The California Attorney General has recently introduced the California Privacy Rights Act (CPRA) against the backdrop of publishers still reeling from the effects of CCPA. The ballot initiative is set to take place in November 2020.
Let’s put things into perspective with some context.
The California Consumer Privacy Act (CCPA) was passed in June 2018 and the law went into effect in January 2020.
CCPA was brought into action for providing website users control over sharing and distribution of their personal information.
Because user data is heavily used for targeted advertising, the enforcement of CCPA has made life difficult for all parties included.
CPRA is basically meant to amend the existing CCPA. If the law is passed, companies will have to deal with new security and privacy laws. The new requirements are set to be in effect from 1st January 2023, as of now.
The act is applicable to residents of California only, but will affect all businesses that are dealing with consumers residing in California.
A number of changes have been made to the existing CCPA through CPRA, with most of them dealing with clarifications. To give publishers an idea what they will have to deal with in case CPRA is passed, we have compiled a list of some important changes.
Revised Definition of ‘Sharing’ in CPRA
Under the new law, the disclosure of user information to a third-party for cross-context behavioral advertising is referred to as ‘sharing’. With CCPA, companies that generated revenue by selling personal information were affected the most. However, CPRA will also include those parties who generate 50% of their revenue, annually, from sharing personal user information.
CPRA’s Definition of Sensitive Personal Information
The introduction of this category allows users to limit the sharing of sensitive personal information, including financial account information, government identifications, ethnicity, race, religious beliefs, and precise geolocation.
Users will get more control over what kind of information is being shared online. Collection of data will be done only for the service that is being directly provided.
Also important to note is that users will get opt-in and opt-out options for the disclosure of any kind of sensitive personal information.
In case, a company needs to use some data for a different purpose, the user will need to consent again. This concept will affect all publishers who generate revenue by sharing sensitive user information.
Introduction of New Privacy Rights
Users are now provided with the option of correcting any inaccurate personal information that is stored with any party. Other than providing the right to request corrections, businesses are further obligated to implement the requested corrections.
CPRA also provides consumers with the right to opt-out of automated decision making technology and the right to access information regarding automated decision making. In case, a publisher is making use of automated decision making technology, they will have to provide the consumer with information regarding the logic that is being used. The users further have to be informed regarding the outcome produced by the automated decision making technology.
Expanded Rights in CPRA
If a user has requested for deletion of personal information, the business is needed to notify third-parties. Furthermore, CPRA will provide consumers with the right to opt-out right now, which prohibits the sharing of personal information for cross-context behavioral advertising.
CPRA has also strengthened rights related to data collection for minors. In case a minor (under the age of 16, has declined to share personal information, businesses will need to wait for 12 months before asking for consent again. Moreover, the concerned party can be required to pay a fine of $7500, in case of mishandling the data of a minor.
Risk Assessments and Security Audits
Under CPRA, companies dealing with personal information will need to perform yearly cyber security audits, in addition to a risk assessment. This rule majorly applies to businesses whose data processing poses risk to the security and privacy of consumers. Through the assessment, the CPPA will weigh benefits and risks that are originating from the processing of data processing. The processing of consumer data will be prohibited, or at best restricted, in case risks are outweighing benefits.
What Publishers Can Do about CPRA
Even though the law is not yet passed, it is better for publishers to stay ahead of the curve.
- Keeping up with CCPA: At the present time, the best publishers can do is to comply with CCPA regulations, since it is the law that is currently in effect. This will also make sure that publishers are well prepared for CRPA compliance.
- Data Practices: Keep up with data processing practices and privacy practices that are currently in effect. Publishers need to consistently conduct projects such as gap assessment and data mapping. CRPA is just another reason to effectively measure a business’s progress after CCPA and EU’s General Data Protection Regulation. Such projects may take longer than intended, which is why publishers can and should ideally start early.
- Practicing transparency and data minimization: It is clear that with time, laws will likely get more stringent. More and more attention is being paid to data privacy for users at the present time, since risk factors have surged substantially. In such a scenario, it is a good option for publishers to implement strategies including data minimization for mitigating security risks. The more the transparent operations are, the better it is for publishers in the long run to conduct operations.
With data breaches becoming a serious issue, more and more privacy measures are likely to be implemented in the future. CRPA is just another such measure.
When the law is passed, publishers will need to pay strict attention to the kind of data that is being collected and shared with all the parties involved.
Right now, publishers should try and understand all the additions that have been made to CCPA. It will be further helpful to edit privacy policies according to the parameters that have been introduced or expanded in the CPRA law.