What Is CPRA (CCPA 2.0) And Its Implications for Ad Tech?

Although the California Consumer Privacy Act (CCPA) has only been in effect for a mere 6 months and enforcement just started on July 1st, 2020, it could be the case that California’s landmark privacy regulation is overhauled by a new privacy law as soon as later this year.

Californians for Consumer Privacy, led by real-estate-developer-turned-privacy-activist Alastair Mactaggart who was the initiator of what ultimately became the CCPA, has gathered the required number of signatures to put the California Privacy Rights Act of 2020 (CPRA) on the November 2020 ballot. 

As businesses, privacy advocates, and consumers push for various forms of federal regulation to create a national standard for digital privacy, it’s crucial to monitor California as it has become the major privacy battleground since it passed the CCPA. California has and will seemingly continue to define the national conversation on personal data rights.

The CPRA 

The CPRA proposes significant amendments to the CCPA, with many of the proposed rules bearing similarity with those of the European Union’s General Data Protection Regulation (GDPR).

For instance, it will: expand the breadth of notice, access, and deletion rights that are currently set; add new privacy rights for consumers; trade secret exemptions; updated “business” definition, and add an administrative enforcement agency. The newly formed California Privacy Protection Agency would have the sole responsibility of providing guidance and regulations on various issues related to personal data privacy.  

While there are many areas of the CCPA that would be updated, this post will focus on the amendments specifically important to the online advertising ecosystem, as the CPRA introduces rules meant to address the current ambiguity surrounding AdTech and Real-Time-Bidding (RTB). 

New Opt-Out Requirements and “Sale” Definitions For AdTech 

The proposed text for the CPRA gives, now for the first time, a definition for “Cross-context behavioral advertising”:

the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally Interacts. 

While the CCPA’s existing definition of a “sale” of personal information already covered many business cases and data sharing activities that are part of the AdTech industry (we covered this and the IAB’s proposed compliance framework in a previous post), there were a host of exceptions; this lead to many companies waiting to see how broadly this definition would be interpreted by the Attorney General and courts. The CPRA considers “cross-context behavioral advertising” so important as to include a specific opt-out from this type of advertising.

This is combined with a broadening of the definition of the “sale” of personal information by adding a clause about “sharing” of such information, which now specifically targets most tracking-based AdTech, including the relaying of RTB bid requests:

If the act is passed, this would solve the uncertainty related to the meaning of the word “sale” that the CCPA (AB-375) has created. Impacted businesses will now have to offer consumers the right to opt-out from any third-party ad tech cookie collection happening on their website or app.

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and o third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged.

If the act is passed, this would solve the uncertainty related to the meaning of the word “sale” that the CCPA (AB-375) has created. Impacted businesses will now have to offer consumers the right to opt-out from any third-party ad tech cookie collection happening on their website or app.

Additionally, this clarification directly addresses the data-sharing practices of the big “walled garden” companies (such as Facebook and Google) and will severely impact their current business models. Previously, Facebook and Google have used the existing ambiguity to claim not being data-sellers.

Lastly, the CPRA introduced the right to correct or rectify personal information, as is already possible under Europe’s GDPR. As personal information already includes inferences a company draws about an individual, this may provide an opportunity for both consumers and advertisers to improve the quality and relevance of ads.

Under the CPRA a consumer could now access the information and inferences a company has drawn about them and potentially correct that information, resulting in better advertising. Advertisers could thus be incentivized to make requests a more prominent part of their customer interaction, as they may benefit by getting higher quality first-party data, assuming consumers don’t also exercise their right to opt-out of this type of data sharing as well.

“Contractors” and Contractual Obligations for “Service Providers”

The CPRA also introduces the definition of “contractors” as persons to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract, just like the CCPA’s  “service providers” (i.e., persons who process personal information “on behalf of” a business). 

The CPRA proposes significant amendments to the CCPA, with many of the proposed rules bearing similarity with those of the European Union’s General Data Protection Regulation (GDPR).

While there has been ambiguity under the CCPA about service providers and sub-service providers (and sub-sub-service providers, etc.), the CPRA makes it clear that a contractor or service provider must notify the business if it wishes to engage any subprocessors, and it must do so “pursuant to a written contract binding the other person to observe all the requirements” of the underlying written contract it has with the business.

Additionally, the CPRA clarifies that service providers may not add any additional data to consumer profiles and gives businesses the right to “take reasonable and appropriate steps” to ensure personal information is not used for unauthorized purposes.

This impacts AdTech vendors who are processing personal information on behalf of publishers of digital property to service targeted ads and as a result, may see stronger contractual obligations, possibly involving audit rights and increased due diligence.

The CPRA would make service providers liable to uphold their compliance obligations and require them to assist with data subject requests (DSRs), similarly to the GDPR, as well as the newly introduced right to correct or rectify information. With contractors and service providers being exposed to this direct liability, AdTech vendors may look to offset the new costs and additional compliance risks by raising their fees and rates.  

Sensitive Personal Information (SPI) 

The CPRA would create a new sub-set of personal information: sensitive personal information (SPI), which is similar to the GDPR’s “special category personal data.”

SBI includes an individual’s race, religion, ethnicity, GPS or precise location information, certain biometric, genetic, health, and financial information, information from private messages (e.g., email and SMS), and any information relating to an individual’s sexual orientation or sex life, unless the information also happens to be publicly available. This imposes another obligation on businesses now having to review their data inventory for personal information that would be considered SBI and how such data is shared. 

Final Thoughts 

The CPRA initiative is a direct consequence of businesses and associations lobbying to defuse some of the more burdensome aspects of the CCPA. But unlike the CCPA, it will not go through the same legislative process and therefore will not be diluted. In an open letter announcing the initiative, which cites Facebook’s involvement with Cambridge Analytica and the security breach at Equifax, the nonprofit Californians for Consumer Privacy states that the CCPA “now seems insufficient”. The CPRA, as part of the November 2020 ballot will be a simple yes or no vote for California citizens.

Many of the amendments the CPRA proposes are directly aimed at removing ambiguity and closing loopholes of the current CCPA, which would severely impact the online advertising industry. As laid out above (and in our previous article), businesses need to weigh the impact new regulations have on their current business models, and develop strategies and systems to keep up with the quickly evolving data privacy landscape. 

With a focus on limiting businesses from collecting data without specific purpose, cross-using data, and a dedicated enforcement agency, the internal data “grab all you can” approach we’ve seen especially big tech firms use could be over. This would certainly lower the barrier of entry for data-driven markets and make companies review both business practices and business models, while having to stay on top of a fragmented and ever-changing privacy landscape.

Key dates regarding the implementation of the CPRA: