Proposition 24, or the California Privacy Rights Act (CPRA), which amends provisions and strengthens enforcement of the California Consumer Privacy Act (CCPA), becomes operative on Jan. 1, 2023. That is the date upon which the directives of the statute will be implemented and Californians have extended rights in terms of access and rights to the personal data that brands collect.
But it doesn’t mean organizations on the hook for CPRA compliance can turn a blind eye on CPRA now. After all, a Californian consumer's right of access to their data applies to personal information collected by a liable business on or after Jan. 1, 2022, less than a year away. And, lest we forget, CCPA is in effect now.
“Organizations have nearly two years to prepare for CPRA compliance, but it’s never too late to get ahead,” said Dan Clarke, president at IntraEdge, the company behind Truyo, a GDPR and CCPA compliant data privacy platform. “Organizations should start by reassessing their data sharing and marketing strategies. The new legislation could pose new challenges for businesses’ ad campaigns as the CPRA redefines ‘sharing’ and the way businesses address sensitive information.”
We’ve compiled some tips on how to get started with compliance now.
Who's on the Hook for CPRA Again?
But first a reminder who is on the hook for compliance with this forthcoming law. CPRA amended compliance thresholds from the CCPA.
Businesses that collect data on prospects or customers who are California citizens AND satisfy one or more of the following amended CPRA thresholds need to comply:
- CCPA: Has annual gross revenues in excess of $25 million.
- Amended in CPRA: As of Jan. 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year.
- CCPA: Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination the personal information of 50,000 or more consumers, households or devices.
- Amended in CPRA: Alone or in combination, annually buys, or sells, or shares the personal information of 100,000 or more consumers or households. (Note: 50,000 climbed to 100,000, and the word “receives” is removed).
- CCPA: Derives 50% or more of its annual revenues from selling consumers' personal information.
- Amended in CPRA: Derives 50% or more of its annual revenues from selling, or sharing consumers' personal information. (Note: “sharing” is added).
Related Article: What Marketers Need to Know About the California Privacy Rights Act
Label Your Data
If your business has already prepared for the CCPA, you should have a good sense of what data your business is collecting and processing that could be tied back to an individual, household or device. That’s “personal information” under the CCPA, according to Yashina Burns, director of data privacy & legal affairs at DeepIntent, which offers marketing and advertising technology.
However, she added, the CPRA provides consumers with additional protection for data classified as “sensitive personal information,” which includes a person’s social security, passport number, financial information, precise geolocation, race or ethnic origin, religious or philosophical beliefs, genetic data and personal communications not intended for the business. See CPRA Section 1798.140(ae)).
“One significant right the user has is the ability to limit a business’ use of this sensitive personal information,” Burns said. “This means that you’ll want to label sensitive personal information so that your business can distinguish between sensitive personal information and non-sensitive personal information.” This allows businesses to better navigate between implementing a CCPA opt-out request versus a request to limit use of sensitive personal information.
“For those businesses that have already labeled out personal information, your business can simply focus on weeding out the sensitive personal information from the rest of the bunch,” Burns added. Even better, she said, if you have dealt with the European Union’s General Data Protection Regulation, you’ve likely already identified most, if not all, of the sensitive personal information your business collects.
Revisit Your Contracts
The CPRA includes a shift in businesses’ liability for violations of the law by "third-party" businesses and new contractual obligations regarding relationships with these third parties, according to Lisa Sotto, partner with the law firm Hunton, Andrews and Kurth. Third parties, according to CPRA, are not the business with whom the consumer intentionally interacts and that collects personal information from the consumer; a service provider to the business; or a contractor. Companies will need to inventory their contractors and certain third parties and enter into appropriate contracts with them, she said.
If your company engages in any advertising — whether as an advertiser, publisher, or a technology company — you may need to update your business agreements, according to Burns. For better or for worse, what was once a question mark for most businesses is now crystal clear in the CPRA: sharing personal information for purposes of “cross-contextual behavioral advertising” is subject to opt-out requests. See CPRA Section 1798.140(ah)).
