The below is not legal advice, but rather guidelines based on the current text of the CPRA and CCPA. These guidelines may change over time to reflect updated best practices. You should consult with your own counsel, privacy professionals, and/or internal resources to determine a comprehensive and appropriate solution for your business and your marketing activities. At the time this article was written, the text of the CPRA was still in draft form and NOT final.
The California Privacy Rights Act (CPRA) is a law that addresses the privacy rights of California consumers and data protection obligations of companies. If you do business in California, including operating a website that's accessible to California residents, you may need to comply with the CPRA. The CPRA amends the previously enacted California privacy law, known as the California Consumer Privacy Act (CCPA). The effective date of the CPRA is January 1, 2023, with enforcement beginning on July 1, 2023.
Does Your Company Need to Comply with CPRA?
The CCPA and CPRA focus on whether your business collects the personal information of California consumers. Therefore, the laws may apply to your business even if your business is located in a state other than California, or a country other than the United States.
However, not all businesses are subject to the California laws. Only for-profit businesses that meet the following criteria must comply:
Some health and financial businesses that are already operating under federal data security laws are exempt from complying with CCPA in certain circumstances. For example:
- Health providers and insurers already under HIPAA;
- Banks and financial companies covered by Gramm-Leach-Bliley; and
- Credit reporting agencies operating under the Fair Credit Reporting Act.
How NextRoll Complies with the CCPA and CPRA
The below addresses the ways in which NextRoll complies with California privacy law.
- Privacy Notice Disclosures. NextRoll’s Privacy Notice includes the required notice and disclosure provisions. NextRoll will continue to update its Privacy Notice as necessary.
- Consumer Opt Outs: Interest Based Advertising. NextRoll honors consumer choices with regard to their data. Consumers can opt out of interest-based advertising (known as cross-context behavioral advertising). NextRoll’s interest based advertising opt-out is available
- Consumer Opt-Outs: Sale of Data. NextRoll also allows users to opt-out of the sale of their personal information. Aside from data used for interest based advertising mentioned above, the data that is sold by NextRoll is pursuant to NextRoll’s Contact Data product, which sells consumer business emails. This opt-out is available in the footer of NextRoll websites.
- California Data Broker Registry. NextRoll is registered as a California data broker.
- NextRoll Terms of Service. In addition, NextRoll’s Terms of Service require its customers to include disclosures in their privacy notices that specify the data collected by NextRoll (see “How You Can Comply” below).
- Global Privacy Controls. NextRoll’s Technology recognizes and honors Opt-Out Preference Signals, sometimes referred to as the Global Privacy Control (“GPC”). This means that NextRoll will not share or sell personal information from consumers who communicate an Opt Out Preference Signal through the GPC mechanism.
- Consumer Data Requests. Consumers can make data requests on NextRoll’s privacy request webpage.
How You Can Comply
A. Privacy Notice Disclosures
Section 7 of NextRoll’s Terms of Service lays out customer data privacy obligations. Specifically, it sets forth the disclosures customers must make in their privacy notices, as required under various privacy laws, such as the CPRA and CCPA. These requirements include:
- Disclosing the categories of data collected by NextRoll, and the purposes for which data is collected and used by NextRoll;
- Instructions on how end users can opt out from receiving interest-based advertising; and
- Instructions on how end users may opt out from receiving cross-site advertising
B. NextRoll is NOT a service provider for our customers. Here is why.
Under the CCPA and CPRA, the selling or sharing of personal information is regulated. However, if a business is disclosing personal information solely to a “service provider” for a “business purpose” it is not considered selling or sharing personal information. NextRoll CANNOT be a service provider for our customers under the CPRA because providing targeted advertising is not considered a “business purpose.” Targeted advertising is specifically described and defined as “cross-context behavioral advertising” in the CPRA and engaging in this activity requires providing California residents with the ability to opt out of selling or sharing personal information. For ways in which you can effectuate this opt-out, see “Consumer Opt-Outs” below.
C. Consumer Opt-Outs
Under the CPRA, NextRoll customers are considered to be “sharing” data with NextRoll because NextRoll provides targeted advertising (referred to in the law as “cross-context behavioral advertising”). Therefore, NextRoll customers who are required to comply with the CPRA must allow California consumers to opt out of targeted advertising by either:
- including an opt-out on their website, known as the “Do Not Sell or Share My Personal Information” opt-out, OR
- ensuring NextRoll’s Global Privacy Control technology covers all instances of selling or sharing by the company and complies with section 7025(g) of the CPRA. Please note that a company cannot rely on Global Privacy Controls handled by NextRoll’s technology if the company shares or sells personal information for any activity beyond targeted advertising or with another party.