CPRA, effective from January 2023, defines “business purpose” to omit cross-context behavioural advertising.
The California Privacy Rights Act (CPRA) is a rework of the California Consumer Privacy Act (CCPA). The CCPA currently exempts companies defined as “service providers” from several requirements. For example, unlike other businesses, the CCPA exempts service providers from the requirement to provide consumers with a notice of their rights, among other legal disclosures.
As of now, the CRPA says that service providers are restricted from retaining, using or disclosing personal information for non-business purposes. Only companies that process data for business purposes are considered service providers. But the Act also redefines “business purpose” to exclude cross-context behavioural advertising.
This does not clarify whether a company intending to use personal information for cross-context behavioural advertising falls outside the ambit of a service provider. While the California Privacy Protection Agency should provide interpretative guidance, ad tech vendors must keep a lookout for any announcements or additional regulations from the body.
[3 minute read]