releasing paper lanterns into the air
PHOTO: Idanupong

California has made history once again. In early November, California voters approved a ballot initiative known as Proposition 24, which enacted the California Privacy Rights Act (CPRA). In an attempt to further increase the protection of consumer data, the Golden State has gone beyond any other state to create an omnibus privacy regulation.

The newly passed CPRA amends the already enforced California Consumer Privacy Act (CCPA) of 2018. For businesses that have just implemented CCPA compliance programs this year, including the recent modifications to the CCPA regulations, the prospect of having to address CPRA requirements seems a daunting task. Fortunately, they don’t have to worry about meeting the requirements right away — most of the amendments will come into effect on Jan. 1, 2023. However there are requirements businesses should start considering sooner than later.

The CPRA: Going the Extra Mile

The CPRA expands the CCPA by granting consumers new rights that don’t exist under the current law. Consumers will have the right to limit the use and disclosure of sensitive personal information (such as race, ethnicity, religion, geolocation, health and biometric information), and the right to require businesses to correct inaccurate personal information.  

Additionally, the CPRA establishes a new privacy enforcement agency called the California Privacy Protection Agency. The first of its kind in the US, this agency will be responsible for rule making and enforcement, with rule making activities expected to begin in 2021.

The CPRA also modifies existing CCPA rights, such as updating the Do Not Sell requirements of CCPA to include “Do Not Sell or Share My Personal Information” and expanding the disclosures that businesses must make in their privacy notices. 

Related Article: We're All Stuck in the Privacy and Brand Safety Tangle

Out With the Old, in With a View

Included in the list of new and expanded requirements is one that marketers and customer experience (CX) professionals may overlook — the requirement to minimize data collection and retention. As I’ve discussed before, this act is likely to pique the interest of EU data privacy regulators and for good reason. The CPRA has incorporated GDPR-style data retention and transparency obligations.

Per SEC. 4. 1798.100, businesses will need to inform consumers, at or before the point of collection, about the “length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period.”

So, why can’t organizations just tell consumers they will retain their personal information for 50 years and keep everything? Unfortunately, it’s not that simple. The CPRA now requires that businesses “not retain a consumer’s personal information or sensitive personal information” for longer than “is reasonably necessary for that disclosed purpose.”

Indiscriminate collection and indefinite retention were always questionable practices when it came to protecting the privacy rights of consumers, and the CPRA will effectively make such practices illegal once it enters into force.

Concerned that your CX program will suffer due to these obligations? Fear not.

Related Article: What Marketers Need to Know About the California Privacy Rights Act

The Benefits of Quality Over Quantity

As seen in 2020, gathering customer feedback to improve CX has become a top priority for most organizations. But focusing only on collecting large quantities of data instead of quality insights is not ideal. The concept of data minimization has been a core tenet of good privacy practice for decades. While the benefits to consumers are obvious, there are also benefits to businesses:

  • Managing large volumes of consumer access, amendment, deletion and Do Not Sell or Share requests is a mammoth task. If you make a mistake, the potential cost can be significant. Why take on that obligation and associated risk for data that no longer achieves a specific, defined purpose? Reducing the amount of unnecessary data you hold will limit your liability only to that data which is providing you (and your customers) real value.
  • Collecting only the minimum amount of data required for a specified purpose and deleting old, useless data, limits liability as you have less to protect. Should a data breach occur, fewer records will be impacted.
  • Relying primarily on active, first party data and regularly removing inactive data from email lists will increase deliverability. Marketers with robust email programs are familiar with this. The CPRA provides yet another excuse to trim the fat and optimize your campaigns.
  • Handling data transparently and responsibly will build trust with consumers, resulting in greater brand loyalty. Using an insight community is a great way to gain quality customer feedback to help determine their handling preferences, leading to an improved customer experience.

Related Article: Privacy by Design Is About to Become Law: Is Your Organization Ready?

Looking Ahead

While we wait for the CPRA to come into force in 2023, we can expect further proposals and commentary on the regulations, which are expected to be finalized in 2022. For now, businesses should start updating their data collection and deletion practices to ensure a smooth transition.