
It’s Alive! Prepare for CPRA Regulations & New Data Privacy Legislation

Simon Poulton, Vice President | Digital Intelligence

Data privacy legislation is building momentum: more comprehensive privacy bills have been proposed and passed at the state level than ever before. But none are as wide-ranging as what’s coming in the state of California.

The California Privacy Rights Act (CPRA) went into effect January 1, 2023, and enforcement will start on July 1, 2023. The CPRA represents both a clarification and enlargement of the original California Consumer Privacy Act (CCPA); together, they’ll constitute the strictest privacy laws in the country.

So what does that mean for your business? For one, if your marketing strategy is in danger of non-compliance and you do any business (including online sales) in the state of California, you need to move privacy to the top of your priority list.

Before we go further, please note that content on this blog should be considered reporting and/or opinion, NOT legal advice. Consult your legal department on all decisions around compliance.

Overview: CPRA vs. CCPA and other data privacy laws going into effect in 2023

You’re probably aware of a flurry of changed deadlines and adjusted schedules around CPRA that were announced at the end of 2022, but they don’t change the previously established calendar for enforcement. So let’s get down to business.

The CPRA was a ballot measure that came into being because there were grey areas in the original CCPA that left many questions unanswered, particularly around defining personally identifiable information (PII) and different types of data collection.

The other state privacy laws outside of California going into effect in 2023 are:

  • Colorado Privacy Act (CPA): Effective July 1st, 2023
  • Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA): Effective July 1st, 2023
  • Utah Consumer Privacy Act (UCPA): Effective December 31st, 2023
  • Virginia Consumer Data Protection Act (CDPA): Effective January 1st, 2023

Like CPRA, all of these state laws have provisions for consumer rights, as well as their own interpretations of what constitutes sensitive personal information. But it’s very important to know that they are all different. There is no one-size-fits-all solution to privacy compliance across states.

That’s where your legal department comes in. You need to set up regular communication with your legal team to stay ahead of new rules and regulations that may impact your business this year and in the future.

The changes: CPRA modified regulations around PII and data sharing

While CPRA is already in effect, the final rules based on modified regulations won’t be released until sometime in April 2023 following a brief delay by the California Privacy Protection Agency (CPPA).

Some of the changes under CPRA include strengthening limits on data sharing and providing clearer guidance on how marketers can use what the law defines as “potentially sensitive” personal information, including:

  • Social security or driver’s license number
  • State identification card or passport number
  • Consumer’s log-in details
  • Geolocation
  • Financial accounts, including debit/credit card numbers along with any verification or password tied to the account
  • Race
  • Ethnicity
  • Religion
  • Genetic data
  • Biometric data
  • Private communications
  • Sexual orientation
  • Health information

One of the biggest debates that led to CPRA was the ambiguous language of CCPA’s “Do Not Sell” requirement. Under the new law, businesses now have to let consumers opt out of both selling and sharing their information with a mandatory “Do Not Sell or Share My Information” option on their websites.

If you are sharing data with a third party that wasn’t originally authorized, you are required by law to allow users to opt out. There are two parts to consider:

  • Real identity: a user’s personally identifiable information (PII) that is being captured onsite
  • Passive identity: cookies and browser identifiers, or anything that is automatically tracking users

While the current regulations are being finalized, you can expect additional regulations in the future. Section 1798.185 of the CPRA authorizes the CPPA to “solicit broad public participation and adopt regulations to further the purposes of this title (the CPRA).” That offers broad leeway for additional rules and restrictions, ranging from adding new categories of personal information related to data privacy to establishing new procedures related to the sharing of personal information and opting out of the sale of personal data.

Compared to the laws going into effect in the other four states, California offers the most legal protections for consumer data privacy by far. But remember: compliance in California does not automatically mean compliance elsewhere.

The effects: what to expect from CPRA enforcement

Under CCPA, enforcement remained a big question mark, but expect California to turn up the heat with CPRA. The $1.2 million fine dealt to Sephora for violating CCPA in 2022 should serve as a warning shot for brands that thought they could skate by.

In case you weren’t sure if California was serious, the establishment of the CPPA should be a clear sign; they will be taking over from the California Attorney General (AG) to oversee compliance, future rules, and penalties for law violations. CPRA also eliminates the 30-day “cure” period before being fined for a violation, instead leaving it to the discretion of the AG and/or the CPPA based on the organization’s intent (or lack thereof) to break the law.

It’s less certain how enforcement will play out in the four states where legislation is going into effect for the first time; what we do know is that both enforcement and penalties will be different in each state. Whether in California or elsewhere, there will be consequences for violations that can hurt your business financially and put your reputation with your customers at risk.

CPRA compliance: How to work with your legal team

What brands can do now is act as if final regulations and enforcement are already in place. If you are not sure what that means, get in touch with your legal team and look for ways you can work together to make sure your business is compliant.

There are a couple of ways you can get started on that work with your legal team:

  • Map your data silos: Even organizations with refined data management and storage processes may find some data is siloed within their organization. It’s critical to develop a comprehensive map defining what data is being stored, where it’s being stored, and the purpose of the silo. Ideally, you would look to break down these silos, but the first step is figuring out where the data is.
  • Provide comprehensive use case information: Legal teams will often look to completely block data flows if they could create risk for the organization. In the absence of context, for example, a legal team may advise marketing to enable Restricted Data Processing in a Google Ads account. That setting would actually apply to all residents subject to regional data laws, not just those who have exercised their right to opt out. While this approach might provide absolute legal protection, it will also impact marketing efficacy, and brands need to understand this in order to determine the right balance between these trade-offs. It’s also critical for legal teams to maintain a complete line of sight so they can keep a comprehensive and up-to-date privacy policy on your website that reflects how this data is used today (a lot can change in just a few months!).
  • Calculate the estimated impact of compliance measures: If you are blocking all tracking for consumers in a given region, calculate the estimated scope of coverage and provide various scenarios of efficiency loss. For example, if you have 100,000 customers annually and 12% of them are based in California, you could use your existing cost-per-acquisition (CPA) data to showcase the impact of media efficiency declining by 10% or 20% (or more). That might happen because CPAs increase or customer acquisition declines. You can use your work to help your teams understand the scale of fiscal impact when implementing universal opt-outs. Because it’s difficult to actually estimate that impact in advance, these scaled examples will make other organization leaders more likely to pay attention and work with you and your legal team to find a viable solution that ensures consumers are able to exercise their rights while mitigating fiscal risk to the brand’s bottom line.
  • Discuss the role and use of a Consent Management Platform (CMP): The way consumers exercise their rights to opt out of data sharing or have their data purged is critically important. Not all CMP solutions are created equal. Some, like CookieBot, are just designed to block cookies (and therefore ad tracking), while others, like OneTrust, are more comprehensive. You’ll need to find the right solution for your business that keeps you in compliance and your marketing functioning.
  • Align on the language you’re using to educate consumers: Discuss different ways to educate consumers about data use with your legal team. Without context, many consumers might assume the worst-case scenario. But if you provide clear examples of how you’re using their data and what limits you’ve set, you may find consumers are more open to sharing their data. It is never appropriate to provide incentives to stop consumers from exercising their rights, but your legal team can provide specific guidance on what you can and cannot say to consumers when they are planning to opt out.

Remember: compliance is not optional. Get ahead of future challenges now by teaming with your legal department and finding the best possible path forward.

Download State of the Data 2023: The Path to Profitability Requires Privacy Compliance to learn about upcoming legislation and compliance requirements that will affect your business.
