Who, what, when: California tightens privacy rules
California’s expanded privacy regime—the California Privacy Rights Act (CPRA), approved by voters on Nov. 3, 2020—reached a major enforcement milestone in mid‑2023 when the California Privacy Protection Agency (CPPA) began exercising its rulemaking and enforcement authority. Many CPRA provisions took effect on Jan. 1, 2023, and the CPPA’s full enforcement authority started on July 1, 2023. The cumulative effect is widely regarded as making California law the strictest state privacy framework in the U.S., and it has proved especially consequential for data brokers and ad‑tech firms that collect, aggregate and sell consumer profiles.
What the law changes and why it matters
The CPRA builds on the California Consumer Privacy Act (CCPA) by adding new consumer rights and duties for businesses. Key changes include a new category—“sensitive personal information”—stronger limits on cross‑context behavioral advertising through an expanded opt‑out right, explicit obligations around data minimization and purpose limitation, and new requirements for risk assessments and audits for certain high‑risk data uses (including automated decisionmaking). The law also created the CPPA, a standalone state agency with the authority to issue regulations, bring enforcement actions and levy penalties.
For data brokers—companies such as Acxiom, LiveRamp, Experian and Oracle that build and sell consumer profiles—the CPRA’s combination of opt‑out mechanics, limits on “sharing” for targeted advertising, and new transparency requirements represents a material shift. Compliance often requires significant changes to identity resolution, data‑matching processes and contractual relationships with downstream buyers.
Industry reaction and practical implications
Data broker and ad‑tech businesses have warned that the law increases operational costs and complicates digital advertising ecosystems. Many firms have accelerated investments in privacy engineering, consent infrastructure and post‑cookie identity solutions. Publishers and ad networks reliant on targeted advertising have faced pressure to pivot to contextual targeting, first‑party data strategies or clean‑room measurement approaches.
At the same time, some consumer‑privacy advocates and regulators argue that these tradeoffs were the point: to rebalance power and give Californians meaningful control over how their data are used and sold. Marketers and ad platforms such as Google and Meta (formerly Facebook) have publicly discussed how evolving state frameworks are changing ad pricing and measurement, though both companies continue to invest in alternative approaches to ad targeting.
Background and legal context
The CPRA does not exist in isolation. Since 2018, a spate of state laws—Virginia’s CDPA, Colorado’s CPA and others—have established privacy baselines, and the European Union’s GDPR remains the global benchmark. What distinguishes California is the breadth of consumer rights, the creation of a dedicated enforcement agency (the CPPA) and the detailed rulemaking the agency has undertaken to interpret vague statutory terms such as “sharing” and “sensitive personal information.”
The CPRA also preserves a limited private right of action for certain data security incidents, while giving the CPPA broad discretionary enforcement powers for non‑security violations. That dual pathway increases the regulatory and litigation risk for companies handling large volumes of Californian consumers’ data.
Expert perspectives
Privacy practitioners say the law forces a shift from a data‑collection mindset to a data‑use mindset. Compliance consultants note that large ad tech and data broker firms must now document lawful bases for processing, run and retain risk assessments for targeted advertising and redesign data flows to support consumer opt‑outs and deletion requests. Legal analysts add that the CPPA’s forthcoming regulations will be determinative: interpretation choices on what constitutes “sharing” or a “sale” of data will shape industry practice for years.
Several industry groups have lobbied for clearer federal standards to avoid a patchwork of state rules. Absent federal preemption, companies operating nationally must tailor systems to the most stringent state standards, a reality that increases engineering and legal costs.
What comes next: outlook and takeaways
Expect continued legal and policy activity. The CPPA’s rulemaking docket remains active, and enforcement actions or formal guidance will further clarify obligations. Businesses in ad tech, identity resolution and data brokerage that once relied on the relative opacity of data flows will need to accelerate investments in compliance, measurement alternatives and first‑party data strategies. For consumers, the practical outcome is greater transparency and an expanded ability to opt out of targeted advertising and the sale or sharing of sensitive personal information.
For the broader industry, California’s model is likely to be a template. Other states and possibly federal legislators will study the CPRA’s implementation and enforcement to determine whether to emulate its tougher controls—or to seek harmonization that eases cross‑jurisdictional compliance.