California already had the strictest consumer data privacy laws in the country. Now, Proposition 24 builds on the foundation of the California Consumer Privacy Act (CCPA). The original law provided consumers more control over how their personal data is collected, accessed, and sold. The new law clears up murkiness that gathered around “sensitive” areas including race, health, religion, biometric information, and precise location.
Interestingly, Prop 24 still requires Californians to “opt-out” of data collection by reviewing all apps and websites they use to personalize data preferences individually rather than managing consent universally. The new law does add regulatory teeth missing from the CCPA by establishing a new state fund for enforcement.
Here’s what publishers need to know:
“Do Not Sell My Data” Expands to “Do Not Share My Data”
A big criticism of the CCPA was its definition of a “sale” of personal information and whether or not that could be applied to digital advertising, where companies generally say they “share” data along the supply chain. CPRA clears the waters by more explicitly establishing consumers’ right to opt out of the “sharing” of their data. As a result, publishers need to “prominently and conspicuously” display a “Do Not Sell or Share My Personal Information” link on their homepages.
Service Providers vs Contractors
The CCPA previously provided a “service provider” classification under which a company could process PII collected by another company without that being considered a sale of data. The new law explicitly recognizes “cross-context behavioral advertising,” where being a downstream service provider is no longer an exemption.
Sensitive personal information
The CPRA more clearly describes what is defined as “sensitive personal information,” including social security numbers, credit card numbers, and sexual orientation, in addition to “a consumer’s precise geolocation.”
Stricter Enforcement
CPRA creates an agency called the California Privacy Protection Agency dedicated to enforcing the new privacy law. The agency has the power to fine businesses $2,500 for each violation of the CPRA or $7,500 for what it deems “intentional violations” or those that involve minors.
A Foundation for Federal Law
Experts see CPRA as a blueprint for other states’ privacy laws or future federal privacy law.
Opt-in vs Opt-Out
A major difference between California and the EU is that CPRA is opt-out, while GDPR requires opt-in consent. Privacy experts predict the new law will eventually evolve as 95% of European consumers are willing to provide their consent.
Read more in Digiday