If you think you finally got the hang of CCPA – the California Consumer Privacy Act – it’s time to get to know a new set of initials. CPRA stands for the California Privacy Rights Act. Passed by voters in November 2020 as Proposition 24, this ballot measure amends and extends CCPA. Most of its provisions take effect January 1, 2023, and enforcement begins July 1, 2023.
Although the state name appears prominently in the title of both laws, and they protect only California residents, the impact of CPRA/CCPA (CPRA for short) is nationwide. The reasons: the state’s overwhelming market size, and its position as the headquarters of so many tech, entertainment, and consumer brands. Any business, wherever it is located, that meets the thresholds and handles Californians’ data is covered, so many marketers must reorient their plans around CPRA for the acquisition and management of user data. It sets a new floor for U.S. data privacy for many companies. National businesses often design their data security or insurance programs around the most stringent state, so they will likely do the same for data privacy. And with no comprehensive data privacy law yet at a federal level, state laws largely define the landscape – and CPRA now leads the pack.
CCPA was passed by the state legislature in June 2018 (as AB 375, to head off a pending ballot initiative) and took effect on January 1, 2020, with the state attorney general’s office issuing and revising its implementing regulations throughout 2020. Essentially, CCPA – which applies to businesses that collect Californians’ personal information and meet certain revenue or data-volume thresholds – lays down some ground rules for user data.
Users got a new set of privacy rights, including the right to know what personal info a business collects and how that info is used and shared, and the right to require that a business delete it. CPRA adds the right to have inaccurate info corrected and the right to limit the use of sensitive data such as precise geolocation (defined as location within a radius of 1,850 feet, roughly a third of a mile). CPRA also bars “dark patterns,” interface designs that make those choices hard to find or exercise.
Consumers may also opt out of the sale of their personal data, and a website or app must offer a clear method to do so: CCPA requires a “Do Not Sell My Personal Information” link, which CPRA extends to “Do Not Sell or Share.” And users cannot be discriminated against because they exercise their rights.
CPRA revises CCPA in a variety of ways. One of the most significant is the creation of an additional protected category of “sensitive personal information.”
This new category covers Social Security, driver’s license, state ID, and passport numbers; account log-in and financial account credentials; precise geolocation; racial or ethnic origin, religious beliefs, and union membership; the contents of mail, email, and text messages; genetic and biometric data; health data; and sex life or sexual orientation. CPRA also directs the new agency to write rules giving consumers access and opt-out rights for automated decision-making and profiling, such as algorithmic credit decisions.
CPRA also tightens the obligations of service providers, contractors, and third parties: contracts must bind them to the same restrictions as the business, and they are directly liable for misusing user data. Businesses whose processing poses significant risk to consumer privacy must perform annual cybersecurity audits and submit regular risk assessments to the new agency. And the opt-out right now covers the sharing of user data for cross-context behavioral advertising, not just selling it.
Most importantly, CPRA sets up a dedicated regulator, the California Privacy Protection Agency, the first of its kind in the country. It takes over rulemaking and shares enforcement authority with the state attorney general’s office, which previously handled CCPA enforcement alone.
But, for global marketers, CPRA isn’t the only set of initials to pay attention to. There’s still the European Union’s GDPR, or General Data Protection Regulation, which went into effect in mid-2018.
It’s much more stringent than CPRA: it requires a lawful basis, often explicit consent, for each use of personal data, and it applies to anyone in the EU (not just citizens) and to any business, wherever located, that offers goods or services to people there or monitors their behavior. Many global brands reach these users, so GDPR figures into their data privacy plans.
Regardless of whether CPRA and/or GDPR applies to your company, all marketers need to set up ground rules for acquiring and utilizing user data – because the assumptions behind these laws are becoming basic operating rules.
The growing relevance of data privacy for all companies means some basic best practices are starting to emerge:
Make user data privacy a central part of your company’s ethos, in training, policies, and compliance. Assign specific data privacy responsibilities to specific individuals, with one person having overall supervision.
Map out and understand every place where user data is acquired, kept, and managed in your organization, and which third-party vendors have access to the info. Make sure you have agreements with those vendors that make their data management practices open to your review and in compliance with your standards, because their misuse of that data could pose liability problems for you.
Determine which user data is considered “sensitive,” under various definitions, and make sure it is treated with special care. Set up data structures and workflows that can promptly respond to user requests for data access, deletion, or correction.
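The data-map and request workflow described in the two practices above, as an added example that is not part of the original article or any regulator’s guidance. It keeps a per-field inventory (category, whether the category is one the article lists as sensitive, which vendors receive it) and handles access, correction, deletion, and sale/sharing opt-out requests, logging each with a due date. The field names, vendor names, user data, and the 45-day response window (the CCPA/CPRA deadline for a substantive response) are assumptions and constructed sample data, not anything from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Categories the article lists as "sensitive personal information" under CPRA.
# The labels are our own field-category names, not statutory text.
SENSITIVE_CATEGORIES = frozenset({
    "ssn", "drivers_license", "passport", "financial_account",
    "precise_geolocation", "race_ethnicity", "religion", "union_membership",
    "genetic_data", "sexual_orientation",
})

RESPONSE_WINDOW = timedelta(days=45)  # CCPA/CPRA substantive-response deadline


@dataclass
class DataField:
    """One field in the data map: its category and which vendors receive it."""
    name: str
    category: str
    shared_with: tuple = ()   # third parties that receive this field

    @property
    def sensitive(self) -> bool:
        return self.category in SENSITIVE_CATEGORIES


class Inventory:
    """Data map plus the access / correct / delete / opt-out workflow."""

    def __init__(self, schema, today=None):
        self.schema = {f.name: f for f in schema}
        self.records = {}        # user_id -> {field_name: value}
        self.opted_out = set()   # users who opted out of sale/sharing
        self.log = []            # (request_type, user_id, received, due)
        self.today = today or date.today()

    def _log(self, kind, user_id):
        self.log.append((kind, user_id, self.today, self.today + RESPONSE_WINDOW))

    def _all_vendors(self):
        return {v for f in self.schema.values() for v in f.shared_with}

    def sensitive_fields(self):
        return sorted(n for n, f in self.schema.items() if f.sensitive)

    def vendors_for(self, user_id):
        """Vendors currently receiving this user's data (none once opted out)."""
        return set() if user_id in self.opted_out else self._all_vendors()

    def store(self, user_id, values):
        # Refuse to store anything the data map does not know about.
        unknown = set(values) - set(self.schema)
        if unknown:
            raise ValueError(f"fields not in data map: {sorted(unknown)}")
        self.records.setdefault(user_id, {}).update(values)

    def access(self, user_id):
        """Right to know: values, categories, sensitivity, and recipients."""
        self._log("access", user_id)
        rec = self.records.get(user_id)
        if rec is None:
            return {"found": False}
        return {
            "found": True,
            "data": {n: {"value": v, "category": self.schema[n].category,
                         "sensitive": self.schema[n].sensitive}
                     for n, v in rec.items()},
            "shared_with": sorted(self.vendors_for(user_id)),
        }

    def correct(self, user_id, changes):
        """Right to correct: apply only mapped fields, report the rest."""
        self._log("correct", user_id)
        if user_id not in self.records:
            return {"found": False}
        accepted = {k: v for k, v in changes.items() if k in self.schema}
        self.records[user_id].update(accepted)
        return {"found": True, "applied": sorted(accepted),
                "rejected": sorted(set(changes) - set(accepted))}

    def delete(self, user_id):
        """Right to delete: remove locally and name every vendor that must
        also delete, including vendors cut off by an earlier opt-out, since
        they may still hold data received before the opt-out."""
        self._log("delete", user_id)
        existed = self.records.pop(user_id, None) is not None
        return {"found": existed,
                "notify_vendors": sorted(self._all_vendors()) if existed else []}

    def opt_out_of_sale(self, user_id):
        """Stop future sale/sharing; return the vendors whose feed must stop."""
        self._log("opt_out", user_id)
        vendors = sorted(self.vendors_for(user_id))
        self.opted_out.add(user_id)
        return {"vendors_to_stop": vendors}


def demo():
    """Constructed sample inventory with one user (assumed data, not real)."""
    inv = Inventory([
        DataField("email", "contact", shared_with=("mailer-vendor",)),
        DataField("geo", "precise_geolocation", shared_with=("ad-network",)),
        DataField("card", "financial_account"),
    ], today=date(2023, 7, 1))
    inv.store("u1", {"email": "a@example.com", "geo": "37.77,-122.41", "card": "tok_123"})
    return inv
```

The design choice worth noting is in `delete`: an opt-out stops future sharing, but vendors that already received data must still be told to delete, so the deletion response lists every vendor in the data map rather than only the ones currently receiving data. Requests for unknown users return a structured "not found" instead of raising, so the workflow can still log them and answer within the response window.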
Establish a clear method for user consent for data use, according to whichever privacy laws you observe. Even if GDPR doesn’t apply to you, be aware that user consent is becoming a standard part of how user data is acquired and utilized, so it’s best to set up the mechanism now.
Ensure that all data privacy practices, user consent processes, and user data request methods are clear and easy to find. Hiding them in dense privacy policy statements is likely to be seen by regulators as the equivalent of not having them at all.
As we enter this third decade of the 21st century, the compliance landscape for user data privacy continues to shift. But the basic rule is clear: user data privacy is no longer a nice-to-have for marketers. It’s essential.