California voters on Tuesday night voted to pass Proposition 24, otherwise known as the California Privacy Rights and Enforcement Act, a move that will expand the state’s current online consumer privacy protections and remove its biggest area of ambiguity for publishers.
By the latest count released by the California Secretary of State’s office at the time of writing, 56% of voters supported the measure and 44% opposed it.
The CPRA will replace the current California Consumer Privacy Act, which only took effect this year. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.
“The ground is constantly shifting below these companies who are trying to comply,” said Pollyanna Sanderson, policy counsel at the Washington D.C.-based think tank the Future of Privacy Forum. “Now it’s shifted further.”
Here’s what publishers need to know about the forthcoming CPRA and how it applies to their businesses.
First it was “Do Not Sell” — now it’s also “Do Not Share”
A big criticism of the CCPA was its definition of a “sale” of personal information and whether or not that could be applied to digital advertising, where companies generally say they “share” data along the supply chain rather than sell it in the traditional fashion. Some publishers adopted the strict interpretation that they are involved with the sale of data under the law when using personal information in order to serve targeted ads; others said the law wasn’t clear enough to take that approach.
The CPRA removes that ambiguity from the law and more explicitly gives consumers the right to opt out of the “sharing” of their data. The legislation also specifically refers to the sharing of data for what it calls “cross-context behavioral advertising.” Publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link.
“Service providers” and “contractors”
The CCPA previously provided a “service provider” designation that companies can adopt in order to process people’s personal information collected by another company without the sharing of that data being considered a sale under the law. Because the CPRA now explicitly calls out “cross-context behavioral advertising,” the service provider designation is no longer a valid exemption for this purpose for the many ad tech vendors publishers might use. Downstream vendors too must comply with those data subject requests.
“A service provider or contractor shall not combine the personal information of opted-out consumers which the service provider or contractor receives from or on behalf of the business with personal information which the service provider or contractor receives from or on behalf of another person or persons, or collects from its own interaction with consumers,” the CPRA states.
Less ambiguity around “sensitive personal information”
The CPRA also more clearly describes what it defines as “sensitive personal information.” It includes a lot of the data that you might expect — social security numbers, credit card numbers, sexual orientation — but also other information, such as “a consumer’s precise geolocation,” which is often used for advertising.
Under the CPRA, consumers can limit how businesses use their sensitive personal information.
“Perhaps without intent or awareness a lot of advertisers are already building ad targeting models from that kind of data,” said Cillian Kieran, CEO of data privacy company Ethyca. The CPRA “requires advertisers and publishers to have a better handle on the source of information they are using” from downstream providers, he added.
The creation of a new enforcement agency
The CPRA will create an agency called the California Privacy Protection Agency dedicated to enforcing the new privacy law. The agency has the power to fine businesses $2,500 for each violation of the CPRA or $7,500 for what it deems are “intentional violations” or those that involve minors. A “business” under the CPRA is a company that has reported gross revenue of $25 million or above in the preceding calendar year and buys, sells, or shares personal information of 100,000 or more consumers or households per year.
“Creating a regulatory body with the teeth and budget and resources to go after businesses that are noncompliant certainly makes this more real,” said Kieran. “It demonstrates the seriousness with which California at state legislator level is taking this.”
The building blocks for a federal privacy law
The CPRA is likely to provide the building blocks for other similar state privacy laws and, ultimately, perhaps a federal privacy law down the line.
“I look forward to ushering in a new era of consumer privacy rights with passage of Prop 24, the California Privacy Rights Act,” said chair of the board of advisors for Californians for Consumer Privacy and former Democratic presidential candidate Andrew Yang in a statement. “It will sweep the country and I’m grateful to Californians for setting a new higher standard for how our data is treated.”
Opt-in versus opt-out
As always, with any sort of privacy intervention, some opponents have said the CPRA still doesn’t go far enough. The major distinction between the CPRA and Europe’s General Privacy Regulation is that the former runs on an opt-out basis, whereas the latter is formed around opt-in consent, said Brian Kane, COO of privacy compliance company Sourcepoint.
“It’s odd they didn’t include a consent component,” when drawing up the CPRA, said Kane. “That would be an area I would see it evolving to at some point.”
Still, even if further CPRA-related ballots did follow this path, some industry observers are confident that wouldn’t have too much of an impact on publisher revenues.
“We see the rate at which consumers provide consent [in Europe, under GDPR] tends to be north of 95%,” said Jeremy Arditi, chief commercial officer at ad tech company Teads.
In the meantime, “Opt out requires more effort on the users’ part — it’s a much more proactive approach,” said Arditi. “We strongly expect there to be a minimal impact based on that mechanism.”
Privacy ‘haves’ and ‘have nots’
Opponents have also argued that the law could create a two-tier system among those who can afford to opt out from their data being shared and those who can’t. A news publisher, for example, could give users the option of registering for a subscription rather than having to share their information for targeted advertising purposes.
The Electronic Frontier Foundation wrote in July about its concern that CPRA would lead to a rise of “pay for privacy schemes.”
“Unfortunately, pay-for-privacy schemes pressure all Californians to surrender their privacy rights,” wrote the EFF. “Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy ‘haves’ and ‘have-nots.’”