Your Guide to the California Privacy Rights Act (CPRA) for Businesses and Advertisers

Posted by: kevensteinberg

In the November 2020 election, California voters passed Proposition 24, or the California Privacy Rights Act (CPRA), less than a year after the California Consumer Privacy Act (CCPA) went into effect. On a basic level, the CPRA strengthens and expands the protections from the CCPA. This new law is designed to strengthen consumer privacy protections online and hold companies accountable for unauthorized data sharing through the newly established agency, the California Privacy Protection Agency. 

As a California business owner or entrepreneur, you’ll need to know how this law will affect your business. How is the CPRA different from the CCPA? Which businesses does it affect? And what legal steps should you take to make sure your business is able to move forward and comply with this new privacy law? 

What Changes Does the CPRA Make? 

The CCPA was passed in 2018 and came into effect in January 2020. This law secured privacy rights for California consumers including the “right to know about the personal information a business collects about them and how it is used and shared,” “the right to delete personal information collected about them (with some exceptions),” “the right to opt-out of the sale of their personal information,” and “the right to non-discrimination for exercising their CCPA rights.” The CCPA also requires businesses to notify customers of their privacy practices. It applied to many businesses and was enforced by the California state attorney general. 

The CPRA makes important expansions to the CCPA and clarifies compliance standards for businesses. Some of these changes include: 

  • Protecting additional consumer rights. The CPRA secures the same consumer privacy rights as the CCPA plus the right to rectification and the right to limit use and disclosure of sensitive personal information. 
  • Changing which businesses the law applies to and including sharing as well as selling information. The CCPA applied to for-profit businesses that collect personal information and have a gross annual revenue over $25 million; buy, receive, or sell personal information of 50,000 or more California residents, households, or devices; or derive 50% of their revenue from selling residents’ personal information. The CPRA changes this to apply to businesses that collect personal information and have a gross annual revenue over $25 million; buy, sell, or share personal information of 100,000 or more California residents, households, or devices; or derive 50% of their annual revenue from selling or sharing residents’ personal information. 
  • Increasing penalties for noncompliance. The CPRA increases the maximum penalty for violations concerning consumers under age 16 to $7,500 per intentional violation. 
  • Expanding covered personal information. Under the CCPA, personal information included information that identifies, relates to, or could reasonably be linked with an individual or their household, including your name, email address, record of products purchased, browsing history, and other inferences. The CPRA expands the covered information to include sensitive personal information, such as social security numbers, driver’s license numbers, biometric information, precise geolocation, and racial and ethnic data. 
  • Creating the California Privacy Protection Agency (CalPPA). While the CCPA was enforced by the state attorney general, the CPRA will be enforced by the new California Privacy Protection Agency. 

What Kind of Businesses Does the CPRA Affect? 

If your business meets any one of the following thresholds, it is covered under the CPRA and you will need to take steps to comply with the law. 

  • Your business derives at least 50% of its annual revenue from selling or sharing the personal information of California residents. 
  • The business has a gross annual revenue over $25 million. 
  • The business buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices. 

The addition of “sharing” personal information to the CPRA expands the number of businesses required to comply with these privacy rules, impacting businesses in the ad tech industry especially. However, raising the threshold for the number of residents whose information a business buys, sells, or shares from 50,000 to 100,000 means that more small businesses may be exempt from the CPRA. The CPRA also expands covered businesses to include joint ventures or partnerships in which each business in the partnership has at least a 40% interest. 

If you are unsure whether your business falls under the scope of the CPRA, the qualified business attorneys at Steinberg Law can help you find out. 

What Kind of Personal Information Is Covered Under the CPRA? 

Like the CCPA, the CPRA requires businesses to allow consumers to opt out of the collection and sharing of their personal information online and secures additional rights for consumers regarding the use of their personal information by businesses. The basic definition of personal information from the CCPA still applies under the CPRA. Personal information is information that identifies, relates to, describes, or could be reasonably linked to a consumer or household, such as a name, email address, browsing history, and purchasing habits. 

The CPRA adds a subcategory to personal information called sensitive personal information. Sensitive personal information includes government identifiers like social security numbers or driver’s license numbers, financial account and login information, precise geolocation, race, ethnicity, religious beliefs, content of nonpublic communications, genetic data, health information, sexual orientation, and similar information. This change puts additional limits on the types of information businesses can share, sell, or use for targeted advertising or similar purposes. 

When Will the CPRA Go Into Effect? 

The CPRA will become effective beginning January 1, 2023. It will start being enforced six months later on July 1, 2023. Until then, the CCPA will continue in full force. However, the CPRA will apply to personal information collected by businesses beginning January 1, 2022. 

One important provision of the CPRA will go into effect earlier, on January 1, 2021. On that date, the California Privacy Protection Agency will be established to begin enforcing California’s consumer privacy laws. 

What Does the CPRA Mean for Marketers and Advertisers? 

Cross-context behavioral advertising is a common strategy for online advertising and marketing. This advertising allows marketers to target consumers very specifically based on their browsing histories and other data. Many businesses use personal consumer information from third-party data for these targeted marketing strategies. But with the new restrictions coming into place with the CPRA, consumers will be able to opt out of receiving those ads and, at an earlier level, they will be able to opt out of having companies share that personal information with third parties. 

This has the potential to have a large impact on the way marketers and advertisers reach customers and target consumers online, limiting their ability to personalize digital advertising. Marketers, advertisers, and ad tech agencies will also need to be diligent about where any third-party data is coming from and disclose any personal information they have collected about a consumer. 

What Should I Do to Make Sure My Business Is Compliant with the CPRA? 

The CPRA requires affected businesses to implement security practices regarding personal information and to include additional provisions in agreements between businesses and vendors about the sharing of personal information. It also requires privacy impact assessments and introduces regulatory audits from the CalPPA. 

With all of these new requirements, it is vital that businesses start working to comply with the CPRA early. Having confident legal counsel on your side can be a business’s greatest asset when it comes to changing policies and coming into compliance with a new law. The knowledgeable business attorneys at Steinberg Law can work with you to evaluate whether the CPRA will apply to your company, to update notices to consumers, to update your company’s online privacy policy, and more. With Steinberg Law on your side, you can trust your business will be ready when the CPRA becomes effective.

Contact us today to start preparing and protecting your business.
