Superseding the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) becomes operative January 1, 2023. Among the biggest changes is the expansion of consumer rights to include businesses that share personal information.
“Share” is an important distinction. With the CCPA, only companies that sold customer data were on the hook to provide certain disclosures and rights to consumers.
With the implementation of the CPRA, certain businesses that buy, sell, or share personal information must comply with the law, provided they meet certain requirements. Namely:
- The business had annual gross revenue in excess of $25M in the preceding calendar year;
- Alone or in combination, buys, sells, or shares the personal information of 100,000 or more California consumers or households annually; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
The CPRA also adds two additional categories to the definition of a “business.” The first includes joint ventures or business partnerships in which each business has at least a 40% interest, while the second includes individuals that would otherwise not be considered a business, but voluntarily agree to follow and be bound by the CPRA.
CCPA’s sell definition created confusion
Before the adoption of the CPRA, companies that didn’t sell customer data were not bound by the law. However, the CCPA broadly defined the term “sell” to include any arrangement involving an exchange of value “between the business and a third party or another company for consumers’ personal information. ”
Within the context of the CCPA, a “sale” was defined as:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information for monetary or other valuable consideration.
The broad scope created a gap that didn’t cover companies transferring personal data between two entities without selling it in the classic sense of the word.
Nevertheless, the CCPA definition was written this way to limit bad actors from circumventing the right to opt-out. Further, many individuals don't understand that marketing intelligence and social media platforms are constantly sharing consumer browsing habits and analytics with businesses.
The CCPA imposed strict requirements on the "sale" of personal information (e.g., "Do Not Sell My Personal Information" button on homepages). The CPRA takes it a step further by including the sharing of personal data.
How does CPRA define sharing?
The CPRA defines “sharing” as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business.” This definition is comparable to the CCPA’s original definition for the term “selling.”
However, the CPRA goes a step further. It covers sharing data with “a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” (Emphasis is our own).
Thus, the CPRA not only broadens its definition to include data sharing, it also explicitly calls out sharing data for the purposes of targeted advertising. Under the CCPA, many businesses continued to share data for targeted advertising since it appeared to fall outside of the definition of “selling” data.
Under the CCPA, many websites asked consumers for opt-in consent to the use of behavioral advertising cookies through cookie banners. The CCPA does not consider it to be “selling” data when “a consumer uses or directs the business to intentionally disclose personal information … with a third party.” As a result, businesses were able to track their users’ behavior and transfer that data to behavioral advertising networks after obtaining opt-in consent.
But since it wasn’t fully clear whether sharing data with advertising networks was covered by the CCPA or not, many other businesses simply used behavioral advertising cookies without asking for consent.
As a result, some businesses were tracking user data in violation of the spirit, if not the letter of the law, while others were asking for opt-in consent when it may not have been necessary.
The CPRA removes ambiguity from the definition by mandating that consumers have a right to be informed and opt out of the sale or sharing of their personal information. That includes sharing data with advertising networks and clarifies that businesses need to provide opt-out consent (i.e., by providing a link that prohibits the sale and share of consumers’ personal information).
Do not sell or share: The right to opt-out
Under the CCPA, consumers had the right to opt-out of the sale of their data. In fact, the CCPA’s first enforcement action was based on a violation of this right. Popular makeup brand Sephora was made to pay a $1.2 million settlement when it failed to inform consumers about the sale of their data and to follow through when consumers withdrew their consent using a global opt-out mechanism.
This enforcement action was based solely on CCPA’s prohibition against selling consumer data when they opt out. Now, consumers also have the right to opt-out of the sharing of their data and businesses must provide notice to consumers of this right.
Additionally, businesses are expressly prohibited from selling or sharing information of personal information of consumers less than 16 years old unless the consumer (or parent or guardian for those ages 13-16) has authorized the sale or sharing of information.
Further, they must provide a link on the home page of their website titled “Do Not Sell or Share My Personal Information” and a link titled “Limit the Use of My Sensitive Personal Information.” These links need to allow the consumer to opt-out of the sharing or sale of their data and to limit the use of sensitive data to only what is necessary for the website to function, respectively.
CPRA penalties are steeper than their predecessor
The rate at which consumer privacy laws are developing and being updated is unprecedented. Staying compliant is critical, as repercussions are steep.
Per the CPRA, violations in selling or sharing personal information could cost businesses up to $7,500 per incident. The new mandates also have a $2,500 maximum penalty for accidental privacy violations for Californians over the age of 16. Additionally, the CCPA provided a remedy period, which the CPRA eliminates.
Stay compliant with the CPRA sharing mandate
If you haven’t given any thought to how you’ll handle the new mandates, or if you thought you had time to prepare, now is the time. Being proactive will save you from having to play catch-up when the changes in the law become operational.
To support you in that journey, we’ve put together a short guide laying out the major requirements of the CPRA and how we can help you become compliant. You can access a free copy of “CPRA compliance: How Osano can help” here.