CPRA: What All Advertisers Must Do to Comply | Industry Insights | All MKC Content | ANA

CPRA: What All Advertisers Must Do to Comply


The California Privacy Rights Act (also called CPRA or Proposition 24) amended and added new privacy protections to the California Consumer Privacy Act (CCPA) that advertisers must comply with.

When do advertisers have to be in compliance?
Now. Enforcement of the law is underway and there is no longer a 30-day right-to-cure period. On February 9, 2024, the California Appeals Court issued a 3-0 opinion, making the CPRA regulations finalized in March 2023 immediately enforceable; on February 21, the CA AG announced its second enforcement settlement, this time with DoorDash.

If you're not in compliance yet, you'll need to get a solution in place as soon as possible.

What's the difference between CPRA and CCPA?
CPRA amended the California Consumer Privacy Act (CCPA), created the California Privacy Protection Agency ("the Agency"), transferred the power to issue regulations from the California Attorney General (AG) to the Agency, and increased enforcement capacity by giving the Agency enforcement authority alongside the AG's continued enforcement power.

It is important to note that the CPRA expanded the scope of the law from "selling" personal information to also cover "sharing" it, which brings advertising data flows within the law.

What are the CPRA Regulations?
CPRA regulations (sometimes called the "CPPA regulations" since the Agency issued them) set out the specifics of how to comply with the CCPA.

What new privacy rights do consumers have?

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

What do advertisers have to do to comply?
Advertisers now must respond to consumer requests about those new additional rights and ensure that consumers are given an updated Privacy Policy or Notice about their privacy practices. The law and regulations lay out specific elements that must be included in any Privacy Policy or Notice.

Now, in addition to having contracts containing certain required terms with the companies you share data with, companies also have an obligation to conduct due diligence on those business partners and on their compliance with the data-use limitation terms required by the amended CCPA. The legislation applies to service providers, contractors and third-party vendors, including data brokers, and advertisers must ensure that all third-party vendors they share data with are compliant, too. You cannot properly assess or mitigate your risk without conducting due diligence on every vendor to whom you disclose personal information.

A privacy policy alone is not enough, and a data clean room may still leave you at risk if your vendors are not compliant.

If you're not in compliance, what should you do now?

  • Avoid "we can do this in Excel" approaches. It will require time for you to do the legal research on all the obligations under the multiple privacy laws in effect, consult with specialists, and produce your own gap analysis. Every day that you're not in compliance adds to your risk.
  • Look for solutions that standardize diligence for interoperability. An effective solution should have three components: a) it should ask the right business and technical questions for each digital advertising use case and vendor type; b) it should use comprehensive assessments built on state laws and regulations; and c) it should have an automated vendor compliance hub, so that companies can complete the relevant diligence questions and state law assessments once and share them multiple times securely on the platform as they engage with vendors.
  • Look for a complete solution built to address every key aspect of U.S. privacy laws and the GDPR and with updates to address new privacy legislation as it emerges.
  • Ideally, the solution should produce comprehensive, independent assessments and provide a gap analysis. It should also have built-in workflow management and allow for collaboration, as well as vendor management (TPRM) tools.
  • Make sure that the solution can work with other privacy tools and services you may already have in place, including Data Mapping, Consent Management, Privacy Rights Management (DSARs), Data Redaction, Incident Management, Certification Auditing, and Legal Consulting and Services.
  • The IAB's Diligence Platform, powered by SafeGuard Privacy, contains CCPA/CPRA law and regulations assessments that address the California requirements as well as IAB's industry-specific compliance questions. This enables you to swiftly conduct your own gap analysis, provides a collaborative workflow to address any gaps, and lets you ask your vendors to go through the same process to demonstrate their compliance, helping you meet due diligence requirements.

What if there's not a line item for this in my budget?

  • There probably won't be. But we recommend you don't take no for an answer. Compliance with CPRA isn't optional. If you have an in-house legal department, send them this link to the law and see if they have a budget, or ask them to help make the case to management. You can always make the case to management yourself.

The views and opinions expressed are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.
Richy Glassberg is co-founder and CEO at SafeGuard Privacy.