WTF is California’s new, and potentially stronger, privacy law?
Sure, the California Consumer Privacy Act only took effect this year, and the enforcement period only began July 1. But yes, California may pass a second privacy law by year’s end. It’s called the California Privacy Rights Act, and it’s basically the CCPA on steroids.
WTF is the California Privacy Rights Act?
The CPRA is effectively a proposed addendum to the California Consumer Privacy Act, the privacy law that was passed by the state legislature in June 2018. It took effect on January 1 and the California Attorney General’s office began enforcing on July 1. But it’s only a ballot initiative at the moment. California’s Secretary of State announced on June 24 that the CPRA will be put to California residents for a vote on in November. If approved, the CPRA won’t take effect until January 1, 2023, but — similar to how the CCPA covered data collected the year prior to the law taking effect — it will apply to data collected starting January 1, 2022.
WTF is California doing with another privacy law?
The people behind the CPRA — an organization called Californians for Consumer Privacy — don’t think California’s other, just-enacted-this-year privacy law is strong enough. They are also the same group—led by Alastair Mactaggart—that came up with the ballot initiative that formed the basis for and was replaced by the CCPA, so they would know.
How does the CPRA make the CCPA stronger?
For starters, it creates a government agency — called the California Privacy Protection Agency — specifically dedicated to enforcing California’s privacy laws. The CCPA enlisted the state’s AG’s office to enforce the law, but as overseer of the state’s entire legal and law enforcement arm, the AG’s office has a lot on its plate. That could explain why it took until June 2, less than a month before the AG’s office could begin enforcing the CCPA, for the AG’s office to submit the supposedly final draft of the rules it would use to enforce the CCPA. Creating an agency whose sole purpose is to enforce the CCPA and the CPRA would likely lead to more businesses’ compliance practices being scrutinized and companies being potentially penalized.
Additionally, the CPRA makes companies responsible for what other companies do with California residents’ personal information that is collected by the former and shared with the latter. For example, the law would require that a company monitor that service providers — like ad tech firms processing publishers’ data to facilitate ad targeting — don’t add California residents’ data to the service provider’s own database of consumer profiles unless the company and service provider signed a contract agreeing to that use.
It also puts the service providers on the hook for helping the companies that collected a person’s personal information to comply with requests related to that information, such as deleting it. The CPRA will also give people the option to correct the personal information that companies have collected from them, which could be a way to finally tell the ad tech ecosystem that you, in fact, actually bought those shoes three months ago so all the retargeting can stop please.
Wait, go back. The rules stating what companies need to do in order to comply with the CCPA weren’t available until June 2?
Not exactly. The AG’s office sent out the first draft of its proposed regulations back in October. But then there was a public comment period that led to revisions and then more revisions. The final regulations weren’t so different from the previous draft submitted in March, which confirmed Do Not Track signals can double as opt-outs under the CCPA. And anyway, even though the AG’s office is supposed to have been able to enforce the CCPA starting on July 1, it has to wait until the California Office of Administrative Law approves the regulations. As of July 2, the AG’s regulations were still under review.
So the CCPA is still being sorted out and now businesses might have another privacy law they’ll need to comply with?
Yes. But the CPRA could help businesses to figure out how they need to comply with the CCPA by clearing up its murky definition of sale.
How would the CPRA clarify the CCPA’s definition of sale?
The CPRA would set a new category to describe what companies may do with the personal information they collect from California residents. The CCPA defined a sale as exchanging data for some type of financial consideration, a murky definition that probably applies to targeted advertising, but not everyone is convinced. Plus, some companies don’t want to say they’re selling people’s information unless they are directly trading data for dollars. The CPRA settles both issues by splitting sharing people’s personal information into its own category but with the same requirements applied to the data that companies sell. So it’s a semantic issue, but because this is legalese we’re talking about, it was a significant issue.
Does the CPRA introduce any changes to what is considered personal information?
Yes, by creating a new sub-category of personal information: sensitive personal information. Sensitive personal information includes log-in credentials, precise geolocation (like GPS coordinates), race or ethnicity, biometric data and any data related to someone’s “sex life” or sexual orientation.
Why does the CPRA create a sub-category of personal information?
To make California’s privacy laws less onerous on businesses in a way, it seems. The distinction between data types will allow California residents to tell businesses to treat their sensitive personal information, like their religious beliefs, differently than their regular personal information, like unique device identifiers. If California residents only care to regulate companies’ collection and use of their sensitive personal information, companies may not lose out on the, implicitly, non-sensitive personal information they might use for ad targeting purposes.
What if California residents vote against the CPRA?
That’s a possibility. But even more likely, the CPRA may be off the ballot by November. The CCPA was supposed to be a ballot initiative, but state legislators opted instead to pass it into law themselves so they could amend it. They could do the same with the CPRA, even though one of the CPRA’s aims is to prevent California lawmakers from weakening the state’s privacy laws. So hang tight. One of these days, California’s legal privacy picture will come into focus.
Health app makers are on notice amid FTC data rule refresh, but some privacy experts say the regulator has gone too far
The Federal Trade Commission will begin applying an old rule governing health data privacy and security. Some privacy experts say it's a convoluted approach that already is causing confusion.
‘I’m ambitious for us’: How Peloton CMO Dara Treseder made community her selling point
A year into her role as Peloton's svp and head of global marketing, Dara Treseder discusses spinning storytelling in service of community.
‘We’re all figuring out what our new reality is’: How DTC underwear brand Thinx is diversifying its media mix with more OOH
As a cookieless future and Apple's data privacy updates loom over advertisers, at least one DTC brand is diversifying its ad spend by doubling down on OOH efforts.
SponsoredHow legacy publishers are transforming into profitable streaming channels
Navdeep Saini, co-founder and CEO, DistroScale, parent company of DistroTV Connected TV (CTV) has become one of the fastest developing channels in advertisers’ marketing mix today. The pandemic led to an increase in CTV consumption, with 75% of consumers watching more streaming content than before quarantines set in. With streaming viewership continuing to gain momentum, […]
Pay On Demand: Immediate payment for work growing in popularity as tech companies fight for talent
On-demand pay could be just the ticket for industries like the restaurant business struggling to find and keep workers in key roles.
Misfits Gaming partners with The E.W. Scripps Company in a bid to bring esports content to Floridian television viewers
Misfits’ is the most prominent Florida-based esports organization. Both its Call of Duty League team and its Overwatch League squad are based in the Sunshine State.