California’s ‘CCPA 2.0’ is probably going to pass, here’s what changes
CPRA takes aim at data 'sharing' and not just sales.
Update 11/4: The California Privacy Rights Act passed on Tuesday.
While most people are focused Tuesday on the U.S. presidential election, Californians are voting (or have voted) on ballot proposition 24, the California Privacy Rights Act of 2020 (CPRA). Known in some quarters as “CCPA 2.0,” CPRA was intended by its sponsors to expand and strengthen CCPA.
CPRA will probably pass. Polling suggests it’s likely to pass, with a significant majority (80%) of those surveyed in favor. Even if polling is off by 20 points, CPRA will still go through because it only requires a simple majority. However, not all consumer advocacy organizations have lined up behind it. For example, CPRA is opposed by the ACLU, Green Party and League of Women Voters.
Proposition 24 is the work of a group spearheaded by California real estate developer Alastair Mactaggart. The same group generated the original state-ballot proposition several years ago that pressured the California legislature into passing CCPA, which went into effect this year. But Mactaggart sees CCPA as a kind of “baseline” and has not been fully satisfied with its implementation.
What it does, when it would take effect. CPRA would not take effect until January 1, 2023; until that time CCPA would remain in force. CPRA expands consumer rights and imposes new requirements on businesses. Among other things, CPRA does the following:
- Prevents businesses from “sharing” personal information (PI)
- Limits use of “sensitive personal information,” including precise location, race, religion, sexual orientation, social security information, specified health information and other categories of PI
- Prohibits retention of personal information for longer than necessary
- Triples penalties for violations involving minors under 16
- Creates a new “California Privacy Protection Agency” to replace the attorney general’s office as the statute’s enforcer
- Expands the private right of action for consumers
- Creates new obligations for opt-out links
New definition of a covered business. CPRA slightly changes who is a covered “business” and thus who must comply. In some cases it expands coverage and, in one specific instance, exempts more small businesses. To be a covered business under CPRA, one of the following must be present:
- The business derives at least 50% of annual revenue from sharing or selling the PI of California consumers
- The business has gross revenue over $25 million
- The business buys, sells or shares the PI of more than 100,000 California consumers/households (devices no longer count)
The third bullet is the major change, upping the number of consumers/households from 50,000 under CCPA. This means that more small businesses will be outside the scope of CPRA. However, as mentioned, CCPA with its lower threshold would still apply until 2023.
Sharing not just selling. To close a CCPA loophole that some businesses have relied upon to avoid compliance — we don’t “sell” data so CCPA doesn’t apply to us — CPRA adds the word “sharing.” The term, however, is qualified and used specifically in connection with “cross-context behavioral advertising . . . whether or not for monetary or other valuable consideration, including transactions between a business and third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Consumers now have a right to “opt-out of the sale and sharing of their personal information.” This means otherwise covered businesses can no longer avoid compliance because they don’t sell data to third parties.
Additional consumer rights. There are a number of additional rules and consumer rights being introduced or modified under CPRA. Just a couple of those are:
- The ability to correct inaccurate PI in possession of the business
- Creation of new rules governing opt-out rights connected with use of “automated decision making technology.” That includes consumer/employee profiling tied to work performance, economic circumstances, health, location and other factors. The consumer also has a right to access “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
It’s not exactly clear how this second bullet would translate into the real world of compliance and enforcement, but it appears to impose potential limits on the use of AI/machine learning algorithms to make business decisions about consumers or employees.
Why we care. Assuming the law passes, there are also any number of things that might change between tomorrow and 2023 – such as federal privacy legislation that potentially preempts CPRA. However, companies subject to CCPA should study and understand the new requirements. They should continue complying with CCPA but need to consider how CPRA might change some of their operational practices.
The impact on digital marketing may be significant. The concept of information “sharing” is much broader in scope than selling; however, the opt-out rule is qualified by the idea of behavioral or interest-based targeting. This would appear to still permit sharing of data with agencies and many marketing vendors.
In the end, this remains an opt-out scenario rather than opt-in, as under GDPR. As a practical matter, under CCPA, most consumers do not opt out because of the complexity and time involved in doing so. CPRA wouldn’t necessarily change that issue. Things like IDFA deprecation and the elimination of cookies may ultimately be more consequential to marketers.
Regardless, it will be important for marketers and publishers to get ready to comply with CPRA, assuming it passes. Marketers should be focused in tandem on better educating consumers about the benefits of personalization.