Home Privacy The Consumer Privacy Rights Act – CCPA 2.0 – Passes In California

The Consumer Privacy Rights Act – CCPA 2.0 – Passes In California

SHARE:
The Consumer Privacy Rights Act, on the ballot as Proposition 24, has been approved by voters in California, passing with 56.1% of the vote.

🚨🚨 Privacy news 🚨🚨

The Consumer Privacy Rights Act, on the ballot as Proposition 24, has been approved by voters in California, passing with 56.1% of the vote.

Californians for Consumer Privacy, the grassroots organization that helped put CPRA on this year’s ballot, is the same group that inspired the ballot initiative in 2018 that later became the California Consumer Privacy Act (CCPA).

CPRA becomes enforceable on July 1, 2023, with a lookback to January 2022.

New stuff

An easy way to think about CPRA is as CCPA 2.0.

It’s an amendment to the CCPA that both bolsters that law by making it more difficult for regulators to weaken privacy laws in the future, and institutes a handful of new privacy rights for California citizens.

For example, CPRA establishes a new category of “sensitive personal information” that covers everything from race and ethnicity to biometric data and precise geolocation, and it enhances children’s privacy by tripling fines for violations involving the information of kids under 16.

CPRA also adds new requirements for data minimization, places limits on data retention, calls for annual audits and risk assessments for “high-risk processing” and expands the “do not sell” remit within CCPA to “do not sell or share” – which has a direct impact on ad tech companies.

“Between CPRA, the efforts that have been made by major browsers and the recent iOS14 privacy updates to do away with third-party cookies, the ad tech industry will need to evolve,” said Heather Federman, VP of privacy and policy at privacy tech company BigID. “Otherwise, their business models are at risk of becoming obsolete.”

But one of the most significant developments enshrined within the CPRA is the creation of a California Privacy Protection Agency solely focused on defending consumer rights. Historically, that job fell to the California attorney general’s office. The new agency will have a $10 million annual budget and will function in a way not all that different from the data protection authorities in each EU member state, Federman said.

An agency exclusively dedicated to consumer privacy could “up the ante for enterprises who had previously buried their head in the sand,” she said.

So, what should companies be doing now?

For businesses that have been taking a “half-baked approach” to CCPA compliance, CPRA compliance will be tricky, Federman said.

But companies that have spent months getting ready for CCPA “should be heartened to know that they won’t need to tear down their privacy operations and start over,” said Cillian Kieran, CEO and founder of privacy compliance startup Ethyca.

“Rather, the CPRA is about adding nuance and sophistication to the basic privacy systems businesses have already started to put in place,” Kieran said.

The de facto standard

But with CPRA’s passage comes, again, the perennial question of what might happen with federal privacy legislation down the line.

It’s premature to say, but if a federal privacy law doesn’t include the preemption clause favored by Republicans, then California could become a blueprint for other state-based privacy laws and set a floor – rather than act as the ceiling – for privacy protections writ large.

By the same token, most businesses are likely to become compliant with CPRA across the country out of necessity, making it the de facto standard regardless of what happens at the federal level.

“I believe this does become the de facto standard,” said Jay Friedman, president of Goodway Group. “With CPRA looking more like GDPR than CCPA did, the standard is potentially being created without the federal government needing to add or change much.”

Tagged in:

Must Read

Why Media Mergers And Spin-Offs Don’t Always Keep Their Promises

With media megamergers, acquisitions and spin-offs left and right, the media landscape is changing at a pace that is difficult to keep up with.

TransUnion is partnering with Blockgraph so that advertisers can use its identity data to target, reach and measure TV households across channels.

How This Disaster Relief Nonprofit Tapped First-Party Data To Reach Donors Year-Round

Staying top of mind for potential donors is an ongoing challenge for Direct Relief. Nexxen’s audience curation helped it spread and sustain awareness.

Why Major UK Publishers Are Finally Joining Forces To Curate Ad Inventory

Atria’s collective approach is a response to growing monetization challenges and the need to protect the value of human journalism in the AI era.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Toronto Canada pride parade includes a crowd waving pride flags

Ad Performance And Politics Steered Brand Dollars Away From LGBTQ+ Communities – But The Pendulum Will Swing Back

The current administration has discouraged many marketers and organizations from showing support for the LGBTQ+ community, including during Pride month.

How AI Can Enhance Content Without Generating It

As much as consumers complain about AI-generated content, advertising experts say AI still has an important place in video creation and production, including for ads. But using AI in content without turning off consumers is a tricky dance.

How Tovala Banks On Subscriptions And Incrementality – But Not Ads – To Profit From Its Oven

Smart TVs, refrigerators and other home appliances may pester you with marketing, but at least the hardware is cheap. Another startup taking a different approach to the same theory is Tovala, which was founded in 2015 and combines a standalone countertop oven with a weekly meal kit subscription.