TechLand Blog

California Privacy Rights Act (CPRA): A Yellow Signal to Publishers

The programmatic ecosystem aims at providing a level-playing field to all its participants. Regulations in the forms of GDPR and CPRA bear testimony to the fact that data processing can prove to be an expensive state of affairs as far as consumer privacy is concerned. 

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill passed into law in November 2020. It is deemed to be effective from 1st January 2023 and is scheduled to be enforced from 1st July 2023. The bill was introduced as an upgraded version of the California Consumer Privacy Act (CCPA). CCPA was passed in June 2018 and the act came into effect in January 2020. 

The main aim of CCPA was to ensure transparency in terms of how the user data is being used by the website owners/publishers. Only focused on the citizens of the U.S state of California, CCPA required various clarifications on multiple grounds. Thus, it was amended and passed as the California Rights Privacy Act in 2020. This act shall apply to all the businesses dealing with the residents of California and has certain revisions in terms of defining terms like ‘Sharing’ and ‘Sensitive Personal Information’ 

Let’s understand the various rights guaranteed under this act and why should it concern publishers in the programmatic ecosystem.

Overview of CPRA

1. The California Privacy Rights Act (CPRA) has established a California Privacy Protection Agency (CPPA) to enforce, regulate and effectively implement the Act.

2. The CPRA has incorporated new and expanded definitions of a few crucial terms. These include the following:

a. Sharing: The Act defines sharing as the ‘disclosure of personal information to a third-party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.’

b. Business: This now includes bigger businesses that generate a large income from the collection, sharing and/or selling of California’s personal information. 

c. Sensitive Personal Information: This add-on category in the definition of personal information includes regulatory requirements based on Social Security Number (SSN), Passport Numbers, Bio-metric data and genetics, etc. 

d. Publicly Available Information: This definition has been expanded and includes ‘Information that a business reasonably believes has been lawfully made available to the general public from widely distributed media or by the consumer’ and ‘information given by a person to whom the consumer has disclosed the information- if the consumer hasn’t limited the information to a specific group of people ‘

3. The CPRA has also expanded consumer rights. These include:

  • The right to opt-out of sharing personal information
  • The right to correct and delete personal and inaccurate information
  • The right to opt-out of automated decision-making and profiling
  • The right to access data
  • An expanded private right to the action

4. The CPRA has also included provisions to make businesses responsible for how the third parties use, share or sell the personal information collected by the businesses. Moreover, it also requires businesses to actively implement “reasonable security procedures and practices” in the form of annual cybersecurity checks to protect the data collected from any form of mishandling. 

Why should CPRA bother the Publishers?

It isn’t rocket science to understand that in the digital advertising space, the most valuable asset to the publishers is user data that enables them to takes marketing decisions effectively. With CPRA in place, the same users now have the right to demand where, why, and how is their personal information being used. Moreover, as an expanded right, the users also have the right to opt-out of sharing their personal data without providing any justification for it. 

Therefore, these provisions now require the publishers to be more transparent to the users in terms of revealing how they use such data. Moreover, CPRA is fine-regulated. For intentional violation of the Act, the fine is set at $7,500 and for non-intentional violation, the same is set at $2,500. Moreover, the user can always file a lawsuit against the company on grounds of non-compliance which, if proven, may severely damage the company’s reputation.

As users can ask their data to be deleted at any point, publishers are now required to carefully monitor their privacy policy and ensure strict compliance with CPRA. 

CPRA vs GDPR – Know the difference


Leave a Reply

Your email address will not be published. Required fields are marked *