Remember CCPA? Now give it an adrenaline shot.
Californian consumers now have more personal data protection rights than ever before. California voters this month approved Proposition 24, the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA) and strengthens its enforcement. It takes effect Jan. 1, 2023.
The first thing marketers need to know? California strengthened its opt-out clauses to move from a “no selling” to a “no sharing” approach to data privacy, giving consumers more control over how their data is shared and used, according to Charles Farina, head of innovation at Adswerve, a digital marketing analytics consultancy.
The second thing marketers need to know? You’re more than ever on the hook for compliance because the CPRA triples maximum penalties for violations concerning consumers under age 16 and establishes a California Privacy Protection Agency to enforce and implement consumer privacy laws and impose administrative fines.
“This just isn’t something that’s going to be going away,” said Heidi Bullock, chief marketing officer for Customer Data Platform provider Tealium. “And then you have everything that’s happening with third party cookies as well. We’re really entering into a new stage of how we’re going to have to market. What’s interesting is it’s not just for people that are marketing to consumers. Some B2B marketers may say they don’t have to worry about this. But the people in a way have spoken. They want to have their privacy upheld.”
Selling Extends to Sharing
A quick reminder about the scope of the law: both the CCPA and the CPRA protect Californian consumers. The CCPA, at its core, gives California consumers the right to:
- Learn what information a business has collected about them.
- Have the business delete their personal information.
- Stop businesses from selling their personal information, including using it to target them with ads that follow them as they browse the internet.
- Hold businesses accountable if they do not take reasonable steps to safeguard their personal information.
Why do we care so much about California? It’s the fifth largest economy in the world, for starters.
But why the need for the CPRA to beef things up? Wasn’t the CCPA strong enough?
No, says the Golden State. Under CCPA, consumers had the right to opt out of having their personal data sold to third parties. Many publishers and adtech vendors, however, found loopholes. They said, “We’re not selling data, we are sharing it,” according to Luke Taylor, COO and founder at advertising technology company TrafficGuard.
“In the case of some that were selling data, they could preclude themselves from the law’s reach under its ‘service providers’ exemption,” Taylor said. “So when CCPA was initially launched, consumers got bugged with opt-out notifications as they surfed the web but not a whole lot was happening if/when they decided to opt out.”
Following Proposition 24, that will change, Taylor said, because consumers now have the ability to opt out of the sharing of their data, as well as the sale. Businesses providing targeted advertising will no longer be exempt from the opt-out under the service providers exemption.
“The days of targeting users for advertising based on their behavior and information shared across sites are numbered,” Taylor said. “This is another nail in that coffin. This will impact the effectiveness of programmatic advertising. It will also impact the sharing of data from publishers to Google and Facebook within their advertising networks.”
What does “sharing” mean under the CPRA’s text? Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. This includes transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Cybersecurity Audits, Risk Assessments
Businesses have work to do on audits and risk assessments under the CPRA. Businesses whose processing of consumer personal information presents a significant risk to consumers’ privacy or security must, under regulations the CPRA directs the new agency to issue:
- Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent.
- Submit a risk assessment of their processing of personal information to the newly established California Privacy Protection Agency on a regular basis. The assessment must state whether the processing involves sensitive personal information, and it must identify and weigh the benefits of the processing to the business, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer.
“You’re actually adding explicit security provisions, which includes doing an annual security audit and submitting that audit to the brand-new consumer privacy protection agency. I mean, that is huge,” said K Royal, associate general counsel at TrustArc.
Also, remember that whole avoiding-enforcement thing under the CCPA, where your business could sidestep enforcement by remedying a curable violation within 30 days of being notified? The CPRA eliminates this. “Instead, it allows a 30-day cure period only in relation to preventing statutory damages (not pecuniary damages) as part of a data breach-related private right of action. The law also confirms that implementing reasonable security measures following a breach will not constitute a business’s cure with respect to that breach,” according to The National Law Review.
Contractual Obligations Regarding Third Parties
Royal also noted the shift in businesses’ liability for violations of the law by “third-party” businesses and new contractual obligations regarding relationships with these third parties. A third party, under the CPRA, is anyone who is not the business with which the consumer intentionally interacts and that collects personal information from the consumer as part of that interaction, a service provider to the business, or a contractor.
“The CCPA itself put in some very strong contractual provisions that you have to have in place, and the CPRA builds out from there,” Royal said. “But yes, it absolutely builds in greater liabilities, and you need to make sure that you do your proper due diligence [with third parties], and that’s a challenge for a lot of companies.”
Specifically, a business that collects a consumer’s personal information and sells or shares it with a third party, or discloses it to a service provider or contractor for a business purpose, needs to enter into an agreement that:
- Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
- Obligates the third party, service provider, or contractor to comply with applicable obligations.
- Grants the business the right to take reasonable and appropriate steps to help ensure that the third party, service provider or contractor uses the personal information transferred in a manner consistent with the business’s obligations.
- Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations.
Argument for Having First-Party Data Strategy
All the new rules governing third parties extend the argument for having a first-party data strategy, according to Bullock. It’s something Gartner argues, too.
“We all know this is a good thing anyway,” Bullock said. “As these regulations are getting passed, we need to take privacy seriously, but it’s actually forcing marketers to actually do better marketing. I don’t think it’s a bad thing. And you actually own that data, too, in a way.”
Do people actually want to receive your newsletter? Or your SMS messages? “As a marketer you need to do a better job of creating stuff that people actually want,” Bullock said. “… If people sign up for it, they’re asking and you’re getting that data. Then we can do better personalization and create better experiences, which at the end of the day, you’re going to see better results.”
Controlling Your Data at the Core
The first thing for brands and marketers to note when complying with privacy standards is taking back ownership of your data, according to Joe Gaska, CEO and founder of GRAX, a data value platform. Have control of your data, and don’t let vendors take control.
“It’s about making sure that you have control as a business, and making sure that the people that you’re doing partnerships with … they’re not taking ownership of your data,” Gaska said. “What really happens [with some vendors] is they’re taking all of your data and locking it away in a storage that is physically owned by somebody else.”
Federal Privacy Law Coming Next in Biden Administration?
Will the US federal government follow suit and create its own GDPR? Maybe. A new administration begins under Joe Biden in January.
Stanley Huang, CTO and co-founder at Moxtra, a customer collaboration platform, noted the GDPR focuses on opt-in, with no data sharing or selling. He expects a federal level of compliance to be defined soon in the United States and for it to be a more restricted policy than what we’re seeing put in place in California.
“The federal measure will likely look like a hybrid of the CPRA and GDPR,” Huang said. “Data sharing is a critical part of compliance, so that’ll be key to be incorporated. As well as an ‘opt-out’ rather than ‘opt-in’ clause will be more highly considered since the US culture is built upon promoting innovation which is fueled in many ways by data insights. Though, it wouldn’t surprise me if certain types of sensitive personal data were defined as ‘opt-in’ like religious affiliation and sexual orientation. The federal version of this privacy law may follow GDPR in the way of protecting the ‘data subject’ outside of specific geographic locations like the CPRA is limited to.”