In three weeks, California voters will decide whether to pass Proposition 24 — the California Privacy Rights Act. If it passes, California will have the most stringent consumer privacy law in the United States, one that goes materially further than CCPA in ways that will require significant operational changes for adtech companies, data brokers, and marketers using sensitive data categories.
Polling shows the measure with broad public support, and it has financial backing from Alastair Mactaggart, the real estate developer whose earlier initiative created CCPA. The business community is divided: some large tech companies have taken no position, while others have quietly supported it, as CCPA’s operational uncertainty made the more comprehensive CPRA seem preferable to ongoing amendment battles. Consumer advocacy groups have concerns about some of the opt-out provisions, but most have not actively opposed it.
This is the time to understand what CPRA does, how it differs from CCPA, and what the operational implications are — before it passes and implementation pressure becomes acute.
What CPRA Does Beyond CCPA
CCPA, which became enforceable July 1, 2020, established baseline privacy rights for California residents: the right to know what data is collected, the right to delete data, the right to opt out of the sale of personal information, and a private right of action for data breaches. It was a significant step and it required substantial compliance investment. CPRA builds on that foundation with several material additions.
Sensitive personal information as a protected category: CPRA creates a new category of “sensitive personal information” that includes precise geolocation, social security numbers, financial account information, health data, racial or ethnic origin, religious beliefs, and union membership — as well as contents of messages and genetic data. Consumers can direct businesses to limit the use of sensitive information to what is necessary for service delivery. For adtech companies building audience segments that include demographic data, health indicators, or behavioral proxies that could infer sensitive categories, this is a significant operational constraint.
Right to correct: In addition to CCPA’s right to know and right to delete, CPRA adds a right to correct inaccurate personal information. For data brokers, identity graphs, and DMPs maintaining consumer profiles, the right to correct creates an operational requirement to accept and honor correction requests — not just deletion requests.
Sharing as equivalent to selling: CCPA’s opt-out right applies to the “sale” of personal information. The definition of “sale” has been extensively litigated and debated, with companies arguing that sharing data for advertising purposes is not a sale if no monetary consideration is exchanged. CPRA adds “sharing” as a parallel concept, explicitly covering cross-contextual behavioral advertising even without monetary consideration. This closes the “not a sale” interpretation that some companies have used to argue that programmatic audience sharing is CCPA-exempt.
Enforcement agency: CCPA enforcement is handled by the California Attorney General’s office, which has limited resources relative to the scope of enforcement obligations. CPRA creates a dedicated California Privacy Protection Agency (CPPA) with its own budget, staff, and rulemaking authority. This is a structural enforcement upgrade that materially changes the compliance risk calculus.
The Sensitive Categories Problem for AdTech
The sensitive personal information provisions of CPRA create the most operationally complex challenge for the adtech ecosystem. The programmatic advertising industry has long used demographic and behavioral data to construct audience segments that are proxies for sensitive categories — health condition segments built from pharmaceutical search behavior, financial distress segments built from credit-related browsing, and ethnic affinity segments built from content consumption patterns.
None of these segments explicitly collect sensitive personal information. But all of them involve using behavioral data to infer characteristics that CPRA would classify as sensitive. The CPRA text requires businesses to limit the use of sensitive personal information to what is necessary for service delivery unless the consumer affirmatively authorizes broader use. Whether audience segments built from inferred sensitive data are covered by this provision depends on regulatory interpretation — and the new CPPA, once constituted, will be in a position to issue binding rules.
The safest interpretation — and the one that limits exposure — is to audit all audience segment products that could constitute inferred sensitive information and to require explicit authorization before using them for targeting purposes. The practical cost of this approach is significant: many of the highest-CPM audience segments in programmatic buying are sensitive-adjacent.
What Changes vs. CCPA for AdTech Operations
For companies already compliant with CCPA, CPRA requires several operational updates:
Data minimization and purpose limitation: CPRA introduces explicit data minimization requirements — data collection must be limited to what is necessary for the disclosed purposes. This is a principle from GDPR that is new to California law and will require privacy program reviews for companies that collect personal data broadly.
Retention policies: CPRA requires businesses to disclose retention periods and to delete data when it is no longer needed. For adtech companies maintaining audience data, this means establishing and honoring documented retention limits rather than retaining data indefinitely.
Opt-out mechanisms for sharing: The “sharing” provision means companies running cross-site behavioral advertising using California resident data need an opt-out mechanism specifically for advertising data sharing, separate from any general CCPA opt-out. The “Do Not Sell or Share My Personal Information” link will need updating to reflect the sharing provision.
Contractor and service provider obligations: CPRA tightens the definitions of “service provider” and “contractor” in ways that limit the scope of the service provider exemption that many adtech companies have relied on to avoid direct CCPA compliance obligations. The boundaries between controller, processor, and joint controller will require legal review.
The Enforcement Agency Is the Real Change
The creation of the California Privacy Protection Agency is arguably more consequential than any individual provision in CPRA. CCPA enforcement under the AG’s office was limited in practice: the office received hundreds of complaints but had limited resources to pursue them, and the cure period (which allowed businesses 30 days to fix violations before facing penalties) reduced enforcement intensity.
The CPPA, if CPRA passes, will have a dedicated budget, the ability to hire specialized privacy enforcement staff, and proactive rulemaking authority. It can adopt regulations without waiting for legislative action. It can initiate enforcement actions without relying on consumer complaints. The 30-day cure period for some violation types is modified — serious violations may not get cure periods.
For any company doing business with California residents’ data — which means virtually every company in the programmatic ecosystem — the CPPA represents a materially more active enforcement environment than has existed under CCPA. Compliance cannot be a check-the-box exercise if a dedicated agency with enforcement authority is actively monitoring the market.
FAQ
When would CPRA actually take effect if it passes? CPRA would take effect January 1, 2023, with enforcement beginning July 1, 2023. This gives businesses approximately two years from a November 2020 passage to implement compliance programs. The California Privacy Protection Agency would begin operating before enforcement begins, as it will need time to adopt implementing regulations. Key provisions — particularly around sensitive personal information and the right to correct — will require regulatory interpretation from the CPPA before businesses can be fully certain of their compliance obligations.
How does CPRA compare to GDPR? CPRA incorporates several GDPR-like principles — data minimization, purpose limitation, retention limits — that were absent from CCPA. The sensitive personal information category is similar in concept to GDPR’s “special categories.” However, CPRA still operates as an opt-out framework rather than GDPR’s opt-in framework: consumers must take action to restrict data use, rather than businesses requiring affirmative consent before processing. The enforcement structure — a dedicated agency — is also GDPR-like, similar to EU member state Data Protection Authorities.
Does CPRA apply to B2B data or only B2C? CPRA, like CCPA, applies to personal information of California residents regardless of the commercial context in which that data was collected. B2B data about individuals — business email addresses, phone numbers, job titles — is covered. Some CCPA exemptions for employee data and business-to-business data were temporary under CCPA; CPRA would extend those exemptions through 2022 and the CPPA would then determine permanent treatment. For adtech companies using B2B data for account-based marketing programs, the exemption status of B2B personal data deserves careful legal review.
What should we do before the November 3 vote? Start the compliance gap analysis now. Identify every data processing activity that involves California resident data, document the legal basis, and map it against CPRA’s requirements. Pay particular attention to sensitive personal information in any form — explicit or inferred — and to data sharing arrangements for advertising purposes. The two-year implementation timeline is not as long as it seems given the complexity of building or updating data governance programs. Companies that begin planning before the vote will have a meaningful head start.