Opt out signals: A business is not required to post an opt out link if it allows consumers to communicate their Do Not Sell/Do Not Share preferences through signals or preferences that are set “with the consumer’s consent by a platform, technology or mechanism based on technical specifications set forth in regulations.”.These provisions resolve some of the uncertainty regarding how the CCPA applies to the online advertising industry but open questions remain, such as whether the advertising opt out must be delivered by publishers or ad technology companies. Cross-context behavioral advertising is explicitly excluded as a “business purpose” that can be performed by a service provider.
The CPRA defines the new term “cross-context behavioral advertising” as advertising targeting a consumer based on personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, except for consumer’s activity across the entity with which the consumer intentionally interacts. Significantly, a consumer may opt out of a business’s sharing of personal information for cross-context behavioral advertising purposes even where no money is exchanged between the business and the third party. Advertising opt out: While the CCPA grants consumers the right to opt out of the sale of their personal information, the CPRA takes this one step further by providing consumers with the right to opt out of the sharing of their personal information for cross-context behavioral advertising purposes.This modification will result in some smaller businesses no longer being subject to the CCPA. A covered business will include an entity that processes the personal information of 100,000 or more consumers or households per year (up from 50,000). Definition of a “business”: The CPRA amends one of three thresholds that must be satisfied as part of the CCPA’s definition of a “business” subject to the law.The CPRA adds numerous provisions that strengthen consumer privacy protections, but also includes some modifications that should be well-received by businesses. Following the enactment of the CCPA, Californians for Consumer Privacy drafted a new ballot measure, Proposition 24, to address perceived deficiencies in the privacy law and to further align California privacy protections with those available under the European Union’s General Data Protection Regulation (GDPR).
The CPRA was a ballot measure created by Californians for Consumer Privacy, which is the same nonprofit group led by businessman Alastair Mactaggart that proposed a similar ballot initiative in 2018 that ultimately led to the California state Legislature’s passage of the CCPA in 2019. Under the current CCPA, consumers have the right to know what personal information businesses collect about them, the right to delete that personal information, and the right to opt out of the sale of their personal information. The CPRA refines and expands the scope of the CCPA, California’s landmark privacy law.
This article summarizes a few notable aspects of the CPRA and highlights practical steps that businesses should take to ensure compliance. The CPRA becomes effective on January 1, 2023, with enforcement commencing on July 1, 2023. The CPRA expands provisions of the California Consumer Privacy Act (CCPA), creates new consumer privacy rights, establishes the California Privacy Protection Agency as California’s privacy regulator, and removes the ability of businesses to fix violations before being penalized for violations. A majority of California voters approved the California Privacy Rights Act of 2020 (CPRA) on November 3.
0 kommentar(er)
