A Publisher’s Handbook : CCPA 2.0 (CPRA)

CPRA : New for Publishers 

Here are some potential aspects that could be relevant to publishers:

1. Sensitive Personal Information Category: The CPRA introduces a new category called “sensitive personal information,” which includes data such as Social Security numbers, financial account information, precise geolocation data, racial or ethnic origin, genetic data, and more. Publishers need to handle sensitive personal information with additional care and may need to obtain explicit consent from consumers to process this type of data.
2. Expanded Opt-Out Rights for Cross-Context Behavioral Advertising: Publishers engaging in cross-context behavioral advertising (targeted advertising based on user behavior across different websites and platforms) are subject to expanded opt-out requirements. The CPRA extends the opt-out right to cover the sharing of personal information for such advertising purposes.
3. Data Retention Limits and Purpose Limitation: The CPRA emphasizes data minimization and purpose limitation by requiring businesses, including publishers, to limit the retention of personal information to what is necessary for the purposes for which it was collected. This could impact how long publishers retain user data and the justifications for doing so.
4. Children’s Privacy and Consent: The CPRA enhances privacy protections for minors. For users under the age of 16, publishers may need to obtain opt-in consent for the collection and sale of their personal information. For users under the age of 13, opt-in consent is required from a parent or guardian.
5. Enforcement and Fines: The CPRA establishes the California Privacy Protection Agency (CPPA) as the enforcement authority for both the CCPA and CPRA. This agency has the authority to enforce penalties for violations. Fines for non-compliance, especially in cases involving the personal information of minors, can be significant.
6. Right to Correct Inaccurate Personal Information: The CPRA introduces a new right for consumers to correct inaccurate personal information held by businesses. Publishers need to have processes in place to handle such correction requests.
7. Joint Liability for Data Sharing: If publishers share data with third parties, the CPRA introduces the concept of joint liability. This means that if a third party misuses the data, both the third party and the business that shared the data can be held accountable.
8. Impact on Service Providers and Contractors: The CPRA clarifies and refines the definitions and relationships between businesses, service providers, and contractors. Publishers need to understand these relationships to ensure proper compliance.
9. Updated Privacy Policy Requirements: The CPRA introduces new requirements for privacy policies, including the need to disclose retention periods for different categories of personal information.
10. Data Protection Impact Assessments (DPIAs): The CPRA gives the CPPA the authority to require businesses, including publishers, to conduct and submit DPIAs for certain high-risk data processing activities.

Modifications to CCPA by CPRA:

1. Opt-out of Cross Context Behavioral Advertising :  The Consumer Data Protection Act (CCPA) contains a provision that permits consumers to prohibit publishers from selling data to third parties. However, given the ambiguity of the term ‘sell’, many publishers engaged in cross-promotion behavioral advertising were excluded from this provision. Due to the fact that behavioral advertising does not necessitate the ‘sale’ of customer data, it has left many consumers and digital advertisers perplexed. However, the Consumer Product Rights Authority (CPRA) has clarified this ambiguity by incorporating the concept of the “sharing” of consumer data into its scope of application. Under the CPRA, the consumer has the right to “opt-out” from the context of behavioral advertising. This will prevent businesses from using their personal data to sell or share for advertising purposes. In addition, according to the CPRA, the definition of Cross-Cultural Behavioral Advertising is as follows: “Cross-cultural behavioral advertising” refers to targeted advertising that uses a consumer’s personal information collected from their online activity across distinct brands of websites, brands of businesses, brands of applications, brands of services, and brands of products other than the targeted business, brand of application, brand of website, or brand of service that the consumer deliberately interacts with.”
2. Contractual Requirements :  Under the CPRA, businesses must enter into appropriate contracts with their SPSPs and contractors to restrict the storage, use, or disclosure of personal data for any purpose other than the scope of the contract. These contracts will allow businesses to control the consumer data that they share with other parties by monitoring compliance with the terms of their contract. Businesses may conduct a review, automated assessment, and audit at least once per year to make sure the consumer data is not sold or made available by their SPSPs outside of the scope of the agreement. 
3. Security Audit :  Under the CCPA, publishers are required to take reasonable steps to protect the privacy of consumer data. However, under the CPRA, the requirements are even stricter. Under the new rules in the CPRA, those who collect personally identifiable information (PII) about consumers are required to conduct an annual cyber security audit and provide the CPPA with a risk analysis report. The risk assessment should consider the potential risks and benefits associated with the processing of consumer data. If the benefits outweigh the risks, then the CPPA can restrict or prohibit the processing of such data under the CCPA or the CPRA. 

Penalties for Violations:

If a publisher is non-compliant and is found to be in violation of the CPRA, civil penalties are $2500 to $500 per violation and $750 to $1,000 per violation if the court finds that the violation was intentional. The new CPRA also has a new $7500 penalty for violations (unintentional) of consumer privacy of minors. The law also makes it clear that providers of third-party services will be held accountable for any violations. Since publishers are responsible for protecting consumer data they collect, any violations of the law by third-party providers can also result in penalties for the publisher if they do not have a contractual agreement to protect consumer data. In addition, the CPRA has removed the provision in CCPA that allows a publisher or a business to avoid penalties if it can address and correct the violations within 30 days after being notified. 

Right of Private Action:

The CCPA gives consumers the right to take private action against a business for a breach of consumer’s personal information or sensitive personal information. This means consumers can sue companies for a breach of their personal information. 

However, the CPRA has changed the scope of this right to allow consumers to take private action only in the case of a breach of unencrypted and unredacted data. The CPRA also includes breaches involving ‘email addresses in combination with passwords or security questions and answers that may grant access to an account’, subject to a consumer’s right to a private action. 

In the event of a breach, consumers can seek damages from the court for damages ranging from $100 to $750 per consumer for each incident, or actual damages up to $1 million, whichever is greater, as well as injunctive and declaratory relief, or any other relief deemed appropriate by the court.

Future Beholds:

Currently, the Consumer Data Protection Act (CPRA) is one of the most comprehensive consumer data privacy laws in the country. With several new state regulations set to enter into force in 2023, it’s important for publishers to be well-prepared for the changes to come. With new privacy laws in the works in Colorado and Connecticut, as well as Utah and Virginia, publishers must continue to adhere to best practices to comply with privacy laws. 

Since sharing and storing consumer data is likely to be at the top of the list in most new privacy policies, publishers may want to consider using consent or data management platforms (DMPs) to monitor their data processing operations. 

While the CPRA has improved upon its predecessor, the Consumer Data Privacy Act (CCPA), updating the privacy frameworks is a top priority for publishers to prevent violations, as per the CPRA. Publishers should also make sure their third party service providers (SPPs) and ad tech partners (ADPs) are CPRA-compliant and create contractual agreements in place to protect themselves in the event of a violation.