A Publisher’s Handbook : CCPA 2.0 (CPRA)

CPRA – California’s new & improved CCPA

The new and improved California Copyright Practices Act (CCPA), also known as the California Copyright Reform Act (CCRA-CA), is set to take effect on January 1, 2023. Here are some things you should know about the new CCPA.


The CCPA is a comprehensive data privacy law that was enacted in California and came into effect on January 1, 2020. It gives California residents greater control over their personal information that is collected and processed by businesses. Key provisions of the CCPA include:

  1. Consumer Rights: The CCPA grants consumers the right to know what personal information businesses collect about them, the right to request deletion of their data, and the right to opt out of the sale of their personal information.
  2. Notice and Disclosure: Businesses are required to provide clear and transparent notices to consumers about their data collection practices, including the types of information collected and the purposes for which it’s used.
  3. Opt-Out Rights: Businesses are required to offer an opt-out mechanism for the sale of personal information, allowing consumers to prevent their data from being sold to third parties.
  4. Non-Discrimination: The CCPA prohibits businesses from discriminating against consumers who exercise their rights under the law, including denying goods or services or charging different prices.


The CPRA, also known as Proposition 24, builds upon the CCPA and was passed as a ballot initiative in November 2020. It introduces more comprehensive privacy protections for California residents and establishes a new privacy enforcement agency, the California Privacy Protection Agency (CPPA). The CPRA’s provisions are set to be phased in over time, with full enforcement expected by 2023. Key features of the CPRA include:

  1. Sensitive Personal Information: The CPRA introduces the concept of “sensitive personal information” and provides enhanced rights for consumers regarding its processing, including the right to limit its use and disclosure.
  2. Expanded Opt-Out Rights: The CPRA expands the opt-out right to cover not only the sale of personal information but also the sharing of personal information for cross-context behavioral advertising.
  3. Data Retention Limits: Businesses are required to limit the retention of personal information to what is necessary for the purposes for which it was collected.
  4. Children’s Privacy: The CPRA establishes additional protections for the personal information of minors, including requiring opt-in consent for consumers under 16 and introducing a new category for consumers under 13.
  5. Enforcement and Fines: The CPRA empowers the CPPA to enforce both the CCPA and CPRA provisions and imposes stricter penalties for violations involving the personal information of minors.

Timeline of CCPA & CPRA :

CPRA : New for Publishers 

Here are some potential aspects that could be relevant to publishers:

  1. Sensitive Personal Information Category: The CPRA introduces a new category called “sensitive personal information,” which includes data such as Social Security numbers, financial account information, precise geolocation data, racial or ethnic origin, genetic data, and more. Publishers need to handle sensitive personal information with additional care and may need to obtain explicit consent from consumers to process this type of data.
  2. Expanded Opt-Out Rights for Cross-Context Behavioral Advertising: Publishers engaging in cross-context behavioral advertising (targeted advertising based on user behavior across different websites and platforms) are subject to expanded opt-out requirements. The CPRA extends the opt-out right to cover the sharing of personal information for such advertising purposes.
  3. Data Retention Limits and Purpose Limitation: The CPRA emphasizes data minimization and purpose limitation by requiring businesses, including publishers, to limit the retention of personal information to what is necessary for the purposes for which it was collected. This could impact how long publishers retain user data and the justifications for doing so.
  4. Children’s Privacy and Consent: The CPRA enhances privacy protections for minors. For users under the age of 16, publishers may need to obtain opt-in consent for the collection and sale of their personal information. For users under the age of 13, opt-in consent is required from a parent or guardian.
  5. Enforcement and Fines: The CPRA establishes the California Privacy Protection Agency (CPPA) as the enforcement authority for both the CCPA and CPRA. This agency has the authority to enforce penalties for violations. Fines for non-compliance, especially in cases involving the personal information of minors, can be significant.
  6. Right to Correct Inaccurate Personal Information: The CPRA introduces a new right for consumers to correct inaccurate personal information held by businesses. Publishers need to have processes in place to handle such correction requests.
  7. Joint Liability for Data Sharing: If publishers share data with third parties, the CPRA introduces the concept of joint liability. This means that if a third party misuses the data, both the third party and the business that shared the data can be held accountable.
  8. Impact on Service Providers and Contractors: The CPRA clarifies and refines the definitions and relationships between businesses, service providers, and contractors. Publishers need to understand these relationships to ensure proper compliance.
  9. Updated Privacy Policy Requirements: The CPRA introduces new requirements for privacy policies, including the need to disclose retention periods for different categories of personal information.
  10. Data Protection Impact Assessments (DPIAs): The CPRA gives the CPPA the authority to require businesses, including publishers, to conduct and submit DPIAs for certain high-risk data processing activities.

