CPRA Passes in California, Here’s What Changed

The Consumer Privacy Rights Act (CPRA), which was on the ballot as Proposition 24, passed in California earlier this month with a 56.1% vote.

CPRA is an amendment to the California Consumer Privacy Act (CCPA), the 2018 online privacy regulation protecting the data rights of Californians. Given that CPRA builds on existing regulation, many in the ad tech community are referring to it as CCPA 2.0.

CPRA will become enforceable on July 1, 2023, but once in effect, the regulator can challenge businesses failing compliance from January 2022 onwards. That still gives businesses over one year of lead time, starting now, to update their consent management processes.

We are thrilled to announce the passage of #Prop24, the California Privacy Rights Act, with a decisive majority of Californians supporting the measure to strengthen consumer privacy rights. #California once again makes history and leads the nation!

— Californians for Consumer Privacy (@caprivacyorg) November 4, 2020

What’s new in CPRA?

The amendment further strengthens CCPA by making it much harder for regulators to weaken established privacy laws in the future. In addition, it does the following:

• Protect additional categories of sensitive personal information that weren’t previously covered by CCPA, by allowing consumers to stop businesses from using or sharing, information about their health, finances, race, ethnicity, and geolocation
• Deterring businesses from committing violations involving the collection, use, and processing of children’s information by requiring mandatory opt-in consent and tripling of the fines associated with related violations
• Putting new limits on companies’ collection and use of personal information. This includes limits on data retention, and calls for annual audits and risk assessments for “high-risk” processing
• Set up a new enforcement arm—the California Privacy Protection Agency; funded with an annual budget of $10 million, the new arm will be solely responsible for defending consumer rights and holding companies accountable, including the levy of files.

For a more comprehensive log of changes, the Californians for Consumer Privacy website has a list of frequently asked questions about the amendment.

Changes to compliance thresholds

To fall within the scope of CPRA, a business must collect, sell, or share personal information of California residents, and it must also meet one of the additional three criteria:

• Have $25 million or more in annual revenue; or
• Possess the personal data of more than 100,000 Californian “consumers or households” (devices no longer count)
• Earn more than half of its annual revenue selling consumers’ personal data.

The second bullet point is a major update with the new amendment, the threshold has been raised from 50,000 “consumers, households, or devices” to 100,000 “consumers or households”. This might put a significant number of businesses outside the purview of CPRA. However, CCPA with its lower threshold will still continue to apply till 2023.

Now for the other big change, the inclusion of “sharing” in the definition.

Sell vs. share

Some ad tech companies have so far gotten around CCPA compliance by claiming that they only share data instead of selling it. CPRA extends that definition to “sell or share” data.

The term sharing is also qualified as, “cross-context behavioral advertising… whether or not for monetary or other valuable consideration, including transactions between a business and third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

This clause seems expressly written to close the loophole that previously allowed advertisers, publishers, and other ad tech intermediaries to keep business operations going under CCPA without having to make any material changes to their data processing methods.

So, what should publishers do?

The good news is that publishers who have spent time and effort to ensure compliance with CCPA won’t have to rebuild everything from scratch; this is because the changes mandated by the amendment are about nuance and making small, incremental changes. The major difference of default opt-out (CCPA) vs. default opt-in (GDPR) consent continues to hold with the update. 

In all likelihood, most publishers already using a credible third-party consent management platform won’t have to do anything except wait for their vendor to release an update that ensures compliance.

For publishers who aren’t yet compliant with CCPA, this is the time to start working on it. The new enforcement arm will allow the state to go after violating companies with more speed and additional legal resources. And in the lack of a federal privacy regulation, CCPA 2.0 is expected to become the blueprint and de facto standard for stateside data privacy regulations.