CCPA introduced new rights for consumers to know which kinds of personal data businesses hold on them, to reject collection of this data, and to request that businesses delete it or abstain from passing it on to third parties.
While it only directly affected California residents, it had wide implications. CCPA laid a blueprint for other states to follow. But since California is the largest market in the US, it also prompted many companies to change their privacy practices altogether, not just in California.
Shortly after CCPA came into force, a stricter follow-up law was passed, the California Privacy Rights Act (CPRA). And many believe CPRA will have an even bigger impact than its predecessor.
The CPRA essentially strengthens privacy protections in California, bringing them more in line with the EU’s General Data Protection Regulation. The law adds new provisions for sensitive data, increases the range of cases where consumer consent must be granted for data to be used, and adds specific restrictions on online advertising.
As well as strengthening privacy rights, the CPRA establishes a new data protection authority, the California Privacy Protection Agency.
Enforcement of the CPRA will begin on January 1st, 2023.
The Technical Details
One of the key differences between CCPA and CPRA, at least as it applies to advertising, is that while CCPA mainly relates to the sale of personal data, CPRA relates to sharing of personal data.
The CCPA grants consumers the right to know about the personal information a business collects about them and how it is used and shared, and the right to delete personal information collected from them (with some exceptions). But opt-out provisions only relate specifically to the sale of personal information.
CPRA meanwhile grants four specific new rights to consumers, two of which are the right to know about automated decision making which involves personal data, and the right to opt-out of automated decision making which involves personal data.
It also modifies the existing rights to opt-out, allowing California residents to opt-out specifically from businesses sharing their personal information for the purpose of behavioural advertising.
So while CCPA only really put the brakes on businesses which sell personal data to be used in advertising, CPRA requires consent for any sharing and usage of personal data for behavioural advertising.
Some believe this effectively kills off most one-to-one tracking for targeting of online ads. Real-time bidding, which sees personal data shared between a host of different companies, might have to essentially be reworked in a way which either lets users explicitly opt-out of each party seeing that data, or to strip out the personal data completely.
And cookie-based tracking may well not be compliant with CPRA – which may have helped drive Google’s decision to end support for third-party cookies on Chrome.
Interestingly though, the law clearly separates personalised advertising from non-personalised advertising, and non-personalised advertising is exempt from out-in requirements. Thus, where personal data is used for things other than ad personalisation (measurement and attribution, for example), regulation might be lighter.
Beyond these advertising-specific additions, CPRA also adds GDPR-like requirements for businesses to minimise the data they store and collect, and the purposes they use it for.
And it also specifies a new type of personal data, ‘Sensitive Personal Information’ or SPI, which includes data on race, health, sexuality, religion, political beliefs and financial status. SPI receives specific protections under CPRA, including the ability for consumers to ask companies to limit the use of their SPI.
The Pros and Cons
The pros and cons of CPRA are somewhat subjective – given that its restrictions on personalised advertising could either be positive or negative depending on your viewpoint.
But simply taking CPRA as a piece of privacy regulation, there are arguments on both sides.
By adding in specific requirements around sensitive personal information, and requiring explicit opt-out capabilities for more use cases, CPRA will give more comprehensive privacy protections for consumers.
And the establishment of a specific agency to enforce CPRA should make it more effective, since enforcement of CCPA was left to the attorney general’s office.
But some privacy advocates see it as still not going far enough, or in some ways a backward step.
For a start, consent mechanisms for use of personal data are still ‘opt-out’ rather than ‘opt-in’, meaning that companies can still collect and use personal data by default.
And CPRA actually requires users to opt-out for each individual company which uses their data, rather than having a general ‘do not sell or share my data’ option which was enabled under CCPA.