New Year’s resolutions are made to be broken, but don’t include privacy compliance in that category.
Five new US state privacy laws are coming into effect in 2023, including the Virginia Consumer Data Protection Act and the California Privacy Rights Act (CPRA), both of which hit the scene on January 1.
(For anyone marking their calendars, Colorado’s and Connecticut’s respective privacy laws go into effect on July 1, 2023, followed by Utah’s law on December 31.)
Although there are important nuances between the different laws, businesses that have been working toward compliance with the CCPA and CPRA are in a good position for complying with other state privacy statutes.
But the CPRA has several unique provisions that make it a beast all its own.
The DL on CPRA
The CPRA is an amendment that expands and updates the California Consumer Privacy Act (CCPA), which has been in effect since 2020, with new requirements for data security, consumer privacy rights and enforcement mechanisms. The law is designed to work in tandem with the CCPA, superseding certain provisions and bolstering others.
The CPRA passed as a ballot initiative during the 2020 elections after its backers gathered enough signatures to qualify it. CCPA’s original backers pushed for the ballot initiative because they felt the original CCPA had been watered down by tech industry lobbyists during the legislative process.
The CPRA’s populist origins should be a wake-up call to the ad tech industry.
“It’s evidence that there was the will and a real desire by citizens to move the needle on privacy,” said Jason Kint, CEO of publisher trade group Digital Content Next.
Arguably, there should be no such thing as a TL;DR for privacy laws, because the devil is in the details. (As in, talk to your lawyers!)
In a nutshell, though, these are a few of the main differences between CCPA and CPRA:
- Taking inspiration from Europe’s GDPR, CPRA creates a new category of “sensitive personal information,” which includes sexual orientation, racial or ethnic origin, biometrics, precise geolocation, social security number, health info – you get the drift.
- The CPRA also gives Californians the right to opt out of their personal information being shared with third parties for the purpose of “cross-context behavioral advertising.” (More on that thorny little term in a bit.)
- Businesses are already required to honor consumer data deletion requests under CCPA. Under CPRA, any third-party partners of those businesses must also honor deletion requests.
- The CPRA also confers a handful of brand-new consumer rights, including the right to request that businesses correct inaccurate personal information and the right to limit the use and sharing of sensitive personal information. Californians can also opt out of automated decision-making technology or other technology that the CPRA refers to as “profiling.”
In addition to these new consumer rights, CPRA introduces new requirements for businesses, such as data minimization (only collecting what one needs), purpose limitation (only processing data for a single stated purpose) and a data retention provision that requires companies to not keep data for too long and to routinely purge data they have no use for.
Although these are well-known concepts in Europe, they’re relatively new in the US.
“We’ve all talked a lot about the opt-out and the flow of data, but there are now these data management issues that ad tech companies also need to think about,” said Sarah Bruno, a partner at the law firm Reed Smith. “They aren’t getting as much traction on the discussion boards, but they could end up being important as the CPRA is enforced.”
Real teeth
And if there’s one thing every company should be aware of, it’s that CPRA calls for stricter enforcement, including through the creation of the California Privacy Protection Agency (CPPA), which is the first and only enforcement agency in the US solely dedicated to privacy enforcement.
Eventually, the CPPA will take over the majority of CCPA and CPRA enforcement and rulemaking responsibilities from the California attorney general’s office.
“These are laws with real teeth,” said Matt Voda, CEO of attribution and measurement provider OptiMine. “Just look at the Sephora case. That was a big shot across the bow, and we should expect more when the CPRA gets going.”
There is, however, a six-month compliance grace period. The CPPA won’t take enforcement actions until July 1, 2023.
But if you aren’t in privacy shape by summer, it’s going to be a tough beach season, because the CPRA also includes an expanded private right of action for citizens to bring cases against businesses. The CCPA already allows individuals to sue companies if their personal information is exposed in a data breach, but CPRA has a narrower definition of what constitutes personal information.
Under CPRA, consumers can bring claims against a business if their email address and password or security question is used to gain unauthorized access to their account.
“Lawsuits are going to start coming from consumers themselves, and we have to be ready to manage that, even though resources are already limited across the board,” said Sarah Polli, senior director of marketing technology at Omnicom-owned Hearts & Science. “I don’t know if enough people realize that yet.”
And speaking of surprises, CPRA has a 12-month look-back period, which means businesses are required to respond to consumer requests regarding any personal information collected going back to January 1, 2022.
The CPRA also eliminates the 30-day cure period under CCPA. Companies will only have the opportunity to remedy errors or complaints at the discretion of the California Privacy Protection Agency.
Defining terms
Yet, despite the late hour, some companies remain a little fuzzy (perhaps intentionally so) on the definitions of certain terms referenced in the CPRA.
For instance, take the difference between “sharing” and “selling.”
Under CCPA, a sale is defined as any time a consumer’s personal information is disclosed to a third party in exchange for money or “other valuable consideration.” But the CPRA introduces a new concept, that of “sharing,” which is defined as disclosing data to a third party for cross-context behavioral advertising (CCBA) regardless of whether money changes hands.
(“Cross-context behavioral advertising” is CPRA’s way of referring to the practice of retargeting someone based on personal information about them collected across sites.)
Although sharing and selling are regulated in the same way under CPRA – and consumers have the right to opt out of both – hope springs eternal for a workaround.
As IAB executives Michael Hahn and Tony Ficarrotta point out in a recent op-ed for the IAPP, a new and “myopic” legal theory is beginning to take root that “publishers and advertisers can tell consumers they engage in CCBA by ‘sharing’ personal information, but do not ‘sell’ their personal information.”
But pretending that the CPRA has somehow created a carve-out for sharing data to support cross-context behavioral advertising is an exercise in magical thinking.
One might wonder, then, why lawmakers even bothered to make a distinction between “share” and “sell” in the CPRA.
The CPRA’s drafters likely didn’t intend to introduce a loophole, but rather close one by making sure businesses realize they also need to give consumers the opportunity to opt out of sharing, not just selling.
And there’s no excuse for businesses to hold off on compliance until there’s more clarity on how the law will be implemented, since there are still updates coming in early 2023.
“You can sit there and say, well, we need to wait for the final regs because this or that is unclear,” Kint said. “But if you do that, it’s irresponsible. You can get pretty ready right now.”
There’s no easy button (for the easy button)
Still, there are open questions about CPRA compliance, including how to implement the Global Privacy Control (GPC).
The GPC is a universal browser-based mechanism that lets users opt out of their information being shared or sold across sites and sends that signal to publishers, advertisers and third-party companies up and down the digital media supply chain.
It’s like an easy button to disseminate a consumer’s privacy preferences – well, easy from the consumer’s perspective.
Although the most recent draft of the CPRA is clear that businesses must recognize GPC signals, operationalizing the GPC is another story.
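As an added illustration (not code from the article or from any of the companies quoted), this is the shape of the logic a publisher or ad tech stack needs in order to honor the GPC signal described above: the GPC specification carries the opt-out as the `Sec-GPC: 1` request header and as `navigator.globalPrivacyControl` in the browser; the function names, the consent-record format and the sample requests below are constructed for the example.

```javascript
// Server side: read the GPC opt-out from incoming request headers.
// `headers` is a plain object with lower-case keys, as Node's http module provides.
function gpcHeaderOptOut(headers) {
  const raw = headers['sec-gpc'];
  // The spec defines only the value "1"; any other value is not a valid opt-out.
  return typeof raw === 'string' && raw.trim() === '1';
}

// Client side: read the same signal from the browser's navigator object
// (passed in as a parameter so the logic can run outside a browser).
function gpcNavigatorOptOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether personal information may be "shared" for cross-context
// behavioral advertising. GPC is treated as an opt-out, and an opt-out the
// user already recorded in the site's own preference center is honored first.
// Returns a small record with the reason, so the decision is auditable.
function gpcDecision({ headers = {}, nav = null, userOptedOut = false } = {}) {
  if (userOptedOut) return { allowShare: false, reason: 'user-opt-out' };
  if (gpcHeaderOptOut(headers)) return { allowShare: false, reason: 'sec-gpc-header' };
  if (gpcNavigatorOptOut(nav)) return { allowShare: false, reason: 'navigator-gpc' };
  return { allowShare: true, reason: 'no-opt-out-signal' };
}

// A site declaring GPC support serves /.well-known/gpc.json with this content
// (field names per the GPC spec; the date is whatever the site last reviewed it).
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not real traffic) to exercise the decision logic.
const SAMPLE_REQUESTS = [
  { headers: { 'sec-gpc': '1' } },                       // browser sent GPC
  { headers: { 'sec-gpc': '0' } },                       // invalid value: not an opt-out
  { headers: {}, nav: { globalPrivacyControl: true } },  // client-side signal only
  { headers: {}, userOptedOut: true },                   // site-level opt-out on file
  { headers: {} },                                       // no signal at all
];

// Returns the list of reasons for the samples, in order, for a quick self-check.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map((req) => gpcDecision(req).reason);
}
```

Only the last sample request permits loading retargeting tags; the `reason` field is what you would log alongside each decision when an enforcement inquiry asks how the signal was handled.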
“Companies are struggling with implementation,” said Daniel Goldberg, a partner at Frankfurt Kurnit Klein & Selz, and chair of the firm’s privacy and data security group.
That is why some companies are holding out hope that honoring GPC will end up being discretionary: both the CCPA and the CPRA use vague language to talk about opt-out preference signals.
But there’s no point in denying reality. Just look at the recent enforcement action against Sephora under CCPA. Over the summer, California AG Rob Bonta sued the cosmetics brand for sharing consumer information with third parties to create profiles for targeting advertising (and neglecting to disclose that fact) – as well as for failing to respect the GPC as an opt-out.
Sephora paid $1.2 million to settle the suit and now has the dubious honor of being the first company fined for violating the California Consumer Privacy Act.
“We just have to wait to see where the market goes,” Goldberg said. “But, right now, it’s clear that GPC is the de facto recognized signal, and it needs to be addressed.”