On Election Day, California voters approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Referred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm shifting 2018 California Consumer Privacy Act (CCPA), which went into effect in January 2020 and became subject to enforcement in July 2020. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and the extent of the CPRA’s regulatory mandates far exceed those of the CCPA.
The CPRA will significantly impact consumer’s rights and business obligations in respect of interest-based advertising and other AdTech activities. The CPRA gives a nod to the GDPR and will regulate “profiling,” which it defines as “any form of automated processing…to evaluate…personal preferences, interests…[or] behavior,” though is also to be fleshed out in the Regs. Another one of the significant new terms implicating digital advertising is that of “cross-context behavioral advertising,” defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts.” This definition clearly covers traditional interest-based advertising activities and is directly invoked in the new concept of “sharing,” which includes the same transfer activities in the definition of sale (e.g., “making available”), but applies only in the context of cross-context behavioral advertising. There is no requirement for consideration for a transfer of PI to be considered to have been “shared.” Arguably, by creating a distinct regulated activity rather than clarifying that this activity is type of “sale”, many cross-context behavioral activities (i.e., those without valuable consideration provided directly in exchange for the data disclosure), would now be excluded from the definition of “sale” and implicate only sharing and not sales. In addition, the new definition and provisions regulating the use and disclosure of sensitive PI includes precise geolocation data and other data used in interest-based advertising.
As a result, as if businesses have not struggled enough with the vexing “Do Not Sell” right under the CCPA, in particular as it relates to digital advertising, they will have to grapple with four seemingly overlapping consumer rights under the CPRA: 1) Do Not Sell, 2), Do Not Share, 3) Do Not Profile, and 4) Limit the Use of Sensitive PI. Moreover, some consequential revisions open the door to a possible opt-in regime.