In the November 2020 election, California voters passed Proposition 24, or the California Privacy Rights Act (CPRA), less than a year after the California Consumer Privacy Act (CCPA) went into effect. On a basic level, the CPRA strengthens and expands the protections from the CCPA. This new law is designed to strengthen consumer privacy protections online and hold companies accountable for unauthorized data sharing through the newly established agency, the California Privacy Protection Agency.
As a California business owner or entrepreneur, you’ll need to know how this law will affect your business. How is the CPRA different from the CCPA? Which businesses does it affect? And what legal steps should you take to make sure your business is able to move forward and comply with this new privacy law?
The CCPA was passed in 2018 and came into effect in January 2020. This law secured privacy rights for California consumers including the “right to know about the personal information a business collects about them and how it is used and shared,” “the right to delete personal information collected about them (with some exceptions),” “the right to opt-out of the sale of their personal information,” and “the right to non-discrimination for exercising their CCPA rights.” The CCPA also requires businesses to notify customers of their privacy practices. It applied to many businesses and was enforced by the California state attorney general.
The CPRA makes important expansions to the CCPA and clarifies compliance standards for businesses. Some of these changes include:
If your business meets any one of the following thresholds, it is covered under the CPRA and you will need to take steps to comply with the law.
The addition of “sharing” personal information to the CPRA expands the number of businesses required to comply with these privacy rules, impacting businesses in the ad tech industry especially. However, raising the threshold for the number of residents whose information a business buys, sells, or shares from 50,000 to 100,000 means that more small businesses may be exempt from the CPRA. The CPRA also expands covered businesses to include joint ventures or partnerships in which each business in the partnership has at least a 40% interest.
If you are unsure whether your business falls under the scope of the CPRA, the qualified business attorneys at Steinberg Law can help you find out.
Like the CCPA, the CPRA requires businesses to allow consumers to opt out of the collection and sharing of their personal information online and secures additional rights for consumers regarding the use of their personal information by businesses. The basic definition of personal information from the CCPA still applies under the CPRA. Personal information is information that identifies, relates to, describes, or could be reasonably linked to a consumer or household, such as a name, email address, browsing history, and purchasing habits.
The CPRA adds a subcategory to personal information called sensitive personal information. Sensitive personal information includes government identifiers like social security numbers or driver’s license numbers, financial account and login information, precise geolocation, race, ethnicity, religious beliefs, content of nonpublic communications, genetic data, health information, sexual orientation, and similar information. This change puts additional limits on the types of information businesses can share, sell, or use for targeted advertising or similar purposes.
The CPRA will become effective beginning January 1, 2023. It will start being enforced six months later on July 1, 2023. Until then, the CCPA will continue in full force. However, the CPRA will apply to personal information collected by businesses beginning January 1, 2022.
One important provision of the CPRA will go into effect earlier, on January 1, 2021. On that date, the California Privacy Protection Agency will be established to begin enforcing California’s consumer privacy laws.
Cross-context behavioral advertising is a common strategy for online advertising and marketing. This advertising allows marketers to target consumers very specifically based on their browsing histories and other data. Many businesses use personal consumer information from third-party data for these targeted marketing strategies. But with the new restrictions coming into place with the CPRA, consumers will be able to opt out of receiving those ads and, at an earlier stage, they will be able to opt out of having companies share that personal information with third parties.
This could have a large impact on the way marketers and advertisers reach customers and target consumers online, limiting their ability to personalize digital advertising. Marketers, advertisers, and ad tech agencies will also need to be diligent about where any third-party data is coming from and disclose any personal information they have collected about a consumer.
The CPRA requires affected businesses to implement security practices regarding personal information and to include additional provisions in agreements between businesses and vendors about the sharing of personal information. It also requires privacy impact assessments and introduces regulatory audits from the CalPPA.
Contact us today to start preparing and protecting your business.