The California Privacy Rights Act (CPRA): Are You Ready for CCPA 2.0?

By Dionysia Kontotasiou · November 30, 2020

In May 2020, the privacy advocacy group Californians for Consumer Privacy announced they had collected 900,000 signatures to add the California Privacy Rights Act (also known as CPRA, CCPA 2.0, Proposition 24 or Prop 24) to the November 2020 ballot.

On November 3rd, 56% of Californians voted in favor of the CPRA in the General Election. The act is meant to revise and succeed the California Consumer Privacy Act (CCPA), once it goes into effect on January 1, 2023.


In short, the law expands user privacy rights to align with the GDPR, imposes additional duties on businesses, and establishes the first government authority dedicated to privacy implementation and enforcement in the US, the California Privacy Protection Agency (CPPA).

The CCPA has already had a significant impact outside California, becoming the standard for data privacy throughout the US. That is why this bill needs to be watched closely — it could impact businesses even if they’re not based in California. Below we have outlined the key points marketers need to know to start preparing for the new compliance requirements.

A New Privacy Enforcement Agency

When the General Data Protection Regulation (GDPR) came into effect, the EU appointed the Data Protection Authority to enforce the laws. The US has no comparable authority to enforce the new consumer privacy rights.

This is where the California Privacy Protection Agency (the CPPA) comes in. Its role is to clarify the new guidelines, apply fines, and hold hearings about privacy violations.

New Consumer Rights and PII Concepts

The CPRA introduces new concepts (that already exist in the EU thanks to the GDPR) to the data privacy landscape in California.

Here are some of them, explained:

  • Right to rectification – Granting consumers the right to correct inaccurate personal information.
  • Right to restriction – Granting consumers the right to limit the use and disclosure of sensitive personal information.
  • “Sensitive” personally identifiable information – Under the new law, certain types of information, such as Social Security Numbers, passport numbers, precise geographic location, biometric information, etc., will be marked as “sensitive”.

What’s Changed?

CCPA 2020

  • Right to Know
  • Right to Delete
  • Right to Opt-Out of Third-Party Sales
  • Right to Nondiscrimination

Implicitly includes sensitive PI in a broader regulated dataset, but does not impose separate requirements and prohibitions for sensitive PI (other than increased verification requirements).

CPRA 2023

  • Right to Know
  • Right to Delete
  • Right to Opt-Out of Third-Party Sales and Sharing
  • Right to Limit Use and Disclosure of Sensitive PI
  • Right to Correction
  • Right to Access Information About Automated Decision Making
  • Right to Opt-Out of Automated Decision Making Technology
  • Right to Restrict Sensitive PI
  • Audit Obligations
  • Right to Nondiscrimination

Imposes separate requirements and restrictions on sensitive PI:

  • Disclosure requirements
  • Opt-out requirements for use and disclosure
  • Opt-in consent standard for use and disclosure
  • Purpose limitation requirements

New Definition of Personal Information Sale

The CPRA will define what companies may do with the personal information they collect from California residents in a new way. Under the CCPA, a sale was defined as “exchanging data for some type of financial consideration”, a definition deemed too vague by many. The CPRA settles this issue by splitting sharing and selling people’s personal information into two different categories.

What’s Changed?

CCPA 2020

  • Has $25+ million in annual revenue;
  • buys or sells, OR receives or shares for business’s commercial purpose, PI of 50,000+ consumers, households or devices; or
  • derives at least 50% of annual revenue from selling consumer PI.

CPRA 2023

  • Has $25+ million in annual revenue;
  • buys, sells, or shares PI of 100,000+ consumers or households; or
  • derives at least 50% of annual revenue from selling or sharing consumer PI.

