Blog 7 min 11/10/2020

CPRA: The Implications on the Ad Tech Industry

On November 3, 2020, Californians voted the California Privacy Rights and Enforcement Act (CPRA, CCPA 2.0 or Prop24) into law. The CPRA makes a variety of amendments to the requirements in the California Consumer Privacy Act (CCPA), including requirements that will directly impact the ad tech industry.

Although provisions in the CPRA will not go into effect until January 1, 2023, many publishers and advertisers will need to understand and prepare for these requirements ahead of time to stay ahead of the curve.  

Here are the highlights the ad tech landscape should especially pay attention to:  

New Definition for Sensitive Personal Information  

The CPRA has defined a new type of personal information called Sensitive Personal Information. This definition includes information such as driver’s license, social security and passport numbers, consumer account logins, precise geolocation, the content of the email, genetic information, sexual orientation, and more.  

Under the CPRA, consumers will have the right to direct a business to limit the use of sensitive personal information to what is needed to perform services or provide goods. To fulfil this right, businesses will need to create a “Limit the Use of My Sensitive Personal Information” link, much like the “Do Not Sell My Personal Information” link already required under the CCPA.  

Expansion of “Do Not Sell” to Include “Do Not Share”  

The CPRA introduces the concept of “sharing data” for ad targeting, which is similar to the sale of data but not in return for money or valuable consideration.  The law will give consumers the right to opt-out of the “sharing” of their data, making it harder for advertisers to target consumers based on data shared about them.  The new act will allow for consumers under 16 years old to opt-in to the sale and sharing of data, with consumers under 13 requiring parental consent to opt-in

CPRA also specifically calls out cross-contextual behavioural advertising.  Consumers will be able to opt-out from receiving ads third-party data and online behaviors. Publishers will be required to display a “Do Not Sell or Share My Personal Information” link on their homepage to allow consumers to opt-out from receiving targeted ads based on third party data and online behaviors.    

Previously, the CCPA allowed “service providers” to process people’s personal information collected by another company without the sharing of that data being considered a sale under the law. T The CPRA now explicitly calls out “cross-context behavior advertising”. As a result, ad tech vendor publisher may no longer use service provider processing as a valid exemption. Downstream vendors will be obligated to comply with those data subject requests. 

The CPRA states, “A service provider or contractor shall not combine the personal information of opted-out consumers which the service provider or contractor receives from or on behalf of the business with personal information which the service provider or contractor receives from or on behalf of another person or persons, or collects from its interaction with consumers.” 

Updated Consumer Rights  

The CPRA provides consumers with a variety of new consumer rights. As mentioned above, the term “share” has been added to refer to the sharing of personal information to a third party for cross-context behavioral advertising purposes, regardless of whether or not monetary or another valuable consideration is exchanged. As such, the CPRA now includes the right to opt-out of sharing personal information, and the original “Do Not Sell” link has been adjusted to “Do Not Sell or Share” to reflect this new right.  

Additionally, consumers will have the right to correct inaccurate personal information. Businesses must take reasonable steps to do so after verifying the consumer’s identity. In order to be fully compliant businesses should implement internal processes to rectify inaccurate personal information.  

The existing right to access has also been amended. Specifically, in the CCPA, businesses were only required to provide information from the twelve months preceding the access request. In the CPRA, however, the twelve-month limit has been removed. If the information is held maintained for more than twelve months, a business may have to provide more information than it did under the CCPA.  

 The Creation of a New Enforcement Agency  

Under the CPRA, there will be an agency called the California Privacy Protection Agency dedicated to enforcing the new privacy law. As enforcement begins, the agency will fine businesses $2,500 for each violation of the CPRA or $7,500 for “intentional violations”. As a reminder, a “business” under the CPRA is a company that has reported gross revenue of $25 million or above in the preceding calendar year and buys, sells, or shares personal information of 100,000 or more consumers or households per year. 

These are only some of the changes that can be found in the CPRA. However, these topics create a solid starting point for businesses looking to start adjusting their practices in preparation for the CPRA. While the effective date of January 1, 2023, seems far away, we all know how quickly that day will come, and it is a good idea for businesses to begin thinking about necessary changes sooner rather than later.  

Further CPRA and CCPA reading:

Next steps on CPRA:


Onetrust All Rights Reserved