Modifications to CCPA by CPRA:

  1. Opt-out of Cross Context Behavioral Advertising :  The Consumer Data Protection Act (CCPA) contains a provision that permits consumers to prohibit publishers from selling data to third parties. However, given the ambiguity of the term ‘sell’, many publishers engaged in cross-promotion behavioral advertising were excluded from this provision. Due to the fact that behavioral advertising does not necessitate the ‘sale’ of customer data, it has left many consumers and digital advertisers perplexed. However, the Consumer Product Rights Authority (CPRA) has clarified this ambiguity by incorporating the concept of the “sharing” of consumer data into its scope of application. Under the CPRA, the consumer has the right to “opt-out” from the context of behavioral advertising. This will prevent businesses from using their personal data to sell or share for advertising purposes. In addition, according to the CPRA, the definition of Cross-Cultural Behavioral Advertising is as follows: “Cross-cultural behavioral advertising” refers to targeted advertising that uses a consumer’s personal information collected from their online activity across distinct brands of websites, brands of businesses, brands of applications, brands of services, and brands of products other than the targeted business, brand of application, brand of website, or brand of service that the consumer deliberately interacts with.”
  2. Contractual Requirements :  Under the CPRA, businesses must enter into appropriate contracts with their SPSPs and contractors to restrict the storage, use, or disclosure of personal data for any purpose other than the scope of the contract. These contracts will allow businesses to control the consumer data that they share with other parties by monitoring compliance with the terms of their contract. Businesses may conduct a review, automated assessment, and audit at least once per year to make sure the consumer data is not sold or made available by their SPSPs outside of the scope of the agreement. 
  3. Security Audit :  Under the CCPA, publishers are required to take reasonable steps to protect the privacy of consumer data. However, under the CPRA, the requirements are even stricter. Under the new rules in the CPRA, those who collect personally identifiable information (PII) about consumers are required to conduct an annual cyber security audit and provide the CPPA with a risk analysis report. The risk assessment should consider the potential risks and benefits associated with the processing of consumer data. If the benefits outweigh the risks, then the CPPA can restrict or prohibit the processing of such data under the CCPA or the CPRA. 

Penalties for Violations:

If a publisher is non-compliant and is found to be in violation of the CPRA, civil penalties are $2500 to $500 per violation and $750 to $1,000 per violation if the court finds that the violation was intentional. The new CPRA also has a new $7500 penalty for violations (unintentional) of consumer privacy of minors. The law also makes it clear that providers of third-party services will be held accountable for any violations. Since publishers are responsible for protecting consumer data they collect, any violations of the law by third-party providers can also result in penalties for the publisher if they do not have a contractual agreement to protect consumer data. In addition, the CPRA has removed the provision in CCPA that allows a publisher or a business to avoid penalties if it can address and correct the violations within 30 days after being notified. 

Right of Private Action:

The CCPA gives consumers the right to take private action against a business for a breach of consumer’s personal information or sensitive personal information. This means consumers can sue companies for a breach of their personal information. 

However, the CPRA has changed the scope of this right to allow consumers to take private action only in the case of a breach of unencrypted and unredacted data. The CPRA also includes breaches involving ‘email addresses in combination with passwords or security questions and answers that may grant access to an account’, subject to a consumer’s right to a private action. 

In the event of a breach, consumers can seek damages from the court for damages ranging from $100 to $750 per consumer for each incident, or actual damages up to $1 million, whichever is greater, as well as injunctive and declaratory relief, or any other relief deemed appropriate by the court.

Future Beholds:

Currently, the Consumer Data Protection Act (CPRA) is one of the most comprehensive consumer data privacy laws in the country. With several new state regulations set to enter into force in 2023, it’s important for publishers to be well-prepared for the changes to come. With new privacy laws in the works in Colorado and Connecticut, as well as Utah and Virginia, publishers must continue to adhere to best practices to comply with privacy laws. 

Since sharing and storing consumer data is likely to be at the top of the list in most new privacy policies, publishers may want to consider using consent or data management platforms (DMPs) to monitor their data processing operations. 

While the CPRA has improved upon its predecessor, the Consumer Data Privacy Act (CCPA), updating the privacy frameworks is a top priority for publishers to prevent violations, as per the CPRA. Publishers should also make sure their third party service providers (SPPs) and ad tech partners (ADPs) are CPRA-compliant and create contractual agreements in place to protect themselves in the event of a violation.

27 thoughts on “A Publisher’s Handbook : CCPA 2.0 (CPRA)”

  1. magnificent post, very informative. I wonder why the other specialists of this sector don’t notice this. You should continue your writing. I am confident, you’ve a great readers’ base already!

  2. You actually make it appear really easy with your presentation however I find this matter to be really one thing that I believe I might by no means understand. It seems too complex and extremely large for me. I’m looking forward to your subsequent submit, I’ll attempt to get the dangle of it!

  3. Heya i am for the first time here. I found this board and I find It really useful & it helped me out a lot. I hope to give something back and help others like you helped me.

  4. Definitely believe that which you said. Your favorite reason appeared to be on the web the simplest thing to be aware of. I say to you, I certainly get irked while people think about worries that they plainly don’t know about. You managed to hit the nail upon the top and defined out the whole thing without having side effect , people could take a signal. Will probably be back to get more. Thanks

  5. Hello, Neat post. There’s an issue along with your website in internet explorer, would test this?K IE still is the market chief and a good portion of other people will omit your fantastic writing due to this problem.

  6. I loved as much as you’ll receive carried out right here. The sketch is tasteful, your authored subject matter stylish. nonetheless, you command get got an nervousness over that you wish be delivering the following. unwell unquestionably come further formerly again as exactly the same nearly very often inside case you shield this hike.

  7. Hey there! This is my first visit to your blog! We are a team of volunteers and starting a new project in a community in the same niche. Your blog provided us beneficial information to work on. You have done a outstanding job!

  8. I haven’t checked in here for some time since I thought it was getting boring, but the last few posts are great quality so I guess I’ll add you back to my daily bloglist. You deserve it my friend 🙂

  9. You could definitely see your enthusiasm within the work you write. The world hopes for more passionate writers like you who aren’t afraid to mention how they believe. Always follow your heart.

Leave a Comment

Your email address will not be published. Required fields are marked *