



The California Public Records Act (CPRA) has rules about cross-context behavioral advertising that you must follow to avoid trouble with the California Privacy Protection Agency (CPPA).
However, the law could be clearer regarding online advertising. While the requirements for businesses are clear and concise, those for service providers who help businesses advertise online could be clearer.
You are either a business or a service provider in the CPRA sense, or maybe both. This article will review the requirements for everyone involved in the data processing.
The CPRA defines cross-context behavioral advertising as “the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
Let’s disassemble the definition to understand it better:
That includes advertising through platforms like Google, Meta, Twitter, Pinterest, and other digital advertising platforms. When their online identifiers are installed on a website, they collect consumers’ personal information related to browsing such websites. When a business pays them, they serve targeted ads to the same consumer.
When it comes to processing personal data for the purposes of targeted advertising, you have to comply with the general CPRA requirements for data collection and processing.
That includes:
The CPRA requirements for service providers in terms of online advertising are more complex than those for businesses. That is where the law causes problems for the ad tech industry.
In Section 1798.140, CPRA defines online advertising exactly as it works in practice. So, where’s the problem?
Well, cross-context behavioral advertising is exempt from the definition of business purposes. According to the law, service providers process personal data only for specific business purposes. Moreover, service providers must stick to the business purposes specified in the contract when retaining, using, or disclosing personal information.
CPRA defines what a business purpose is in Section 1798.140(e). It explicitly lists activities for business purposes, one of which is “providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that, for the purpose of advertising and marketing.”
Cross-context behavioral advertising is not mentioned anywhere else in the definition of business purposes; hence, we can safely conclude that it is exempt from the definition. Simply put, this type of advertising serves no valid business purpose. If a business processes consumers’ personal information for such a purpose, it is not a service provider under the CPRA.
That’s why we need to wait for California Attorney General regulations, or at least some clarification, to ensure that service providers can comply without guessing what they should do.
CPRA’s effective date is 1 January 2023. The lookback period starts one year earlier, so ad tech companies are already at risk of receiving fines once the California authorities start enforcement actions.
If you do not comply with the CPRA, the CPPA and California Attorney General may investigate the case and issue a fine.
The law says that people who break California residents’ privacy rights will be fined $2,500 per violation and $7,500 per intentional violation.
Remember that if you operate all over the US, you may be subject to the requirements of a few other data privacy laws, such as the Virginia Consumer Data Protection Act, the Utah CPA, and a few others.
Online advertising has stirred a lot of controversy in the last decade regarding businesses’ extensive data collection and processing practices, including an extensive collection of sensitive personal information. Consumers’ privacy is at risk, so governments worldwide have started passing laws to limit what companies can do.
The EU’s GDPR remains the world’s most comprehensive data protection law. In the US, California broke the ice with the California Consumer Privacy Act (CCPA), which the CPRA now complements. The Colorado Privacy Act, Virginia VCDPA, Utah CPA, and Connecticut CTDPA follow the example. More state privacy laws, as well as federal privacy laws, may be expected in the next few years.