Sure, the California Consumer Privacy Act only took effect this year, and the enforcement period only began July 1. But yes, California may pass a second privacy law by year’s end. It’s called the California Privacy Rights Act, and it’s basically the CCPA on steroids.
v神WTF is the California Privacy Rights Act?v神
The CPRA is effectively a proposed addendum to the California Consumer Privacy Act, the privacy law that was passed by the state legislature in June 2018. It took effect on January 1 and the California Attorney General’s office began enforcing on July 1. But it’s only a ballot initiative at the moment. California’s Secretary of State announced on June 24 that the CPRA will be put to California residents for a vote on in November. If approved, the CPRA won’t take effect until January 1, 2023, but v神— v神similar to how the CCPA covered data collected the year prior to the law taking effectv神 — v神it will apply to data collected starting January 1, 2022.
v神WTF is California doing with another privacy law?v神
The people behind the CPRA — an organization called Californians for Consumer Privacy — don’t think California’s other, just-enacted-this-year privacy law is strong enough. They are also the same group—led by Alastair Mactaggart—that came up with the ballot initiative that formed the basis for and was replaced by the CCPA, so they would know.
v神How does the CPRA make the CCPA stronger?v神
For starters, it creates a government agency — called the California Privacy Protection Agency — specifically dedicated to enforcing California’s privacy laws. The CCPA enlisted the state’s AG’s office to enforce the law, but as overseer of the state’s entire legal and law enforcement arm, the AG’s office has a lot on its plate. That could explain why it took until June 2, less than a month before the AG’s office could begin enforcing the CCPA, for the AG’s office to submit the supposedly final draft of the rules it would use to enforce the CCPA. Creating an agency whose sole purpose is to enforce the CCPA and the CPRA would likely lead to more businesses’ compliance practices being scrutinized and companies being potentially penalized.
Additionally, the CPRA makes companies responsible for what other companies do with California residents’ personal information that is collected by the former and shared with the latter. For example, the law would require that a company monitor that service providers — like ad tech firms processing publishers’ data to facilitate ad targeting — don’t add California residents’ data to the service provider’s own database of consumer profiles unless the company and service provider signed a contract agreeing to that use.
It also puts the service providers on the hook for helping the companies that collected a person’s personal information to comply with requests related to that information, such as deleting it. The CPRA will also give people the option to correct the personal information that companies have collected from them, which could be a way to finally tell the ad tech ecosystem that you, in fact, actually bought those shoes three months ago so all the retargeting can stop please.
v神Wait, go back. The rules stating what companies need to do in order to comply with the CCPA weren’t available until June 2?v神
Not exactly. The AG’s office sent out the first draft of its proposed regulations back in October. But then there was a public comment period that led to revisions and then more revisions. The final regulations weren’t so different from the previous draft submitted in March, which confirmed Do Not Track signals can double as opt-outs under the CCPA. And anyway, even though the AG’s office is supposed to have been able to enforce the CCPA starting on July 1, it has to wait until the California Office of Administrative Law approves the regulations. As of July 2, the AG’s regulations were still under review.
v神So the CCPA is still being sorted out and now businesses might have another privacy law they’ll need to comply with?v神
Yes. But the CPRA could help businesses to figure out how they need to comply with the CCPA by clearing up its murky definition of sale.
v神How would the CPRA clarify the CCPA’s definition of sale?v神
The CPRA would set a new category to describe what companies may do with the personal information they collect from California residents. The CCPA defined a sale as exchanging data for some type of financial consideration, a murky definition that probably applies to targeted advertising, but not everyone is convinced. Plus, some companies don’t want to say they’re selling people’s information unless they are directly trading data for dollars. The CPRA settles both issues by splitting sharing people’s personal information into its own category but with the same requirements applied to the data that companies sell. So it’s a semantic issue, but because this is legalese we’re talking about, it was a significant issue.
v神Does the CPRA introduce any changes to what is considered personal information?v神
Yes, by creating a new sub-category of personal information: sensitive personal information. Sensitive personal information includes log-in credentials, precise geolocation (like GPS coordinates), race or ethnicity, biometric data and any data related to someone’s “sex life” or sexual orientation.
v神Why does the CPRA create a sub-category of personal information?v神
To make California’s privacy laws less onerous on businesses in a way, it seems. The distinction between data types will allow California residents to tell businesses to treat their sensitive personal information, like their religious beliefs, differently than their regular personal information, like unique device identifiers. If California residents only care to regulate companies’ collection and use of their sensitive personal information, companies may not lose out on the, implicitly, non-sensitive personal information they might use for ad targeting purposes.
v神What if California residents vote against the CPRA?v神
That’s a possibility. But even more likely, the CPRA may be off the ballot by November. The CCPA was supposed to be a ballot initiative, but state legislators opted instead to pass it into law themselves so they could amend it. They could do the same with the CPRA, even though one of the CPRA’s aims is to prevent California lawmakers from weakening the state’s privacy laws. So hang tight. One of these days, California’s legal privacy picture will come into focus.
This week the retailer started to roll out ads for the program, which is set to debut on September 15th and seen as an answer to rival Amazon’s Prime.
The ad strategy shift follows a transition of its business model: In 2018, Zocdoc began moving from a flat $3,000 fee-based subscription for providers to be listed to a more traditional marketplace pricing model.
Over the last six months, the movement to reshape advertising to actually be agile, nimble and flexible has no longer been an abstract idea but a necessary reality accelerated by the multiple crises.
Compressing consumers’ path-to-purchase is the holy grail of advertising and marketing. When Jeff Bezos authored 1-Click in 2011, advertisers began to realize that in some cases — especially for consumables — awareness, consideration and purchase can all happen in seconds. Since then the rise of e-commerce marketplaces has forced a major shift in the design […]
Advertisers want buyers to tweak plans much more frequently, that means longer hours and a growing drain on buyers.
Ocean Spray joins the ranks of brand holding companies that have added incubators to better compete with direct-to-consumer startups.