What is the California Privacy Rights Act (CPRA)?

Don Don | June 25, 2020 | data privacy

Before the California Consumer Privacy Act (CCPA) even started the enforcement phase, privacy advocates had already proposed making it tougher with stricter penalties. The California Privacy Rights and Enforcement Act of 2020 has been filed to create a statewide ballot initiative in the fall.

Update Sept 28, 2021 - California Privacy Protection Agency is seeking comments on CPRA, in particular the 8 points covered in this CPRA article.

>>> Upcoming IAB Webinar on a toolkit for CPRA compliance and readiness. The CPRA Toolkit includes a checklist of action items, CPRA contractual language, and more.

What is CPRA?

The CPRA (California Privacy Rights Act) is an expansion of the CCPA (California Consumer Privacy Act) implemented Jan 1, 2020. CPRA seeks to protect more types of privacy information, provide additional rights for consumers, establish an oversight entity, and detail rights specific to minors.

The same group that pushed the agenda on CCPA, Californians for Consumer Privacy, submitted more than 900,000 signatures to qualify the CPRA for the November 2020 ballot.

What is CCPA?

CCPA grants California consumers specific rights regarding the collection, use, storage, and sale of personal data by businesses. It is the strictest set of privacy regulations to date in the United States. CCPA enforcement by the California AG began on July 1st, 2020. It grants online users these six key rights:

  • The right to know what personal information is being collected
  • The right to know if (and how) their personal information is being shared or sold
  • The right to opt-out of the sale of personal information
  • The right to access their information
  • The right to have their personal information deleted (with exceptions)
  • The right not to be discriminated against for exercising their rights

Under the Act, a sale isn’t limited to strictly financial transactions. CCPA grants consumers rights for any data that is used for what it calls valuable consideration. The California AG ruled that includes such items as the exchange of data for targeting or ad delivery.

Under the CCPA, personal information goes well beyond items such as a user’s name, address, phone number, or biometric data such as fingerprints. It also includes cookies and browsing history, IP addresses, mobile ad IDs (MAIDS), geolocation data, device identifiers, or other interactions with ads, websites, or apps.

For more information about CCPA, visit the Megalist of CCPA Resources, Checklists, and Guidance.

How is CPRA Different than CCPA?

CPRA contains six key expansions on CCPA, going further in both consumer rights and business limitations:

  • CPRA establishes a new category of sensitive personal information (SPI)
  • Adds limitations on tracking
  • Establishers broader legal recourse rights for consumers
  • Adds specific protections for minors
  • Provides consumers a 'right of correction' for personal data
  • Establishes the California Privacy Protection Agency

Additional Consumer Rights Under CPRA

New Category of Sensitive Personal Information (SPI)

  • Social security number
  • Driver’s licenses
  • Passports
  • Religion
  • Race
  • Union Membership
  • Personal communication
  • Genetic data and other health information
  • Information about sex life or sexual orientation

Limitations on Tracking

The CPRA also strengthens language about geolocation. It would give consumers the ability to prevent businesses from tracking a consumer’s geolocation for most purposes – including advertising – within a roughly 250-acre radius.

Broader Legal Rights

It also gives broader legal rights to consumers. Besides enforcement penalties by the state, it would give consumers the right to sue businesses for negligent data breaches without having to prove and actual financial loss. Under the CPRA, if a company is negligent in proactively protecting your SPI, or items such as your email password, you may be able to sue.

Additional Protections for Minors

The CCPA prohibits the sale of any personal data of anyone under the age of 17 without expressed consent. For children under 13, it requires parental consent. Under the California Privacy Rights Act, sites are required to ask the user’s age, requires the consent to be opt-in (rather than opt-out), and triples the fines for violations.

Right of Correction

The CCPA allows consumer to request the deletion of personal data and opt-out of allowing businesses to sell personal data but does not allow corrections. The CPRA would allow consumers to request corrections to stored data if it is inaccurate.

The California Privacy Protection Agency

A key tenant of the CPRA is the establishment of the California Privacy Protection Agency to oversee privacy and act as a consumer advocate. The ballot initiative requests $10 million from the state’s General Fund. “This funding,” the initiative proposes “would equate to roughly the same number of privacy enforcement staff as the FTC (Federal Trade Commission) has to police the entire country.”

Who Does the CPRA Apply To?

Organizations do not need to be located in California to be impacted. Both CCPA and CPRA would apply to companies doing business with California residents.

What Are the Key Dates for CPRA?

Assuming the initiative passes the signature verification process, the CPRA would be on a statewide ballot on November 3, 2020. It can be passed into law by a simple majority of California voters.

If passed, several provisions go into effect immediately, including the formation and funding of the California Privacy Protection Agency. These include the following sections:

  • 1798.145(m) and (n)
  • 1798.160
  • 1798.185
  • 1798.199.10-.40
  • 1798.199.95

You can read the specifics here.

The majority of the Act would not go into effect until January 1, 2023.

Other Key Dates

  • July 1, 2021: The start date for the rulemaking process
  • January 1, 2022: a 12-month “look back” process begins. While the CPRA would not go into effect fully until January 1, 2023, it would apply to personal information collected starting January 2022 with some exceptions, such as the right to access and correct.
  • July 1, 2022: The final date for regulations to be adopted
  • January 1, 2023: Effective date and expiration of some exemptions

The idea behind this complex timeline is to given lawmakers and administrators time to finalize the guidelines. It also gives organizations time to comply.

Even after the original CCPA passed, it was amended several times and specific portions were changed, such as what qualified as “personal information.” The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018. Companies were given until January 2020 to comply and granted a 6-month “grace period” before being enforced. Effective July 1, 2020, enforcement could begin.

A similar process will be adopted by the CPRA.

What Do Publishers Need to Know about CRPA?

Just like with the CCPA, the CPRA will take significant measures to comply. Personal information will only be able to be stored and used for the specific and limited purposes permitted under the Acts. It will expand what’s considered personal information and require explicit notices for the delivery of advertising if publishers choose to sell the information or use it to target or deliver digital advertising.

The checklist for compliance with the CCPA will need to be amended to include the enhanced regulations if the CPRA becomes law. Even if it’s passed, there will be guidelines and details that will be included in future rulemaking that aren’t available today.

As a Consent Management Platform (CMP), Admiral monitors privacy consent regulations affecting online publishers across the US and globe. For questions about CMPs, visit FAQ: Consent Management.

More Data Protection Laws Are Coming

As news of data breaches, misuse of consumer data, and privacy continues to become public concerns, it’s raised the profile of data privacy for consumers. 84% of people taking part in a study by Cisco reported they want more control over the data and its use.

For publishers, this is just the beginning. A dozen states have introduced data protection and privacy legislation recently, including Illinois, Maine, Massachusetts, Nevada, New Jersey, and Pennsylvania. There is also a push to create national data protection regulations and the formation of a Data Protection Agency.

Complying with CPRA, CCPA, and GDPR

Staying up to date on all of the privacy regulations and the nuances of GDPR, CCPA, and the potential passage of CPRA can be a nightmare for publishers. That’s why so many publishers have turned to outside help from Admiral to manage their visitor privacy and consent. One of the industry’s first IAB compliant content management platforms (CMP), Admiral automatically IDs site visitors coming from California IPs, provides visitors a user interface to opt-out of data sales, and is compatible with IAB framework for sending opt-out information to downstream vendors.

Admiral can be installed with one simple tag and allow publishers to start managing visitor privacy and consent settings with five minutes of sign up.

Contact Admiral for a demo today.  

Get a Free Account Now with Revenue Analytics Dashboard

Get Admiral Free