5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: December 13, 2024
Published: September 8, 2022
Superseding the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) becomes operative January 1, 2023. Among the biggest changes is the expansion of consumer rights to include businesses that share personal information.
“Share” is an important distinction. With the CCPA, only companies that sold customer data were on the hook to provide certain disclosures and rights to consumers.
With the implementation of the CPRA, certain businesses that buy, sell, or share personal information must comply with the law, provided they meet certain requirements. Namely:
The CPRA also adds two additional categories to the definition of a “business.” The first includes joint ventures or business partnerships in which each business has at least a 40% interest, while the second includes individuals that would otherwise not be considered a business, but voluntarily agree to follow and be bound by the CPRA.
Before the adoption of the CPRA, companies that didn’t sell customer data were not bound by the law. However, the CCPA broadly defined the term “sell” to include any arrangement involving an exchange of value “between the business and a third party or another company for consumers’ personal information. ”
Within the context of the CCPA, a “sale” was defined as:
selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal information for monetary or other valuable consideration.
The broad scope created a gap that didn’t cover companies transferring personal data between two entities without selling it in the classic sense of the word.
Nevertheless, the CCPA definition was written this way to limit bad actors from circumventing the right to opt-out. Further, many individuals don't understand that marketing intelligence and social media platforms are constantly sharing consumer browsing habits and analytics with businesses.
The CCPA imposed strict requirements on the "sale" of personal information (e.g., "Do Not Sell My Personal Information" button on homepages). The CPRA takes it a step further by including the sharing of personal data.
The CPRA defines “sharing” as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business.” This definition is comparable to the CCPA’s original definition for the term “selling.”
However, the CPRA goes a step further. It covers sharing data with “a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” (Emphasis is our own).
Thus, the CPRA not only broadens its definition to include data sharing, it also explicitly calls out sharing data for the purposes of targeted advertising. Under the CCPA, many businesses continued to share data for targeted advertising since it appeared to fall outside of the definition of “selling” data.
Under the CCPA, many websites asked consumers for opt-in consent to the use of behavioral advertising cookies through cookie banners. The CCPA does not consider it to be “selling” data when “a consumer uses or directs the business to intentionally disclose personal information … with a third party.” As a result, businesses were able to track their users’ behavior and transfer that data to behavioral advertising networks after obtaining opt-in consent.
But since it wasn’t fully clear whether sharing data with advertising networks was covered by the CCPA or not, many other businesses simply used behavioral advertising cookies without asking for consent.
As a result, some businesses were tracking user data in violation of the spirit, if not the letter of the law, while others were asking for opt-in consent when it may not have been necessary.
The CPRA removes ambiguity from the definition by mandating that consumers have a right to be informed and opt out of the sale or sharing of their personal information. That includes sharing data with advertising networks and clarifies that businesses need to provide opt-out consent (i.e., by providing a link that prohibits the sale and share of consumers’ personal information).
Under the CCPA, consumers had the right to opt-out of the sale of their data. In fact, the CCPA’s first enforcement action was based on a violation of this right. Popular makeup brand Sephora was made to pay a $1.2 million settlement when it failed to inform consumers about the sale of their data and to follow through when consumers withdrew their consent using a global opt-out mechanism.
This enforcement action was based solely on CCPA’s prohibition against selling consumer data when they opt out. Now, consumers also have the right to opt-out of the sharing of their data and businesses must provide notice to consumers of this right.
Additionally, businesses are expressly prohibited from selling or sharing information of personal information of consumers less than 16 years old unless the consumer (or parent or guardian for those ages 13-16) has authorized the sale or sharing of information.
Further, they must provide a link on the home page of their website titled “Do Not Sell or Share My Personal Information” and a link titled “Limit the Use of My Sensitive Personal Information.” These links need to allow the consumer to opt-out of the sharing or sale of their data and to limit the use of sensitive data to only what is necessary for the website to function, respectively.
The rate at which consumer privacy laws are developing and being updated is unprecedented. Staying compliant is critical, as repercussions are steep.
Per the CPRA, violations in selling or sharing personal information could cost businesses up to $7,500 per incident. The new mandates also have a $2,500 maximum penalty for accidental privacy violations for Californians over the age of 16. Additionally, the CCPA provided a remedy period, which the CPRA eliminates.
If you haven’t given any thought to how you’ll handle the new mandates, or if you thought you had time to prepare, now is the time. Being proactive will save you from having to play catch-up when the changes in the law become operational.
To support you in that journey, we’ve put together a short guide laying out the major requirements of the CPRA and how we can help you become compliant. You can access a free copy of “CPRA compliance: How Osano can help” here.
Wondering how to meet CPRA compliance? Our free ebook breaks down the major tasks you need to complete to avoid fines and penalties once CPRA enforcement kicks in.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.