California voters on Tuesday night voted to pass Proposition 24, otherwise known as the California Privacy Rights and Enforcement Act, a move that will expand the state’s current online consumer privacy protections and remove its biggest area of ambiguity for publishers.
By the latest count released by the California Secretary of State’s office at the time of writing, 56% of voters supported the measure and 44% opposed it.
The CPRA will replace the current California Consumer Privacy Act, which only took effect this year. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.
“The ground is constantly shifting below these companies who are trying to comply,” said Pollyanna Sanderson, policy counsel at the Washington D.C.-based think tank the Future of Privacy Forum. “Now it’s shifted further.”
Here’s what publishers need to know about the forthcoming CPRA and how it applies to their businesses.
First it was “Do Not Sell” — now it’s also “Do Not Share”
A big criticism of the CCPA was its definition of a “sale” of personal information and whether or not that could be applied to digital advertising, where companies generally say they “share” data along the supply chain rather than sell it in the traditional fashion. Some publishers adopted the strict interpretation that they are involved with the sale of data under the law when using personal information in order to serve targeted ads; others said the law wasn’t clear enough to take that approach.
The CPRA removes that ambiguity from the law and more explicitly gives consumers the right to opt out of the “sharing” of their data. The legislation also specifically refers to the sharing of data for what it calls “cross-context behavioral advertising.” Publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link.
“Service providers” and “contractors”
The CCPA previously provided a “service provider” designation that companies can adopt in order to process people’s personal information collected by another company without the sharing of that data being considered a sale under the law. Because the CPRA now explicitly calls out “cross-context behavioral advertising,” the service provider designation is no longer a valid exemption for this purpose for the many ad tech vendors publishers might use. Downstream vendors, too, must comply with those data subject requests.
“A service provider or contractor shall not combine the personal information of opted-out consumers which the service provider or contractor receives from or on behalf of the business with personal information which the service provider or contractor receives from or on behalf of another person or persons, or collects from its own interaction with consumers,” the CPRA states.
Less ambiguity around “sensitive personal information”
The CPRA also more clearly describes what it defines as “sensitive personal information.” It includes a lot of the data that you might expect — social security numbers, credit card numbers, sexual orientation — but also other information, such as “a consumer’s precise geolocation,” which is often used for advertising.
Under the CPRA, consumers can limit how businesses use their sensitive personal information.
“Perhaps without intent or awareness a lot of advertisers are already building ad targeting models from that kind of data,” said Cillian Kieran, CEO of data privacy company Ethyca. The CPRA “requires advertisers and publishers to have a better handle on the source of information they are using” from downstream providers, he added.
The creation of a new enforcement agency
The CPRA will create an agency called the California Privacy Protection Agency dedicated to enforcing the new privacy law. The agency has the power to fine businesses $2,500 for each violation of the CPRA or $7,500 for what it deems are “intentional violations” or those that involve minors. A “business” under the CPRA is a company that has reported gross revenue of $25 million or above in the preceding calendar year and buys, sells, or shares personal information of 100,000 or more consumers or households per year.
“Creating a regulatory body with the teeth and budget and resources to go after businesses that are noncompliant certainly makes this more real,” said Kieran. “It demonstrates the seriousness with which California at state legislator level is taking this.”
The building blocks for a federal privacy law
The CPRA is likely to provide the building blocks for other similar state privacy laws and, ultimately, perhaps a federal privacy law down the line.
“I look forward to ushering in a new era of consumer privacy rights with passage of Prop 24, the California Privacy Rights Act,” said chair of the board of advisors for Californians for Consumer Privacy and former Democratic presidential candidate Andrew Yang in a statement. “It will sweep the country and I’m grateful to Californians for setting a new higher standard for how our data is treated.”
Opt-in versus opt-out
As always, with any sort of privacy intervention, some opponents have said the CPRA still doesn’t go far enough. The major distinction between the CPRA and Europe’s General Privacy Regulation is that the former runs on an opt-out basis, whereas the latter is formed around opt-in consent, said Brian Kane, COO of privacy compliance company Sourcepoint.
“It’s odd they didn’t include a consent component,” when drawing up the CPRA, said Kane. “That would be an area I would see it evolving to at some point.”
Still, even if future CPRA-related ballot measures did follow this path, some industry observers are confident that it wouldn’t have too much of an impact on publisher revenues.
“We see the rate at which consumers provide consent [in Europe, under GDPR] tends to be north of 95%,” said Jeremy Arditi, chief commercial officer at ad tech company Teads.
In the meantime, “Opt out requires more effort on the users’ part — it’s a much more proactive approach,” said Arditi. “We strongly expect there to be a minimal impact based on that mechanism.”
Privacy ‘haves’ and ‘have nots’
Opponents have also argued that the law could create a two-tier system among those who can afford to opt out from their data being shared and those who can’t. A news publisher, for example, could give users the option of registering for a subscription rather than having to share their information for targeted advertising purposes.
The Electronic Frontier Foundation wrote in July about its concern that CPRA would lead to a rise of “pay for privacy schemes.”
“Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights,” wrote the EFF. “Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy ‘haves’ and ‘have-nots.’”