Against the new year’s noisy backdrop of fireworks, cheering crowds, ringing bells, and clinking glasses, the California Privacy Rights Act (CPRA) almost “quietly” took effect on January 1, 2023. In the weeks to come, however, there will be a good amount of noise made about the CPRA as businesses scramble to make sure they’re in compliance with the newest and potentially broadest of the state-level data privacy laws.
If the CPRA feels vaguely familiar, it should: it amends and expands the earlier CCPA (California Consumer Privacy Act) rather than replacing it outright, and like the CCPA it borrows heavily from the European GDPR (General Data Protection Regulation). Though similar to its predecessors, the CPRA draws some new and important distinctions around how personal data is collected, shared, and stored that will have a major impact on thousands of businesses worldwide this year.
First, a disclaimer: the CPRA doesn’t apply to every business, only to for-profit businesses doing business in California that meet at least one of three thresholds: more than $25 million in gross annual revenue in the preceding calendar year; buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year; or deriving 50 percent or more of annual revenue from selling or sharing personal information. And, perhaps obviously, it only protects the personal information of California residents, although a business does not have to be located in California to be covered. Still, other states are closely watching California’s data privacy regulations, and it may not be long before they follow suit.
Broader definitions and bigger fines
The CPRA gives special treatment to the collection, dissemination, and privacy of what it defines as “sensitive personal information.” In this category, you’ll find the usual suspects (government identifiers such as social security, passport, and driver’s license numbers; financial account and credit card numbers together with the credentials that allow access to them) as well as less traditional data points such as a user’s precise geolocation, genetic and biometric data, health information, racial or ethnic origin, and even religious or philosophical beliefs. Consumers also get a new right to limit how a business uses and discloses this category of data. Clearly, the CPRA features a heightened sensitivity where personal data is concerned, which is one reason why marketers need to acquaint themselves with the new definitions and regulations.
Civil penalties for non-compliance with the CPRA, which will be enforced by the newly created California Privacy Protection Agency (CPPA, not to be confused with the CCPA, the law it enforces) alongside the Attorney General, run up to $2,500 per violation, or up to $7,500 per violation when the violation is intentional or involves the personal information of consumers under 16. Agency enforcement begins July 1, 2023. Separately, consumers whose non-encrypted, non-redacted personal information is exposed in a breach caused by a business’s failure to implement and maintain reasonable security can sue directly for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. When you consider that data breaches frequently involve the exposure of tens of thousands of records, the cost of non-compliance with the CPRA can have devastating financial implications for a business.
Better communication with consumers
It is the business, and in practice often its marketing team, that must tell consumers what data it collects, why, and what rights they have over it. Beyond broader definitions and bigger fines, the CPRA gives California consumers the right to control how their data is collected and shared, with specific mechanisms for exercising those choices. For example, California consumers can opt out of having their data sold or “shared,” a term the CPRA defines to cover disclosure for cross-context behavioral advertising, that is, targeted marketing based on a consumer’s activity across other sites and services. Those options need to be clearly marked on websites and other marketing collateral (the statute calls for a “Do Not Sell or Share My Personal Information” link), and under the CPPA’s regulations a business must also honor opt-out preference signals such as Global Privacy Control sent by the consumer’s browser, so that consumers can quickly and easily change their privacy settings. This transparency goes a long way in reassuring consumers that their data is handled with care, which helps in building trust and brand loyalty in the long run.
The CPRA also seeks to limit how much data is collected, as part of its data minimization requirements: a business’s collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which it was collected, and those purposes must be disclosed at or before the point of collection. Whether a purpose is justifiable depends on the relationship between the company and the consumer, the collection method, the type of data being collected, and so on. Finally, there are new rules on collecting data from underage consumers: a business may not sell or share the personal information of a consumer it knows is under 16 without opt-in consent, given by the child for ages 13 to 15 and by a parent or guardian for children under 13, and the regulations describe methods a business can use to verify that the person giving consent is in fact the parent or guardian.
Next steps for marketers
There are several clear actions for marketing teams to take in response to the CPRA. First, they need to make sure they can justify the purpose of every data element they collect, and disclose that purpose up front. Second, they need to equip websites and other marketing channels with clearly marked options through which California consumers can opt out of the sale or sharing of their data, limit the use of their sensitive personal information, and control how their data is collected and shared; where consent is required, as with minors, it must be opt-in. Third, marketing teams will need to connect consumer data across channels so that a consumer’s privacy choices can be applied across all devices and browsers the consumer uses. One of the important stipulations of the CPRA’s regulations is that an opt-out request, including one made through a browser preference signal, must be applied not only to that browser or device but also to any consumer profile the business knows is linked to it, so that consumers can choose once and have that choice honored across their experiences with the company.
Although this is more of a to-do for security teams, marketers also need to work with IT and security departments to ensure that consumer data is stored and protected with the “reasonable security” the CPRA requires, since it is the absence of reasonable security that exposes a business to consumer lawsuits after a breach. Beyond the regulatory penalties of a data breach, companies can lose brand value and customer loyalty if data is exposed. A final takeaway from all this is that privacy isn’t just a California phenomenon. Like the GDPR before it, the CPRA is a response to the growing interest from consumers in how their data is collected, managed, applied, and shared. The rules of data-based marketing, from data privacy to third-party cookie collection, are clearly changing.
At Factoreal, we’re keeping up with those changes through features that help you stay compliant, whether you’re a $25+ million business or on your way to becoming one. Talk to us to know more.