Changes to CCPA Put Retargeting in the Regulatory Bullseye

It seems like the CCPA has been a work in progress for millennia at this point, doesn’t it? Since I first spoke of the California Consumer Privacy Act back in January 2020 – which might as well be millennia ago considering what’s happening since then – not a whole lot has changed about the legislation. Until recently, that is.


Thanks to a recently-passed ballot initiative in the Golden State, Proposition 24, we’re finally getting some clarification of the CCPA, albeit under the guise of a spiffy new title – the California Privacy Rights and Enforcement Act (CPRA) of 2020. Therefore, I wanted to take this opportunity to look at where the legislation’s been and, most importantly, what the recent initiative means for the digital advertising industry.

Spoiler alert – it behooves a company operating in the digital ad space to understand CPRA and find effective solutions to comply, because the consequences of non-compliance can be dire.

Read Next: Q3 2020 Recap: New Normal, Old Worries  

A Quick Look Back at the CCPA

I won’t spend a lot of time looking at the legislation’s history since, as I said, it’s a topic I’ve covered previously. However, in the interest of building a full narrative, a quick overview of the original CCPA and who it impacts – for-profit entities exclusively – is as follows:

CCPA impacts-png

Also, when compared to it’s EU equivalent, the GDPR, it’s obvious that California lawmakers wanted to lean toward the “do not sell” side of the regulatory fence rather than the GDPR’s “do not track” approach. However, like its EU counterpart, CCPA can carry a very heavy stick, depending on the circumstances. Each unintentional violation – including pre-existing ones – triggers up to a $2,500 penalty, with intentional violations upping the ante to a maximum of $7,500 per incident.

Needless to say, those penalties can add up to staggering amounts quickly. Companies should also note that, although the CCPA was stuck in a bit of a legislative quagmire for a good amount of time, it was finally approved on August 14, 2020. Just in time for it to change again thanks to the November ballot initiative, right? So let’s take a look at what the CCPA v2 – the CPRA – entails for companies.

The CPRA: A Clarification on “Do Not Sell” and Retargeting

Given the 53-page heft of the CPRA initiative, I’ll leave it to you to take a deep dive into its nuances if you so choose. But from a high-level, the most impactful difference between the new CPRA and the CCPA it stems from is the clarification and expansion it provides on the “do not sell” language.

One of the most confusing aspects of the CCPA is its vague definition of what constitutes “selling” personal data, specifically when it comes to retargeting. As many in the industry argued, retargeting relies on sharing data, not so much selling. Therefore, retargeting shouldn’t fall under the statute’s reach.

However, lawmakers obviously recognized their vague verbiage when writing the CPRA, now adopting a “do not sell or share” approach, which, as you guessed, places retargeting directly in the crosshairs of the initiative. In fact, the CPRA directly addresses cross-contextual behavioral advertising – aka retargeting – by defining it as:

Also, the CPRA specifically excludes such retargeting from its definition of “advertising and marketing services” that would otherwise be considered a “business purpose” and, therefore, effectively side-step the new statute.

And as if that clarification wasn’t obvious enough, the CPRA considers data sharing “a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”

Long story short, the digital ad industry must soon adhere to a far higher regulatory standard when it comes to retargeting. And that begins with a mandatory opt-out election, “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising,” that website owners must include in their sites, as discussed in Sec 21 (19) (A) (vi. c) of the CPRA.

Protect Yourself From CPRA Non-Compliance

So what’s the industry to do? Retargeting is now so pervasive, it’s become a norm across the ecosystem. Well, the first bit of good news is that the CPRA doesn’t take effect until January 1, 2023. And once it does take hold, it will only apply to personal data collected on or after January 1, 2022. In other words, you have some time to come up with a game plan.

The second bit of good news is this – Ad Lightning is currently developing a solution that will soon tell you if you’re violating the retargeting language within the new statute. Imagine being able to quickly audit your site, identify areas of non-compliance, and promptly implement needed changes to avoid the regulatory wrath. Sounds pretty incredible, right? But those are the types of tools that make Ad Lightning the best-in-industry ad quality partner on the market. Bar none.

Just as importantly, we’ll continue to monitor the road ahead, developing powerful tools to protect our partners with the most effective solutions in the industry. Suffice it to say, this is a dynamic landscape on both the ad quality and regulatory fronts. And it pays – both literally and figuratively – to have the right solutions and expertise at your side.

New call-to-action