California Dreaming or California Nightmare? New privacy laws abound.

by Mike Hershey, EVP of Government Affairs

When the California Consumer Privacy Act (CCPA) came into effect in 2020, the media and advertising industry struggled to implement disclosures and procedures to comply with the groundbreaking obligations under the nation’s first definitive set of data privacy laws. Those obligations impacted the out of home (OOH) advertising industry as well, as most companies use data to inform, analyze or target OOH advertising.

The CCPA now looks like the opening act for the main performance as four recent developments will require additional analysis and compliance efforts by the OOH industry.

1. CCPA 2.0

The most widely discussed development is the enactment of the California Privacy Rights Act (CPRA), aka CCPA 2.0, which takes effect on January 1, 2023. The CPRA will tighten the reins on what service providers can do with data generated by businesses. It will require additional disclosures by businesses when collecting personal info, provide consumers with the right to opt out of ‘sharing’ their personal info for behavioral advertising, and require new contracts between various parties in the ecosystem.

2. Sephora

While the industry is getting ready for the CPRA, the first public CCPA enforcement action was announced last month by the California Attorney General against Sephora. This action, which came with a $1.2 million price tag, focused on the various third-party pixel providers collecting data from the Sephora website. When working with such providers, a business either needs to treat those data transmissions as the sale of personal information (and give consumers the ability to exercise their right to opt out) or treat those pixel providers as ‘service providers’ (evidenced by service provider contracts with the providers). Sephora did not meet either obligation.

In addition, the California Attorney General held Sephora liable for not honoring global privacy control (GPC) signals that were transmitted by users to the Sephora website.

3. Advertising to Minors

As if the CCPA and CPRA were not enough, the State recently enacted the California Age-Appropriate Design Code Act. This new law, which goes into effect on July 1, 2024, will require businesses to prioritize a child’s privacy, safety, and well-being over commercial interests. The law requires data privacy impact assessments, prohibits profiling of children by default, and requires that all default privacy settings offered by a product or service be configured to the highest level of privacy.

Since the law defines a child as anyone under 18, this law will likely eliminate targeted advertising to minors in California. Given the breadth of the law and its technology- and medium-neutral approach, it will be interesting to see how it is applied to the OOH industry.

4. Employee Rights

Lastly, companies were enjoying the broad carve-outs under the CCPA for most obligations regarding B2B and employee data. Those carve-outs are set to expire at the end of the year. While the industry fully expected the California legislature to come to the rescue with an extension, numerous bills failed to pass in the most recent legislative session. As a result, come January 1, 2023, employees and B2B participants will be due the exact same disclosures as ordinary consumers, and may exercise the same rights, such as access, deletion, opt-out, and more. This will be the first time that employees have such broad rights under any privacy law in the United States. 

Meanwhile, Congress advanced privacy legislation through a key House committee in the summer. That bipartisan bill would pre-empt state laws, like California’s. While a long way from potentially becoming law, the bill’s advancement and the state pre-emption language are important developments. With all the moving pieces on privacy, now is the time for industry participants to review their data processing activities and step up their compliance programs. Data is generated through so many activities, and the OOH industry is hardly immune from these new requirements.