Californians just voted to pass Proposition 24, the California Privacy Rights Act of 2020 (CPRA). It will go into effect on January 1, 2023. The CPRA will change some of the language found in the California Consumer Privacy Act (CCPA) which went into effect this year. It will also require businesses to comply with additional privacy regulations. This will have significant impacts on consumers and marketers alike.
What does it do?
The CPRA grants consumers additional rights and expands the compliance obligations of businesses who collect, process, or use the personal information of California residents. Here are some examples:
- Prevents businesses from “sharing” personal information
- Limits businesses’ liability for violations of the law by third party businesses
- Prohibits retention of personal information for longer than necessary
- Creates new obligations for opt-out links
Who Must Comply?
CPRA slightly changes the definition of a “business” and therefore who must comply with the new rules. Though the requirements are expanding, in some cases, businesses may be considered exempt. For example, if a business is expected to comply with the CPRA, one of the following must be present:
- The business derives at least 50% of annual revenue from sharing or selling the personal information of California consumers
- The business has a gross revenue of over $25 million
- The business buys, sells, or shares the personal information of more than 100,00 California consumers/households.
The last bullet point is a major change, increasing the number of consumers or households from 50,000 under CCPA to 100,000. This means that more small businesses will be exempt from the rules of the CPRA. However, the CCPA with the lower threshold of 50,000 consumers or households will still apply until 2023.
Sharing vs. Selling Data
The CPRA adds the word “sharing” data to go along with “selling data.” Many businesses claimed not to sell data, but share it, meaning they could avoid complying with the CCPA rules. The term “sharing” data is used specifically in connection with behavioral advertising. This means that whether or not businesses exchange data for monetary value, including transactions between a business and third-party, they are required to comply with the CPRA.
Consumers will now have a right to opt-out of the sale or sharing of their personal data. This means businesses that fall under the scope of the CPRA can no longer avoid compliance just because they don’t sell data to third parties.
Improved Consumer Rights.
There are several new rules and consumer rights that are introduced or modified in the CPRA. Here are some examples:
- The ability to correct inaccurate personal information in possession of the business
- Creation of new opt-out rights connected with the use of automated decision-making technology.
- The consumer also has a right to limit the use of sensitive personal information like race, ethnicity, political beliefs, or sexual orientation. Businesses must inform consumers if they are collecting sensitive personal information and for what purpose.
These new regulations require businesses to be more transparent surrounding how and why they are collecting personal information. The CPRA gives the consumer more control over their personal information and to what extent their data is being collected.
Why Do We Care?
Many things could change between now and 2023 – such as federal privacy legislation that potentially preempts CPRA. That being said, companies affected by the CCPA should understand the new requirements introduced by the CPRA. Continue to comply with the CCPA but prepare to change some operational practices by 2023 when the CPRA goes into effect.
It is anticipated that the CPRA will have a significant impact on digital marketing. The concept of “sharing” information is much broader than selling. However, the sharing of data with agencies and marketing vendors will still be permitted.
In summary, this is still an opt-out scenario rather than an opt-in. Most consumers do not opt-out because of the time involved in doing so. The CPRA wouldn’t necessarily change that. Regardless, it is still important for marketers and publishers to prepare to comply with CPRA.