Editor's Note: The article was updated to clarify key compliance dates and law application of the CPRA.
Remember CCPA? Now give it an adrenaline shot.
Californian consumers now have more personal data protection rights than ever before. The state this month passed Proposition 24, or the California Privacy Rights Act (CPRA), which amends provisions and strengthens enforcement of the California Consumer Privacy Act (CCPA). Civil and administrative enforcement of the provisions added or amended in CPRA will not begin until July 1, 2023. However, there are other key dates to know well before that. More on that in a moment.
The first thing marketers need to know? California strengthened its opt-out clauses to move from a “no selling” to a “no sharing” approach to data privacy, giving consumers more control over how their data is shared and used, according to Charles Farina, head of innovation at Adswerve, a digital marketing analytics consultancy.
The second thing marketers need to know? You’re more than ever on the hook for compliance because the CPRA triples maximum penalties for violations concerning consumers under age 16 and establishes a California Privacy Protection Agency to enforce and implement consumer privacy laws and impose administrative fines.
“This just isn't something that's going to be going away,” said Heidi Bullock, chief marketing officer for Customer Data Platform provider Tealium. “And then you have everything that's happening with third-party cookies as well. We're really entering into a new stage of how we're going to have to market. What's interesting is it's not just for people that are marketing to consumers. Some B2B marketers may say they don’t have to worry about this. But the people in a way have spoken. They want to have their privacy upheld.”
Key CPRA Dates to Know
While enforcement of the CPRA cannot take effect until July 1, 2023, that doesn't mean you should ignore the regulations until then. Here are some key dates to recognize:
- December 2020: The earliest point at which the CPRA could become effective. It takes effect five days after the Secretary of State “files the statement of the vote for the election,” according to California law. That could happen as early as this December, according to the nonprofit Future of Privacy Forum.
- July 1, 2021: When the new California Privacy Protection Agency can exercise its rulemaking authority. Alternatively, rulemaking could begin six months after the agency notifies the Attorney General that it is prepared to begin rulemaking.
- July 1, 2022: Timeline for adopting final regulations required by the CPRA.
- Jan. 1, 2023: When the CPRA becomes operative. However, a consumer's right of access to their data applies to personal information collected by a business on or after Jan. 1, 2022.
- July 1, 2023: When CPRA enforcement can begin.
One note on "operative" vs. "effective" dates. An earlier opinion by the California Attorney General distinguished the two: the operative date is the date upon which the directives of a statute may actually be implemented, while the effective date is the date upon which a statute comes into being as an existing law.
To Whom Does the Law Apply?
CPRA amended some of the CCPA’s “who’s on the hook for this law?” thresholds. Businesses that collect data on prospects or customers who are California citizens AND satisfy one or more of the following amended CPRA thresholds are on the hook for compliance:
- CCPA: Has annual gross revenues in excess of $25 million.
- Amended in CPRA: As of Jan. 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year.
- CCPA: Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.
- Amended in CPRA: Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. (Note: 50,000 climbed to 100,000, "devices" is dropped and the word “receives” is removed.)
- CCPA: Derives 50% or more of its annual revenues from selling consumers' personal information.
- Amended in CPRA: Derives 50% or more of its annual revenues from selling or sharing consumers' personal information. (Note: “sharing” is added.)
Kristina Podnar, digital policy and privacy consultant, said that by removing the word “receives” from this threshold, the California legislature let a large number of small- and medium-sized businesses off the hook from having to adhere to the expanded data privacy regulation.
And remember, as Podnar notes: “Just because you are headquartered in New York and don’t have an office in California, you are not exempt. If you have prospects or customers in California, you are doing business there.” The regulation covers collection of data on California residents, whether they are prospects or customers. Interestingly enough, Podnar added, much like Brazil’s new data privacy law, that extends to residents who may at the time be outside of the state.
A key thing to note is the definition of personal information, according to K Royal, associate general counsel at TrustArc. It is defined as information on consumers or households, where consumer is defined as a California resident and household is defined as consumers living at the same address and sharing devices or services.
Joint Ventures, Partnerships Could Now Be on the Hook
CPRA also expands its reach by including joint ventures and partnerships where each business has at least a 40% interest in what’s considered a single business, according to Podnar. She cited Celsius Joint Venture as an example: a joint venture of four different companies that together operate in the electrical, plumbing and hardware industry, targeting mainly wholesalers but also holding commercial accounts.
“You will see joint ventures and partnerships between nonprofits and educational institutions, or even nonprofits, associations and their for-profit entities which are treated as separate entities for IRS tax purposes but will become subject to CPRA,” Podnar said.
Do Employees, B2B Communications Have Same Rights as Consumers?
Yes. But not yet. The CCPA exempted employee and B2B communications from having the same personal data rights granted to California consumers until Jan. 1, 2021. But CPRA extends that exemption to Jan. 1, 2023.
So businesses have two more years to iron out how to handle requests from employees or those involved in B2B communications with their business. “The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses,” according to the law.
Selling Extends to Sharing
A quick reminder about the application of the law. CCPA, at its core, gives California consumers the right to:
- Learn what information a business has collected about them.
- Have the business delete their personal information.
- Stop businesses from selling their personal information, including using it to target them with ads that follow them as they browse the internet.
- Hold businesses accountable if they do not take reasonable steps to safeguard their personal information.
Why do we care so much about California? It's the fifth largest economy in the world, for starters.
But why the need for CPRA to beef things up? Wasn't CCPA strong enough?
No, says the Golden State. Under CCPA, consumers had the right to opt out of having their personal data sold to third parties. Many publishers and adtech vendors, however, found loopholes. They said, “We’re not selling data, we are sharing it,” according to Luke Taylor, COO and founder at advertising technology company TrafficGuard.
