"Overall, companies will need to do more detailed work to understand the data they have to determine specifically what type of data is collected, used, and shared — and for what purposes."Jodi Daniels, Red Clover Advisors
Last fall, we shared our Definitive Guide to the CCPA. Barely a year later, we’re back to explore the latest privacy act under consideration: The California Privacy Rights Act of 2020, or CPRA, which will appear on California’s November ballot.
We’ll outline what the CPRA is, how it differs from the CCPA, and how its passage may impact publishers’ monetization efforts.
Please note: This article for informational purposes only. Please speak to a lawyer before determining how the CPRA may affect your business.
What is the CPRA?
The CPRA, or California Privacy Rights Act of 2020, serves as an addendum to the CCPA (California Consumer Privacy Act), which was passed in 2018 and went into effect this past January.
The CPRA expands California users’ access, notice, and deletion rights to align more closely with the General Data Protection Regulation (GDPR) for EU residents.
The CPRA was created by the Californians for Consumer Privacy, the same organization that drafted the CCPA. The group hopes to amend the CCPA by addressing its shortfalls and by expanding on consumers’ rights. The act was submitted to California’s Attorney General last fall with more than 900K signatures — far beyond the 600K signatures required for statewide ballot initiatives.
If passed, the CPRA will be effective January 1, 2023 and enforced July 1, 2023 by a new, dedicated agency — the California Privacy Protection Agency — which could allow greater scrutiny than California’s Attorney General.
Like the CCPA, the CPRA will be an opt-out law with a one-year lookback window — in this case, for any personal data collected on California consumers starting January 1, 2022.
The CPRA also applies to large, for-profit companies doing business in California — but narrows its scope to exempt businesses that buy, sell, or share personal data on fewer than 100K users:
- Those with $25M in annual gross revenue, and/or
- Those that generate more than 50% of annual revenue from data sales, and/or
- Those that “alone or in combination, annually buys or sells, or shares the personal data on 100K+ California residents or households” (vs. 50K+ under the CCPA)
- Businesses that voluntarily comply with the law and certify themselves with the California Privacy Protection Agency
Businesses that annually buy, sell, or share personal data on more than 50K — but fewer than 100K — California users or households must still comply with the CCPA.
While the CPRA raises the threshold of applicable businesses, it tightens restrictions for Google, Facebook, and other tech giants by clarifying the CCPA’s ambiguous terms and expanding users’ rights.
CPRA vs. CCPA: How do they differ?
The CPRA has been described as “the CCPA on steroids” and hopes to build on the current state law, which legislators could weaken over time. It offers a narrower scope and more stringent guidelines than the CCPA — as well as clarity on ambiguous terms.
Whereas the CCPA began as a ballot initiative but became a law (that can be amended through legislation), the CPRA remains a ballot initiative that will be put to the vote in November. If passed, the CPRA can be amended only through another statewide vote — putting control in the hands of California users rather than lawmakers.
|Scope||CA residents||CA residents|
|Consent||Opt-out; opt-in for minors under age 13||Opt-out; opt-in for minors under age 16|
|Personal information||Includes pseudonymous and sensitive data for individuals and households||Creates additional subcategory of ‘Sensitive Personal Information’ (SPI), including login credentials and passwords, government ID numbers (Social Security, state ID, passport) personal communications, race, ethnicity, religion, union membership, sexual orientation, biometric data (from health trackers), and precise geolocation data|
|Rights||Includes access and deletion without penalty||Includes access, deletion, and correction without penalty and “through easily accessible self-serve tools” (Sec. 3A)|
|Opt-out requirements||“Do Not Sell My Personal Information” button for California residents||“Do Not Sell or Share My Personal Information” button for California residents |
“Limit the Use of My Sensitive Personal Information" link for companies that collect sensitive data
|Enforcement||California Attorney General||California Privacy Protection Agency|
|Penalties||Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher |
$2,500 for unintentional breaches; up to $7,500 for intentional breaches
|Expands CCPA penalties to $7,500 for data breaches of California users under age 16|
By adding “sharing” to the opt-out requirement, the CPRA clears up confusion on the CCPA’s “selling” of personal information — and will allow users to opt-out of any third-party cookie collection on websites and apps.
Key definitions and provisions for publishers
The CPRA includes several new terms and provisions that can impact publishers’ abilities to monetize and manage user data:
Contractors and third parties
The CPRA expands on the CCPA’s definition and regulation of service providers to include contractors and third parties with contractual agreements — and to align more closely with the GDPR’s regulation of “data processors.”
Under the CPRA (Section 14):
- “Service provider” means a person that processes personal information on behalf of a business and which receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract…”
- “Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract…”
- “Third party” applies to all others who have access to a user’s personal information
Publishers that sell or share the personal information of California users will be held responsible for how that data is used and managed by their partners and ad tech vendors.
Data retention limitations
Under the CPRA, companies will be required to state the length of time users’ personal data will be retained, the criteria used to determine it — and, according to Section 4, assess that data more frequently to protect themselves against data breaches by maintaining data “longer than is reasonably necessary for that disclosed purpose.”
“Sale” and “cross-context behavioral advertising”
Section 14 of the CPRA clears up the confusion of the term “sale” under the CCPA by including “sharing” of California users’ personal data:
"Share," "shared," or "sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer's personal Information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged.
"Cross-context behavioral advertising" means the targeting of advertising to a consumer based on the consumer's personal Information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
Google, Facebook, and other walled gardens that have claimed they’re not “data sellers” under the CCPA could face new limitations to the user data required for their targeted advertising tactics under the CPRA.
As with the CCPA, the CPRA does not require an opt-out for cookies required for site/app performance, such as remembering shopping cart items, shipping information, or website analytics. The opt-out prevents data selling or sharing for commercial benefit — activities that monetize personal information for company profit.
Sensitive personal information
The CPRA allows users to opt-out of their most personal data, such as their login credentials and passwords, Social Security and passport numbers, genetic data, sexual orientation, religious beliefs, and more.
Companies that process “sensitive personal information” will have to fulfill additional requirements for data management based on users’ opt-out preferences, including annual security audits. Audit guidelines will be determined by the new enforcement agency.
According to Ad.Product member and Red Clover Advisors founder and CEO Jodi Daniels, “The CPRA moves us closer upstream to GDPR. It’s not a direct comparison, but it does allow someone the opportunity to limit the use of sensitive information.”
Given the strong support for this ballot initiative — which will be determined with a simple ‘yes’ or ‘no’ vote on Election Day — we anticipate the CPRA will become law.
If it does, we’ll update this guide to include how to ensure compliance with the 2022 look-back period and 2023 effective date.
In the meantime, here are some recommended reads that offer additional CPRA context and clarity :
- Official CPRA text
- What is the California Privacy Rights Act (CPRA)? - Red Clover Advisors
- CPRA's top-10 impactful provisions - IAPP
- CPRA promises short-term consumer benefits, long-term uncertainty - IAPP
- The California Privacy Rights Act (CPRA) Will Change the Privacy Landscape Again If Approved in November - KO Firm
Share your CPRA questions and update requests
If the CPRA passes in November, we’ll be updating this guide to help you prepare. What questions can we answer and concerns can we address?
Join the discussion in our LinkedIn group and let us know how we can help — and what CPRA insights you’d like to share.
Join the Ad.Product community
Sign up for our monthly newsletter and to be notified of member-exclusive events and opportunities.
Ad.Product is the first community for product managers, engineers, and others to discover and discuss how to build innovative, user-first ad platforms.