Even though the California Consumer Protection Act (the “CCPA”) is still wet behind the ears – only becoming effective on January 1, 2020 – California voters decided in November 2020 to amend and expand the CCPA by passing the California Privacy Rights Act (the “CPRA”). You may have finally got to the point of understanding the intricacies and ambiguities of the somewhat rushed CCPA, but now you will need to learn and comply with a whole new set of expanded requirements relating to your collection and use of consumer data.
The good news is that the CPRA does not become effective until January 1, 2023, so you have some time to prepare (although there is a twelve-month look back period). The bad news is that unlike the CCPA, which could be amended by the California legislature to be less restrictive, the CPRA may be amended to make it less restrictive only by a subsequent proposition approved by California voters.
The CPRA seems to take aim at what is commonly-known as “Targeted Advertising.” The CPRA uses the term “cross-context behavioral advertising” to refer to targeted advertising. The CPRA defines “cross-context behavioral advertising” as the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” Basically, the broad definition covers a business’s collection of a consumer’s personally identifiable information (“PII”) across third-party digital properties for the purposes of targeted advertising.
While the CCPA applied to businesses (e.g. agencies, technology providers) that make the majority of their revenue from selling consumers’ PII, the CPRA expands the applicability of the CCPA to also include businesses that make the majority of their revenue from sharing PII. The CPRA’s definition of “sharing” is rather broad and vague. Under the CPRA sharing is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Under the CCPA, the opt-out right restricts sharing of PII only for advertising purposes in exchange for money or other valuable consideration. In other words, businesses must give consumers the right to opt out of that business selling the consumer’s PII to a third party. To easily allow consumers to opt out of having their PII sold to third parties by businesses, the CCPA requires businesses to post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information.” The CPRA expands this right. Under the CPRA, consumers will have a separate right to opt-out of “sharing” personal information; that is, the disclosure of their personal information for targeted advertising. Businesses will be required to inform consumers of this new right through a clear and conspicuous link on their website that says “Do Not Sell or Share My Personal Information.” It would replace the currently mandated “Do Not Sell My Personal Information” link.
The CPRA will no doubt be a challenge for the targeted advertising industry. The above are only some of the changes found in the CPRA that will affect marketers. While the effective date of January 1, 2023, may seem far away, we all know how quickly that day will come, and it is a good idea for businesses to begin thinking about necessary changes sooner rather than later.