With the passage of the California Privacy Rights Act (CPRA, aka Prop 24), the CCPA, already strict in its interpretation of PII, expands consumer rights and places new requirements on businesses. A few loopholes close, definitions gain clarity – and it becomes even more imperative to educate and notify consumers on data use, personalization, and so forth. Social media and other tech-related businesses will need to double down on how they collect and use information, particularly when you consider ad personalization.
The somewhat good news? You have a couple of years to get your ducks in a row for the CPRA. January 1, 2023, is the current effective date. In the meantime, you still need to comply with CCPA as it stands, while preparing for the California Privacy Rights Act.
Are you a CPRA Covered Business?
Here’s how to know if it applies to you and your business. The first one is the biggest change.
- Does your business buy, sell, or share personal information (PI) of more than 100,000 California consumers or households? Note – the increase to 100,000 from 50,000 means more small businesses are exempt from compliance – after January 1, 2023.
- Do you have gross revenue of more than $25 million?
- Does your business get at least 50% of its yearly revenue from the sharing or selling of California consumer PI?
If you answer “Yes” to any of the above, you’ll qualify as a Covered Business and will need to comply with the Act by January 1st of 2023.
Going away: the “Share” vs “Sell” Loophole.
Yep. That squirmy definition is going, going, gone. The Act goes beyond the CCPA to include “sharing” PI. You will need to understand the full context of how “sharing” is defined, however. Here’s the legalese of that excruciatingly qualified term:
“cross-context behavioral advertising . . . whether or not for monetary or other valuable consideration, including transactions between a business and third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Also because of this loophole closure, California consumers must be able to opt out of both the sharing and the selling of PI. As I mentioned above, companies and websites – like Google, Facebook, etc. – do a lot of ad personalization. As “free” platforms, they make their money through advertisers, third-party data collection, and so forth. Prop 24’s passage potentially impacts their bottom line negatively.
There’s more that we can dig into in later articles, such as how digital marketing will need to change, what happens if federal privacy laws change in a way that would pre-empt the CPRA, and even how AI or automated procedures could be affected.
In the interim, begin looking at what affects your business. It’s never too early to begin preparing.
Apgar & Associates’ Julia Huddleston, CIPP/US, CIPM, CCSFP works with clients on certification prep, such as for SOC2 and HITRUST, as well as compliance assessments, security risk analyses, policy and procedure review, and implementation. Contact her at 503-384-2538 with questions about your company’s certification and compliance situations.