal Information” link for companies that collect sensitive data |
| Enforcement | California Attorney General | California Privacy Protection Agency |
| Penalties | Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher; $2,500 for unintentional breaches; up to $7,500 for intentional breaches | Expands CCPA penalties to $7,500 for data breaches of California users under age 16 |
By adding “sharing” to the opt-out requirement, the CPRA clears up confusion over the CCPA’s “selling” of personal information — and will allow users to opt out of any third-party cookie collection on websites and apps.
The CPRA includes several new terms and provisions that can impact publishers’ abilities to monetize and manage user data:
The CPRA expands on the CCPA’s definition and regulation of service providers to include contractors and third parties with contractual agreements — and to align more closely with the GDPR’s regulation of “data processors.”
Under the CPRA (Section 14):
Under the CPRA, companies will be required to state how long users’ personal data will be retained and the criteria used to determine that period. According to Section 4, they must also review that data more frequently, since retaining it “longer than is reasonably necessary for that disclosed purpose” is prohibited and needlessly widens their exposure in a data breach.
Section 14 of the CPRA clears up the confusion of the term “sale” under the CCPA by including “sharing” of California users’ personal data:
"Share," "shared," or "sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
"Cross-context behavioral advertising" means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
Google, Facebook, and other walled gardens that have claimed they’re not “data sellers” under the CCPA could face new limitations to the user data required for their targeted advertising tactics under the CPRA.
As with the CCPA, the CPRA does not require an opt-out for cookies required for site/app performance, such as remembering shopping cart items, shipping information, or website analytics. The opt-out prevents data selling or sharing for commercial benefit — activities that monetize personal information for company profit.
The CPRA allows users to opt out of the use of their most sensitive personal data, such as their login credentials and passwords, Social Security and passport numbers, genetic data, sexual orientation, religious beliefs, and more.
Companies that process “sensitive personal information” will have to fulfill additional requirements for data management based on users’ opt-out preferences, including annual security audits. Audit guidelines will be determined by the new enforcement agency.
According to Red Clover Advisors founder and CEO Jodi Daniels, “The CPRA moves us closer upstream to GDPR. It’s not a direct comparison, but it does allow someone the opportunity to limit the use of sensitive information.”
"Overall, companies will need to do more detailed work to understand the data they have to determine specifically what type of data is collected, used, and shared — and for what purposes."
Jodi Daniels, Red Clover Advisors
If any of the following applies to you, you’ll need to comply:
Let’s break this into four steps:
(1) Conduct a data audit
We recommend a detailed audit and risk assessment of the data you have, how it’s used, and with whom you share it (as you’ve likely already done for the CCPA and GDPR). You’ll want to identify what partners you have shared data with, regardless of whether it was for a sale or a business purpose, since January 1, 2022.
For instance, if you’re doing programmatic advertising or data sales, be prepared to provide a list of everyone involved (such as ad servers, exchanges, DMPs, DSPs) to fulfill consumer requests. Group these into categories, noting that any new partner will require you to update your records.
(3) Update your website
Under the CPRA, you’ll need to display a “Do Not Sell or Share My Personal Information” link for California residents:
(4) Make data rights actionable
You’ll want to develop an internal process to delete or correct data upon consumer request, or to cease data sharing upon opt-out. Most likely this will be manual, such as creating a dedicated email address the user has to contact, which is then directed to the relevant party (a product manager, IT team, ad ops, etc.). That person would then enact measures to honor the request, like deleting or correcting the data in internal or external databases. In addition, if you do sell PII, you’ll need to exclude that user’s data from future sales, either manually or through automated exclusion lists.
For publishers doing programmatic advertising or sending ad calls to a third party, it gets a little trickier, as you’ll have to strip PII for that user from future ad requests, including IP, mobile IDs, cookie-syncing IDs, etc. There are a couple of potential paths here:
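As an added illustration of the automated exclusion-list approach described in step 4 (example code written for this article, not taken from the original post or any ad server), the snippet below keeps a salted-hash list of opted-out identifiers and strips IP, cookie-sync IDs, precise geolocation and the identifiers themselves from any outbound ad request that matches. The field names, the salt, and the `opt_out` flag are assumptions; a real ad request schema will differ.

```python
import hashlib

# Fields that identify or locate the user in an outbound ad request (the IP,
# mobile IDs and cookie-sync IDs named above, plus precise geolocation).
# Constructed field names; real ad servers use their own schemas.
PII_FIELDS = ("ip", "cookie_sync_ids", "geo")
# Identifier fields matched against the exclusion list (also stripped).
ID_FIELDS = ("cookie_id", "mobile_id")
# Salt is an assumption: hashing lets ad ops share the list without
# handing around raw identifiers. Protect and rotate it in production.
SALT = b"example-salt"

def fingerprint(identifier):
    """Stable salted SHA-256 of a raw identifier for the exclusion list."""
    return hashlib.sha256(SALT + identifier.encode("utf-8")).hexdigest()

def build_exclusion_list(opted_out_ids):
    """Set of fingerprints for every identifier a user submitted on opt-out."""
    return {fingerprint(i) for i in opted_out_ids}

def is_opted_out(request, exclusion):
    """True if any identifier carried by the request is on the list."""
    return any(fingerprint(str(request[f])) in exclusion
               for f in ID_FIELDS if request.get(f))

def prepare_ad_request(request, exclusion):
    """Copy of the request that is safe to forward to a third party.

    Opted-out users keep only non-identifying context (slot, page); all
    other requests pass through unchanged. The input is never mutated.
    """
    out = dict(request)
    if not is_opted_out(request, exclusion):
        return out
    for field in PII_FIELDS + ID_FIELDS:
        out.pop(field, None)
    out["opt_out"] = True  # constructed flag: partner must not profile
    return out

# Constructed sample: one user who opted out, one who did not.
EXCLUSION = build_exclusion_list(["cookie-abc123"])
OPTED_OUT_REQUEST = {"slot": "leaderboard", "page": "/news",
                     "cookie_id": "cookie-abc123", "ip": "203.0.113.7",
                     "cookie_sync_ids": {"dsp1": "x9"},
                     "geo": {"lat": 37.78, "lon": -122.41}}
REGULAR_REQUEST = {"slot": "leaderboard", "page": "/news",
                   "cookie_id": "cookie-def456", "ip": "198.51.100.2"}
```

Run `prepare_ad_request` on every request immediately before it leaves your systems, so a new partner added later is covered automatically.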
It will pay (or in this case, save) to be fully compliant to avoid penalties.
Unintentional violations of the CPRA may result in fines of $2,500. Intentional breaches of the CPRA can result in fines of up to $7,500.
As with the CCPA, individual consumers can also sue for $100 to $750 per breach or actual damages, whichever is higher.
We expect the CPRA's passage will spark new discussions of a federal privacy law. We’ll be sure to follow those discussions and share what may be next for publishers.
As you prepare for the CPRA, here are some recommended reads that offer additional context and clarity:
Chris has worked in ad tech for over fourteen years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.