“In the case of some that were selling data, they could preclude themselves from the law’s reach under its ‘service providers’ exemption,” Taylor said. “So when CCPA was initially launched, consumers got bugged with opt-out notifications as they surfed the web but not a whole lot was happening if/when they decided to opt out.”
Following Proposition 24, that will change, Taylor said, because consumers now have the ability to opt out of the sharing of their data, as well as the sale. Businesses providing targeted advertising will no longer be exempt from the opt-out under the service providers exemption. Sharing means disclosing, making available or communicating in any manner with a third party for behavioral advertising, regardless of whether money is exchanged, according to Podnar.
“The days of targeting users for advertising based on their behavior and information shared across sites are numbered,” Taylor said. “This is another nail in that coffin. This will impact the effectiveness of programmatic advertising. It will also impact the sharing of data from publishers to Google and Facebook within their advertising networks.”
What does "sharing" mean, according to the CPRA regulation? Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally a consumer's personal information to a third party for cross-context behavioral advertising. This includes transactions between a business and a third party for cross-context behavioral advertising.
Adding the concept of sharing carries a real impact, according to Royal. The new definition of sharing was created to address cross-context behavioral advertising, she said.
"Under the CCPA, there was a debate about advertising technology and whether it fell under the definition of 'selling,'" Royal said. "With 'sharing,' much of this debate is immaterial and adtech companies are, more likely than not, subject to the CPRA. The 'in combination' aspect is expansive as well, as it may indicate that the level of involvement, however minor, may still make a business subject to the law."
Cybersecurity Audits, Risk Assessments
Businesses have some work to do as far as audits and risk assessments per the CPRA. Businesses whose processing of consumer personal information presents a significant risk to Californian consumers under CPRA must:
- Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.
- Submit to the newly established California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information. This includes whether the processing involves sensitive personal information. They also must identify and weigh the benefits resulting from the processing to the business, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer.
“You're actually adding explicit security provisions, which includes doing an annual security audit and submitting that audit to the brand-new consumer privacy protection agency. I mean, that is huge,” said Royal.
Also, remember that whole avoiding-enforcement thing under CCPA, where a business could remedy a curable violation within 30 days of being notified? CPRA eliminates this. "Instead, it allows a 30-day cure period only in relation to preventing statutory damages (not pecuniary damages) as part of a data breach-related private right of action. The law also confirms that implementing reasonable security measures following a breach will not constitute a business’s cure with respect to that breach," according to The National Law Review.
Contractual Obligations Regarding Third Parties
Royal also noted the shift in businesses’ liability for violations of the law by "third-party" businesses and new contractual obligations regarding relationships with these third parties. Third parties, according to CPRA, are not the business with whom the consumer intentionally interacts and that collects personal information from the consumer; a service provider to the business; or a contractor.
“The CCPA itself put in some very strong contractual provisions that you have to have in place, and the CPRA builds out from there,” Royal said. “But yes, it absolutely builds in greater liabilities, and you need to make sure that you do your proper due diligence [with third parties], and that's a challenge for a lot of companies.”
Specifically, a business that collects a consumer's personal information and sells or shares that personal information with a third party needs to enter into an agreement that:
- Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
- Obligates the third party, service provider, or contractor to comply with applicable obligations.
- Grants the business the right to take reasonable and appropriate steps to help ensure that the third party, service provider or contractor uses the personal information transferred in a manner consistent with the business' obligations.
- Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations.
Argument for Having First-Party Data Strategy
All the new rules regarding third parties extend the argument for having a first-party data strategy, according to Bullock. It's something Gartner argues, too.
"We all know this is a good thing anyway,” Bullock said. “As these regulations are getting passed, we need to take privacy seriously, but it's actually forcing marketers to actually do better marketing. I don't think it's a bad thing. And you actually own that data, too, in a way."
Do people actually want to receive your newsletter? Or your SMS messages? "As a marketer you need to do a better job of creating stuff that people actually want," Bullock said. "... If people sign up for it, they're asking and you're getting that data. Then we can do better personalization and create better experiences, which at the end of the day, you're going to see better results."
Controlling Your Data at the Core
The first thing for brands and marketers to note when complying with privacy standards is taking back ownership of your data, according to Joe Gaska, CEO and founder of GRAX, a data value platform. Have control of your data, and don’t let vendors take control.
"It's about making sure that you have control as a business, and making sure that the people that you're doing partnerships with ... they're not taking ownership of your data," Gaska said. "What really happens [with some vendors] is they're taking all of your data and locking it away in a storage that is physically owned by somebody else."
Federal Privacy Law Coming Next in Biden Administration?
Will the US federal government follow suit and create its own GDPR? Maybe. A new administration begins under Joe Biden in January.
Stanley Huang, CTO and co-founder at Moxtra, a customer collaboration platform, noted the GDPR focuses on opt-in, with no data sharing or selling. He expects a federal level of compliance to be defined soon in the United States and for it to be a more restricted policy than what we’re seeing put in place in California.
"The federal measure will likely look like a hybrid of the CPRA and GDPR," Huang said. "Data sharing is a critical part of compliance, so that’ll be key to be incorporated. As well as an 'opt-out' rather than 'opt-in' clause will be more highly considered since the US culture is built upon promoting innovation which is fueled in many ways by data insights. Though, it wouldn't surprise me if certain types of sensitive personal data were defined as 'opt-in' like religious affiliation and sexual orientation. The federal version of this privacy law may follow GDPR in the way of protecting the 'data subject' outside of specific geographic locations like the CPRA is limited to."