The California Consumer Privacy Act of 2018 (CCPA) has been enforceable for less than a week and California is already gearing up to pass a second and more stringent privacy law by year’s end. The California Privacy Rights Act (CPRA) is set to hit the November 3, 2020 ballot and if California voters approve the initiative, the CPRA would significantly expand the rights of Californians under the CCPA. Although the CPRA wouldn’t go into effect until January 1, 2023, the provisions (with limited exceptions) would begin to apply to data collected starting on January 1, 2022. If passed, the CPRA would also create a new government agency called the California Privacy Protection Agency, which would be solely dedicated to the enforcement of California privacy law. The creation of a privacy-dedicated resource with rulemaking and audit authority (in addition to enforcement and penalties) will undoubtedly subject covered businesses to additional scrutiny and potentially penalties.
“Sale” and opt-out requirements now applied directly to the AdTech industry
The proposed text of the CPRA may prove to be particularly burdensome for covered businesses engaging in online marketing and advertising and their AdTech vendors. Although the CCPA’s existing definition of a “sale” likely already covered many data sharing activities that are common practice in the AdTech industry (e.g., personal information being passed along in the programmatic supply chain or an advertiser’s use of publisher-collected personal information to target across other websites), many AdTech vendors held out hope that it would not be interpreted that broadly. The CPRA clears up any lingering confusion by adding a definition of data “sharing” with an opt-out requirement that mirrors the CCPA’s “sale” provision. The CPRA’s newly defined term specifically includes the provision or transfer of data to a third party for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration”. If passed, impacted businesses will now have to offer consumers the right to opt out of any third-party AdTech cookie collection occurring on their digital properties.
In addition to the ability to opt out of data sharing, the CPRA also introduces the right to correct or rectify personal information. Since personal information is already defined broadly to include the inferences a company draws about an individual, this right may now give consumers (and subsequently advertisers) the opportunity to make their targeted advertising more relevant. Since targeted media frequently involves segmenting individuals based upon information like shopping or purchase history, there is still some level of guesswork involved to determine what ads would be relevant. Under the CPRA, consumers could potentially obtain information through their existing access right on any inferences drawn about them by a business and would then have the opportunity to correct them. These consumer requests may benefit advertisers by making their data smarter, assuming consumers don’t also exercise their right to opt out of this type of data sharing.
Increased obligations and accountability for AdTech “service providers” and “third parties”
The CPRA also imposes additional restrictions on those AdTech vendors processing personal data on behalf of publishers to serve targeted ads, even where they fall within the service provider construct created by the CCPA. The CPRA clarifies that service providers performing these types of activities may not add any personal data collected to their own database of consumer profiles, subject to limited exceptions. The CPRA also gives the businesses that engage service providers the right to “take reasonable and appropriate steps” to ensure that personal information is not used for these unauthorized purposes. As a result, AdTech vendors may start to see stronger contractual provisions involving audit rights, as well as increased supplier due diligence.
Similar to how the General Data Protection Regulation (GDPR) made data processors accountable for their own compliance obligations, the CPRA would make service providers directly liable for compliance with certain provisions and require them to assist in the execution of existing data subject rights like deletion as well as a newly introduced right of correction or rectification. As many GDPR-covered businesses or “data controllers” saw with the implementation of direct data processor liability, vendors may look to offset some of the costs and additional risk associated with this direct liability by raising their fees and rates.
In addition to increased regulation of the business-to-service-provider relationship, the CPRA now requires written agreements between businesses and third parties. For example, where a covered business discloses or “sells” personal data to a third party in compliance with its sale and opt-out obligations, it must now enter into a written agreement. Adding an obligation to contract with these third parties significantly increases the scope and flow-down of CPRA-related obligations on business transactions.
Enhanced consumer rights around “sensitive” personal data
The CPRA would create a new sub-set of personal information: sensitive personal information. Sensitive information is broadly defined, and includes an individual’s race, religion, ethnicity, GPS or precise location information, certain biometric, genetic, health, and financial information, information from private messages (e.g., email and SMS), and any information relating to an individual’s sexual orientation or sex life. Although honoring these new consumer rights may prove administratively burdensome and difficult to operationalize, it’s possible that by allowing individuals to restrict the use of only their “sensitive” personal data, businesses may not lose out on the non-sensitive data typically used for targeted advertising and marketing, where they previously would have been left with nothing. If this provision passes without modification, organizations will be forced to take a hard look at the specific pieces of personal data they process to determine whether they would be considered “sensitive” as well as how they process and share that information.
Michael Best will continue to monitor and provide updates on the progress of the CPRA. For additional information on the CPRA as well as assistance complying with existing privacy law, please contact a member of our Privacy & Cybersecurity team.