More Rights for Children Under 16

  • Increased administrative fines for unlawfully sharing children’s personal information: Any violations involving the personal information of children under 16 years old are subject to a $7,500 fine per violation. Under the current act, this penalty was reserved only for intentional violations. The $2,500 maximum fine for all other non-intentional acts involving persons 16+ years old remains the same.
  • Opt-in consent requirements for sharing personal information of children under 16: Under the CPRA, consumers can not only opt out of the sale of their PI, but also of sharing it with third parties specifically. Similarly, the CPRA addresses the need for businesses to collect affirmative opt-in consent to either share or sell the PI of children under 16. The CPRA also asks for new rulemaking to “establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.”

What’s New for Contractors? Contractual Obligations for Service Providers

The CPRA introduces the term “contractors” to describe those to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract (similar to the CCPA’s “service providers”, where it referred to persons who process personal information “on behalf of” a business).

While the CCPA was ambiguous in its definitions of service providers and sub-service providers, the CPRA establishes the new rules very clearly. Any contractor or service provider is bound by written contract to be transparent about any collaborations with other subprocessors. Service providers may not add or hold any other consumer data, giving businesses the right to “take reasonable and appropriate steps” to ensure personal information is not obtained or used unethically.

What Marketers Need to Know About the CPRA

Come 2023, marketers need to pay closer attention to the data they collect and use to reach consumers, whether it’s first-party or third-party data, such as audience building and targeting information used by advertisers. Any data collection, whether direct or through other service providers or contractors, will require explicit consumer consent. Any subsequent use, sharing, or selling of personal information also needs to be disclosed.

Here’s what marketers need to do to get ready for the CPRA:

1. Prioritize Transparency in Your Company

The CPRA makes it clear that businesses need to be transparent about the data they collect. If you’re already paying attention to how you collect data, where you store it, how long you keep it, and how you manage it throughout the entire lifecycle, now is the time to share all these measures with your users. In the same vein, under the CPRA, businesses will be limited in how they use consent structures to push users towards certain actions. If this is something your marketing department does, start analyzing how you collect consent to avoid any dark patterns and implicit consent.

2. Review Cookies and Update Policies

Similar to the GDPR, the CPRA limits certain data-sharing functions that include the use of cookies. Start inventorying the cookies that exist on your website and update your policies to make sure they’re in line with the latest regulations. Make sure you update your verbiage to include all the new clauses of the CPRA — are you collecting any “sensitive” PI? How can users opt out of automated decision-making technology? Make sure these considerations are clear to consumers.

3. Review All Contracts with Partners (Including Publishers)

As a CPRA-bound business, you must ensure your partners provide the same level of compliance to privacy laws as you do. Thoroughly review all your contracts (involve legal if necessary) to ensure all user data is obtained through explicit consent and managed ethically.

The CPRA limits data selling practices, especially when it comes to audience and behavioral targeting. Make sure you examine your partnerships with publishers and favor those that use first-party data pools and have obtained the data abiding by these privacy regulations.

4. Work with a Privacy Expert

Whether you hire someone or work with an external consultant or agency, you need a specialist to help you stay abreast of the latest regulations. The CPRA probably isn’t the last data privacy law that will impact your business. In fact, the law is setting new standards that will likely be adopted nationwide in the future.

Are You Ready?

Now that the bill passed, businesses need to become familiar with the new compliance requirements. The law goes into effect on January 1, 2023 and becomes enforceable on July 1, 2023, but it could already apply to the personal information collected by companies as early as January 1, 2022.

Such long notice to adjust to the new privacy regulations might sound excessive, but things can get complicated fast at larger organizations, especially if you work with a lot of partners. That’s why we recommend getting started right away.

Have any questions? Convert’s the most privacy compliant A/B testing tool on the market. Our experts know all the ins and outs of privacy regulations and what it takes to be fully compliant — send us your questions here.

Originally published November 30, 2020 - Updated November 10, 2022
Written by Dionysia Kontotasiou, Convert's Head of Integration and Privacy, helping customers with technical queries.
Edited by Carmen Apostu, Head of Content at Convert.