This covers most activity related to digital advertising, which requires targeting users based on activity “across businesses, distinctly-branded websites, applications or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts,” Burns noted. See CPRA Section 1798.140(k)).
“While some businesses may already include, as part of an opt-out request, personal information received or shared for purposes of cross-contextual advertising, many have been able to avoid this requirement by treating certain partners as ‘service providers’ as defined by CCPA,” Burns said. “However, the CPRA removes this option by making clear that such partners do not count as a service provider.” See CPRA Section 1798.140(e)(6)).
Review existing contracts or draft new ones to re-classify relevant partners and make sure both their business and business partners can perform services as intended. This might mean, Burns said, removing limitations on data use to avoid unnecessary restrictions on data or adding new requirements to better protect certain data.
Related Article: California's CPRA: It's Time to Cut Ties with Old Data
Take Note of B2B, HR Data Regulations
The CCPA exempted employee and B2B communications from having the same personal data rights granted to California consumers until Jan. 1 of this year. But CPRA extends that exemption to Jan. 1, 2023.
The biggest pain point for most organizations will be getting a compliance program in place for HR and B2B data, according to Sotto. Most businesses had put HR and B2B data on the backburner, she added, but now they will need to dust off their CCPA compliance programs to tailor them to include HR and B2B data and also layer the new CPRA requirements on top of the existing obligations.
Prepare for Work Updating Privacy Notices, Policies
Companies will need to review most aspects of their CCPA compliance programs and make changes around the edges to comply with the CPRA’s new requirements, Sotto said. For instance, privacy notices will require new language, and new rights will need to be accommodated, such as the right of correction, and contracts with service providers will need to be revisited, she added.
"Brands need to sit down to review and refresh the terms and conditions they share with customers when they give permission to store and process their data," said Steve Zisk, senior product marketing manager at Redpoint Global, a Customer Data Platform (CDP). "Not only that but they must also ensure that a retention policy is adhered to, as with CRPA being enforceable, businesses have a new risk of non-compliance when keeping data too long. The data cannot be kept for just any 'business purpose,' only those purposes disclosed when the data was collected."
Related Article: A Look at Marketing's Biggest Data Challenges of the 2020s
Audit and Categorize Your Consumer Data Inventory
According to Rob Shavell, CEO and co-founder of Abine, which offers online privacy protections for consumers, key requirements of CPRA ultimately require:
- Knowing what data you’re collecting about individuals.
- How it is being used.
- Being able to report on it, or delete it on request.
“These may sound like simple things, but in practice, often aren’t,” Shavell said. “Not everyone currently has capabilities or transparency to quickly identify their inventory of consumer personal data, much less quickly and easily delete it from every location.”
Companies will need to identify data sources, where data is being kept, how it is being used internally and by whom. And make sure it is universally categorized in the event it needs to be retrieved and/or removed. This, Shavell added, may require front-to-back audits of sales and marketing processes. “Better-categorizing of user data will make meeting demands for data reporting, or deletion, far easier and less costly when it comes time to respond to those requests,” he said.
This same process will need to apply to information from third-party vendors that provide personal data on your behalf, according to Shavell. Communicating with vendors and partners to see what processes they’re using, and what kinds of data-tagging and categorization process they’re adopting will help make operations more consistent.
Look for Opportunities for Data Minimization
Rather than wait for regulations to apply to your existing process structure, and then “fix” them, look at how your business processes currently work and see if there are opportunities where you can accomplish the same tasks with less user data, Shavell said. After all, there is a push toward first-party data marketing strategies and the pending death of web-tracking cookies.
CPRA bars businesses from collecting more personal information than “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” CPRA also requires that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.
“Considered together,” Shavell said, “these requirements mean that companies will need to carefully evaluate exactly what pieces of data they collect and for what purpose. You can likely save costs of removing/tracking information by simply ceasing to collect it to begin with.”