December 3, 2022

CPRA cross-context behavioral advertising

The California Public Records Act (CPRA) has rules about cross-context behavioral advertising that you must follow to avoid trouble with the California Privacy Protection Agency (CPPA). This article will review the requirements for everyone involved in the data processing. 

The California Public Records Act (CPRA) has rules about cross-context behavioral advertising that you must follow to avoid trouble with the California Privacy Protection Agency (CPPA).

However, the law could be clearer regarding online advertising. While business requirements are clear and concise, service providers who help businesses advertise online could be clearer.

You are either a business or a service provider in the CPRA sense or maybe both. This article will review the requirements for everyone involved in the data processing. 

What is Cross-Context Behavioral Advertising under the California Privacy Rights Act (CPRA)?

The CPRA defines cross-context behavioral advertising as “the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

Let’s disassemble the definition to understand it better:

  • Targeting of advertising to a consumer
  • Based on the consumer’s personal information
  • Obtained from the consumer’s activity across businesses... other than the business,
  • With which the consumer intentionally interacts.

That includes advertising through platforms like Google, Meta, Twitter, Pinterest, and other digital advertising platforms. When their online identifiers are installed on a website, they collect consumers’ personal information related to browsing such websites. When a business pays them, it will serve targeted ads to the same consumer.

What are the requirements for businesses regarding Cross-Context Behavioral Advertising?

When it comes to processing personal data for the purposes of targeted advertising, you have to comply with the general CPRA requirements for data collection and processing.

That includes:

  • Serve consumers with a privacy notice on the collection of personal information. That notice needs to inform them why you collect data and what you intend to do with it. If targeted advertising on social media is part of your plans, it needs to be included in the privacy notice. Otherwise, you must refrain from using the collected data for advertising.
  • Obtain consumer’s consent if you knowingly collect data from children
  • Honor consumer requests, including requests to know, access, delete, and other requests and honor consumer rights requests in general.
  • Conduct regular cybersecurity audits and risk assessments, particularly if you process sensitive personal information such as precise geolocation, social security number, health data, etc.
  • Respect consumers’ opt-out rights and allow them to opt-out of the sales or sharing of personal information by providing them with a “Do Not Sell My Personal Information” mechanism on the web page.
  • Allow consumers to limit the sharing of sensitive personal information by providing them with a “Limit the Use of My Sensitive Personal Information mechanism on the homepage.
  • Ensure data security at all times and so on. See more in our comprehensive article on CPRA requirements.

What are the requirements for Service Providers regarding Cross-Context Behavioral Advertising?

The CPRA requirements for service providers in terms of online advertising are more complex than those for businesses. That is where it causes problems for the ad tech industry.

In Section 1798.140, CPRA defines online advertising exactly as it works in practice. So, where’s the problem?

Well, cross-context behavioral advertising is exempt from the definition of business purposes. According to the law, service providers process personal data only for specific business purposes. Moreover, service providers must stick to the business purposes specified in the contract when retaining, using, or disclosing personal information.

CPRA defines what a business purpose is in Section 1798.140(e). It explicitly lists activities for business purposes, one of which is “providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that, for the purpose of advertising and marketing.”

Cross-context behavioral advertising is not mentioned anywhere else in the definition of business purposes; hence, we can safely conclude that it is exempt from the definition. Simply put, this type of advertising serves no valid business purpose. If one business processes consumers’ personal information for such a purpose, it is not a service provider under the CPRA.

That’s why we need to wait for California Attorney General regulations, or at least some clarification, to ensure that service providers can comply without guessing what they should do.

CPRA’s effective date is 1 January 2023. The lookback period starts one year earlier, so ad tech companies are already under the scrutiny of receiving fines once the California authorities start with enforcement actions.

What happens if you don’t Comply with the CPRA?

If you do not comply with the CPRA, the CPPA and California Attorney General may investigate the case and issue a fine.

The law says that people who break California residents’ privacy rights will be fined $2,500 per violation and $7,500 per intentional violation.

Remember that if you operate all over the US, you may be subject to the requirements of a few other data privacy laws, such as the Virginia Consumer Data Protection Act, the Utah CPA, and a few others.

Final Thoughts

Online advertising has steered a lot of controversy in the last decade regarding businesses’ extensive data collection and processing practices, including an extensive collection of sensitive personal information. Consumers’ privacy is at risk, so governments worldwide have started passing laws to limit what companies can do.

The EU’s GDPR remains the world’s most comprehensive data protection law. In the US, California broke the ice with the California Consumer Privacy Act (CCPA), which the CPRA now complements. The Colorado Privacy Act, Virginia VCDPA, Utah CPA, and Connecticut CTDPA follow the example. More state privacy laws, as well as federal privacy laws, may be expected in the next few years.