California’s ‘CCPA 2.0’

CPRA strives to “share” data and not just to sell it.

While most people focus on Tuesday during the U.S. presidential election, Californians vote (or vote) for the 24th bill, the California Privacy Rights Act of 2020 (CPRA). In some circles known as ‘CCPA 2.0’, CPRA was established by its sponsors to expand and strengthen the CCPA.

CPRA is likely to be successful. The survey suggests that it is likely to be successful, with a significant majority (80%) of respondents. Although the polls fall by 20 points, the CPRA will continue to make progress, as it only needs a simple majority. Not all consumer protection organizations have tolerated this. The CPRA, for example, is against ACLU, the Green Party, and the Union.

Proposal 24 is the work of a group led by California real estate developer Alastair Mactaggart. The same group presented the original proposal for the second round of the state a few years ago and asked the California legislature to approve the CCPA, which went into effect this year. But Mactaggart sees the CCPA as a kind of ‘baseline’ and was not entirely happy with its implementation.

What will you do if it takes effect?

The CPRA will only come into effect on 1 January 2023; until then, the CCPA will remain in force. The CPRA expands consumer rights and makes new demands on companies. CPRA does the following, among others:

• Prevent businesses from sharing personal information (IP) (IP) (IP) (IP)

• Restrict the use of “confidential personal information”, including the exact location, race, religion, sexual orientation, social security information, specific health information, and other categories of intellectual property.

• Prohibit the storage of personal data for longer than necessary

• Triple the penalty for offenses involving minors under 16

• Set up a new California Privacy Protection Agency to replace the Attorney General’s Office as an implementing regulation

• Improve consumer privacy

• Create new obligations to break links

The new definition of hedged assets. The CPRA changes a bit who is a closed ‘society’ and who should respect it. In some cases, it increases coverage and in some cases promotes smaller businesses. To be a CPRA-covered company, one of the following must be present:

• The Company earns at least 50% of its annual revenue from the sharing or sale of intellectual property by consumers in California

• The company has gross sales of more than $ 25 million

• Buy, sell or share the intellectual property of more than 100,000 consumers/homes in California. Devices no longer matter

The third point is the biggest change, the increase in the number of consumers/households under CCPA by 50,000. This means that more small businesses are not covered by the CPRA. As mentioned, however, the CCPA with its lower limit will still apply until 2023.

Share, not just sell. To fill a CCPA gap that some companies have relied on to avoid compliance – we don’t “sell” data, so the CCPA doesn’t apply to us – CPRA adds the word “share.” However, the term is qualified and used specifically in connection with cross-behavioral advertising, paid or unpaid, including transactions between a business and third party contextual advertising, on behalf of a business. Where no money is exchanged.

Consumers now have the right to “end the sales session and share their personal information”. This means that companies that are otherwise covered can no longer escape compliance because they don’t sell data to third parties.

Additional consumer rights. There are several additional rules and consumer rights that are introduced or changed under the CPRA. Only some of them are:

• The ability to correct inaccurate IP addresses

• Creation of new rules for the right to revoke the use of “automatic decision technology”. This includes the consumer and employee profile in terms of job performance, economic status, health, location, and other factors. The consumer also has the right to access “relevant information on the logic involved in these decision-making processes, as well as a description of the likely outcome of the process in relation to the consumer”.

It’s unclear exactly how this second recap would translate into the real world of compliance and enforcement, but it appears to place potential limits on the use of AI/machine learning algorithms to make decisions about consumers or employees.

Because we care.

 Assuming the law is successful, there are also a number of things that could change between tomorrow and 2023, such as federal privacy laws that could prevent the CPRA. However, companies covered by the CCPA must study and understand the new requirements. They must comply with the CCPA, but they must consider how the CPRA can change some of its practices.

The impact on digital marketing can be significant. The concept of “sharing” information is much broader than selling; however, the rule of exclusion is qualified by the idea of behavioral or interest-based segmentation. It seems that it is still possible to share the data with agencies and many marketing providers.

Ultimately, it remains an opt-out scenario rather than an opt-in scenario, as in AVG. In practice, most consumers do not choose the CCPA due to the complexity and time involved. The CPRA will not necessarily change this problem. Things like the IDFA expiration and the removal of cookies can have greater consequences for marketers.

Regardless, it is important that marketers and publishers are willing to comply with the CPRA if accepted. At the same time, marketers should focus on better educating consumers about the benefits of personalization.

Translate »