A Publishers' Guide to the California Privacy Rights Act

Jane O'Hara

Last fall, we shared our Definitive Guide to the CCPA. Just one year later, we’re back to explore the latest privacy act approved by California voters: The California Privacy Rights Act of 2020, or CPRA, which appeared on California’s statewide ballot.

We’ll outline what the CPRA is, how it differs from the CCPA, and how its passage may impact publishers’ monetization efforts.

Please note: This article is for informational purposes only. Please speak to a lawyer before determining how the CPRA may affect your business.

What is the CPRA?

The CPRA, or California Privacy Rights Act of 2020, serves as an addendum to the CCPA (California Consumer Privacy Act), which was passed in 2018 and went into effect this past January.

The CPRA expands California users’ access, notice, and deletion rights to align more closely with the General Data Protection Regulation (GDPR) for EU residents.

The CPRA was created by the Californians for Consumer Privacy, the same organization that drafted the CCPA. The group wanted to amend the CCPA by addressing its shortfalls and by expanding on consumers’ rights. The act was submitted to California’s Attorney General last fall with more than 900K signatures — far beyond the 600K signatures required for statewide ballot initiatives.

The CPRA will be effective January 1, 2023 and enforced July 1, 2023 by a new, dedicated agency — the California Privacy Protection Agency — which could allow greater scrutiny than California’s Attorney General.

Like the CCPA, the CPRA is an opt-out law with a one-year lookback window — in this case, for any personal data collected on California consumers starting January 1, 2022.

The CPRA also applies to large, for-profit companies doing business in California — but narrows its scope to exempt businesses that buy, sell, or share personal data on fewer than 100K users:

  • Those with $25M in annual gross revenue, and/or
  • Those that generate more than 50% of annual revenue from data sales, and/or
  • Those that “alone or in combination, annually buys or sells, or shares the personal data on 100K+ California residents or households” (vs. 50K+ under the CCPA)
  • Businesses that voluntarily comply with the law and certify themselves with the California Privacy Protection Agency

Businesses that annually buy, sell, or share personal data on more than 50K — but fewer than 100K — California users or households must still comply with the CCPA.

While the CPRA raises the threshold of applicable businesses, it tightens restrictions for Google, Facebook, and other tech giants by clarifying the CCPA’s ambiguous terms and expanding users’ rights.

CPRA vs. CCPA: How do they differ?

The CPRA has been described as “the CCPA on steroids” and builds on the current state law, which legislators could weaken over time. It offers a narrower scope and more stringent guidelines than the CCPA — as well as clarity on ambiguous terms.

Whereas the CCPA began as a ballot initiative but became a law (that can be amended through legislation), the CPRA remained a ballot initiative for voters to decide on Election Day. Now that it has passed, the CPRA can be amended only through another statewide vote — putting control in the hands of California users rather than lawmakers.

Scope
  • CCPA: CA residents
  • CPRA: CA residents

Consent
  • CCPA: Opt-out; opt-in for minors under age 13
  • CPRA: Opt-out; opt-in for minors under age 16

Personal information
  • CCPA: Includes pseudonymous and sensitive data for individuals and households
  • CPRA: Creates an additional subcategory of “Sensitive Personal Information” (SPI), including login credentials and passwords, government ID numbers (Social Security, state ID, passport), personal communications, race, ethnicity, religion, union membership, sexual orientation, biometric data (from health trackers), and precise geolocation data

Rights
  • CCPA: Includes access and deletion without penalty
  • CPRA: Includes access, deletion, and correction without penalty and “through easily accessible self-serve tools” (Sec. 3A)

Opt-out requirements
  • CCPA: “Do Not Sell My Personal Information” link for California residents
  • CPRA: “Do Not Sell or Share My Personal Information” link for California residents; “Limit the Use of My Sensitive Personal Information” link for companies that collect sensitive data

Enforcement
  • CCPA: California Attorney General
  • CPRA: California Privacy Protection Agency

Penalties
  • CCPA: Individuals can sue for $100 to $750 per breach or actual damages, whichever is higher; $2,500 for unintentional breaches; up to $7,500 for intentional breaches
  • CPRA: Expands CCPA penalties to $7,500 for data breaches of California users under age 16

By adding “sharing” to the opt-out requirement, the CPRA clears up confusion over the CCPA’s “selling” of personal information — and will allow users to opt out of any third-party cookie collection on websites and apps.

Key definitions and provisions for publishers

The CPRA includes several new terms and provisions that can impact publishers’ abilities to monetize and manage user data:

Contractors and third parties

The CPRA expands on the CCPA’s definition and regulation of service providers to include contractors and third parties with contractual agreements — and to align more closely with the GDPR’s regulation of “data processors.”

Under the CPRA (Section 14):

  • “Service provider” means a person that processes personal information on behalf of a business and which receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract…”
  • “Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract…”
  • “Third party” applies to all others who have access to a user’s personal information

Publishers that sell or share the personal information of California users will be held responsible for how that data is used and managed by their partners and ad tech vendors.

Data retention limitations

Under the CPRA, companies will be required to state the length of time users’ personal data will be retained and the criteria used to determine it. According to Section 4, they may not keep data “longer than is reasonably necessary for that disclosed purpose,” which means assessing stored data more frequently and, as a result, holding less data that could be exposed in a breach.

“Sale” and “cross-context behavioral advertising”

Section 14 of the CPRA clears up the confusion of the term “sale” under the CCPA by including “sharing” of California users’ personal data:

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

Google, Facebook, and other walled gardens that have claimed they’re not “data sellers” under the CCPA could face new limitations to the user data required for their targeted advertising tactics under the CPRA.

As with the CCPA, the CPRA does not require an opt-out for cookies required for site/app performance, such as remembering shopping cart items, shipping information, or website analytics. The opt-out prevents data selling or sharing for commercial benefit — activities that monetize personal information for company profit.

Sensitive personal information

The CPRA allows users to opt out of the use of their most sensitive personal data, such as their login credentials and passwords, Social Security and passport numbers, genetic data, sexual orientation, religious beliefs, and more.

Companies that process “sensitive personal information” will have to fulfill additional requirements for data management based on users’ opt-out preferences, including annual security audits. Audit guidelines will be determined by the new enforcement agency.

According to Red Clover Advisors founder and CEO Jodi Daniels, “The CPRA moves us closer upstream to GDPR. It’s not a direct comparison, but it does allow someone the opportunity to limit the use of sensitive information.”

"Overall, companies will need to do more detailed work to understand the data they have to determine specifically what type of data is collected, used, and shared — and for what purposes."
Jodi Daniels, Red Clover Advisors

CPRA compliance

Who needs to comply

If any of the following applies to you, you’ll need to comply:

  • $25M in annual gross revenue
  • More than 50% of annual revenue from data sales
  • Bought, sold, and/or shared (for commercial purposes) personal data on 100K+ California residents or households

How to comply

Let’s break this into four steps:

(1) Conduct a data audit

We recommend a detailed audit and risk assessment of the data you have, how it’s used, and with whom you share it (as you’ve likely already done for the CCPA and GDPR). You’ll want to identify what partners you have shared data with, regardless of whether it was for a sale or a business purpose, since January 1, 2022.

For instance, if you’re doing programmatic advertising or data sales, be prepared to provide a list of everyone involved (such as ad servers, exchanges, DMPs, DSPs) to fulfill consumer requests. Group these into categories, noting that any new partner will require you to update your records.

(2) Update your privacy policy

Your privacy policy will need to:

  • Outline the new California consumer rights under the CPRA: the right to notice; right to access; right to opt-out; right to request deletion; right to data correction; and right to equal services and prices.
  • Provide detailed accounts of personal information collected, sold, and/or disclosed since January 1, 2022 (12 months prior to the law’s effective date):
    • What kind of information is collected
    • How it’s collected (cookies, registration form, etc.)
    • Why the information is collected
    • How consumers may access, delete, correct, or deny collection of their information
    • How you verify consumers’ ages and obtain minors’ consent
    • How you verify consumers’ identities when accessing/disclosing information
  • Include a “Do Not Sell or Share My Personal Information” link to a web page, toll-free number, and/or email address (more below)

(3) Update your website

Under the CPRA, you’ll need to display a “Do Not Sell or Share My Personal Information” link for California residents:

If you’re an online-only business with direct consumer relationships, your “do not sell or share” link can direct users to an opt-out email address.

If you’re not exclusively online and/or you don’t have direct relationships, your “do not sell or share” link must offer at least two opt-out options, including a web page and a toll-free number. You’ll also need to provide a link to that page in your privacy policy and in your homepage footer. The CCPA defines “homepage” as “any internet web page where personal information is collected.”

(4) Make data rights actionable

You’ll want to develop an internal process to delete or correct data upon consumer request, or to cease data sharing upon opt-out. Most likely this will be manual, such as creating a dedicated email address the user has to contact, which is then directed to the relevant party (a product manager, IT team, ad ops, etc.). That person would then enact measures to honor the request, like deleting or correcting the data in internal or external databases. In addition, if you do sell PII, you’ll need to exclude that user’s data from future sales, either manually or through automated exclusion lists.

For publishers doing programmatic advertising or sending ad calls to a third party, it gets a little trickier, as you’ll have to strip PII for that user from future ad requests, including IP address, mobile IDs, cookie-syncing IDs, etc. There are a couple of potential paths here:

  1. If you have server-side integrations with your partners, you could write the code yourself to automatically strip excluded users’ data.
  2. If you are relying on JavaScript tags where you don’t have that control, you’ll need to make sure your partners have a process for honoring the user’s request. If they don’t, and you continue to send this data to those ad partners when the user visits the site/app again, this would be a violation of the CPRA.
  3. Consent Management Platforms will likely be repurposed for this. These tools popped up to manage GDPR consent, with the IAB specifically building a CMP framework on how to incorporate consent into programmatic advertising. Given the nuances between the two laws, though, it’s not as easy as flipping a switch; CMP vendors will need to update their tech, which will take time.
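One way to implement the server-side stripping described in path 1, shown here as an added example that is not code from the original post or from Kevel: the exclusion list is keyed by a salted hash of the publisher's own first-party user id, and the ad request field names (ip, ifa, cookie_sync_ids, geo_precise) are assumed rather than taken from any real bidding specification.

```python
"""Opt-out enforcement for server-side ad requests (added example).

Assumptions: the publisher keys its exclusion list by a salted hash of the
user's first-party identifier, and outgoing ad requests are plain dicts.
Field names below are illustrative, not a real ad-request spec.
"""
import hashlib
from copy import deepcopy

# Hypothetical salt for the example; in production load it from a secret
# store rather than hard-coding it.
SALT = b"constructed-example-salt"

# Request fields that carry personal information and must not leave the
# server for an opted-out user. Everything else (ad slot, page context) stays.
PII_FIELDS = ("ip", "ifa", "cookie_sync_ids", "user_id", "geo_precise")


def exclusion_key(user_id: str) -> str:
    """Hash the id so the exclusion list itself never stores raw identifiers."""
    return hashlib.sha256(SALT + user_id.encode()).hexdigest()


class OptOutRegistry:
    """Exclusion list populated when a user clicks 'Do Not Sell or Share'."""

    def __init__(self) -> None:
        self._excluded = set()

    def record_opt_out(self, user_id: str) -> None:
        self._excluded.add(exclusion_key(user_id))

    def is_excluded(self, user_id: str) -> bool:
        return exclusion_key(user_id) in self._excluded


def prepare_ad_request(request: dict, registry: OptOutRegistry) -> dict:
    """Return a copy of the request that is safe to forward to ad partners.

    For an excluded user every PII field is removed and an explicit opt-out
    signal is added so downstream partners can honor the choice as well.
    The caller's original request dict is left unchanged.
    """
    out = deepcopy(request)
    user_id = request.get("user_id")
    if user_id and registry.is_excluded(user_id):
        for field in PII_FIELDS:
            out.pop(field, None)
        out["privacy"] = {"sell_share_opt_out": True}
    return out
```

Wire `record_opt_out` to the handler behind your "Do Not Sell or Share My Personal Information" link and route every outgoing partner request through `prepare_ad_request`; the hashed registry can be persisted and shared across servers.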

Penalties for non-compliance

It will pay (or in this case, save) to be fully compliant to avoid penalties.

Unintentional violations of the CPRA may result in fines of $2,500. Intentional breaches of the CPRA can result in fines of up to $7,500.

As with the CCPA, individual consumers can also sue for $100 to $750 per breach or actual damages, whichever is higher.

What’s next?

We expect the CPRA's passage will spark new discussions of a federal privacy law. We’ll be sure to follow those discussions and share what may be next for publishers.

As you prepare for the CPRA, here are some recommended reads that offer additional context and clarity:

Jane O'Hara

Jane is the Senior Content Marketing Manager at Kevel. She enjoys discussing and discovering user-first ad platforms with readers everywhere.