While another vote count is getting most of the attention right now, it’s worth taking a moment to explore the California Privacy Rights Act of 2020 (CPRA), which passed on Tuesday. Known in some quarters as “CCPA 2.0,” CPRA was intended by its sponsors to expand and strengthen CCPA. What it does, when it would take effect. CPRA would not take effect until January 1, 2023; until that time CCPA would remain in effect. CPRA expands rights and imposes new requirements on businesses. Among other things, CPRA does the following: Prevents businesses from “sharing” personal information (PI) Limits use of “sensitive personal information,” including precise location, race, religion, sexual orientation, social security information, specified health information and other categories of PI Prohibits retention of personal information for longer than necessary Triples penalties for violations involving minors under 16 Creates a new “California Privacy Protection Agency” to replace the attorney general’s office as the statute’s enforcer Expands the private right of action for consumers Creates new obligations for opt-out links New definition of a covered business. CPRA slightly changes who is a covered “business” and thus who must comply. It will both expand and, in some cases, exempt businesses. For example, to be a covered business under CPRA, one of the following must be present: The business derives at least 50% of annual revenue from sharing or selling the PI of California consumers The business has gross revenue over $25 million Buys, sells or shares the PI of more than 100,000 California consumers/households. Devices no longer count The third bullet is the major change, upping the number of consumers/households from 50,000 under CCPA. This means that more small businesses will be outside the scope of CPRA. However, as mentioned, CCPA with its lower threshold would still apply until 2023. Why we care. The impact on digital marketing may be significant. The concept of information “sharing” is much broader in scope than selling; however, the opt-out rule is qualified by the idea of behavioral or interest-based targeting. This would appear to still permit sharing of data with agencies and marketing vendors. In the end, this remains an opt-out scenario rather than opt-in, as under GDPR. As a practical matter, under CCPA, most consumers do not opt out because of the complexity and time involved in doing so. CPRA wouldn’t necessarily change that. Things like IDFA deprecation and the elimination of cookies may ultimately be more consequential to marketers. There’s more analysis here >> |