The California Privacy Rights Act (CPRA) was passed in November 2020, providing updates and clarifications to the California Consumer Protection Act (CCPA) which is currently in effect. While many of us are preoccupied with preparations for the elimination of the third-party cookie, it is important to not lose sight of the implications of these regulatory changes as well. The CPRA introduces a number of new requirements that will have a significant impact on marketing and advertising once the changes go into effect in 2023.
Let’s explore the most impactful changes for marketing and advertising, as well as how you can begin preparing to thrive in the new privacy-focused environment.
Before we get started, when does the CPRA go into effect?
Similar to the rollout of the CCPA, there are two important dates to keep in mind. The new regulation goes into effect on January 1, 2023 and becomes enforceable on July 1, 2023. User access and deletion requirements do apply to personal information collected in the past 12 months, so you need to have the structures for compliance in place by mid-2022 at the latest.
Top 5 Major Impacts for Marketing & Advertising
Expanded Consumer Rights
The CCPA introduced five core rights to Californians with respect to their personal information:
- The right to know what personal information is being collected about them.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to equal service and price, even if they exercise their privacy rights.
The CPRA expands on these rights in two primary ways: by extending the right of opt-out to the sharing as well as the selling of personal information, and by granting users the right to data correction.
Under the current law, users have the ability to opt out of the sale of their personal information. From a marketing and advertising perspective, many of the typical operations for a brand are not impacted by these opt-out requests. These typical operations include collecting personal information from a unique identifier and then activating that identifier to target users via ad networks across the web. This changes with the new ability for users to opt out of the sharing of their personal information.
How Does the CPRA Define Sharing?
“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (1798.140.ah)
Put simply, a user will have the right to opt out of any advertising activity. This brings the California model closer to the European standards in the General Data Protection Regulation (GDPR) and will have massive implications for marketers and advertisers. When a user opts out, an organization will still be able to collect the user’s personal information and use it for purposes of measurement and analytics, but will not be able to activate that data for targeting and advertising.
The second new right granted to Californians is the right to have their information corrected in the event of inaccuracy. The impact here for businesses is more operational. Organizations should already be identifying data and platforms in scope and have methods for accessing the user’s information to comply with CCPA requirements. To meet this new requirement, you will need to ensure you have a way of modifying and updating the data (in case a user requests an update) in order to keep the data accurate. The key is to maintain information in a structured and organized way across all of your internal systems. That first-party data cleanup initiative you’ve put off for years? It’s time to prioritize it.
Data Retention
The CPRA calls out concepts for intentional data collection and processing in the updated “General Duties of Businesses that Collect Personal Information”:
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes. (1798.100.c)
This legally requires a business to be strategic and properly plan the collection, use, and retention of any personal information. Gone are the days of “collect everything and figure out how to get value from it later”. While this has always been a poor practice, strategic data collection and use is no longer just a best practice, but also a legal requirement.
For marketing and advertising teams, this means you are required to have a strategy in place that defines what data is absolutely necessary to reach your business goals. All data needs to be minimized (only necessary data collected and processed) and it should have proper protections in place.
New Enforcement Agency
Regulations are simply written rules until they are enforced. One of the complaints from privacy professionals about the CCPA is that enforcement falls to the California State Attorney General. There are no teeth with which to broadly inspire adherence to the new regulations. This concern is addressed with the establishment of the California Privacy Protection Agency.
This Agency, created by the CPRA, is led by a five-person board charged with enforcing and bringing actions against organizations for violations of the new privacy requirements. It was initially funded with a 5 million dollar contribution from the California General Fund, which will grow to an annual 10 million dollar contribution in the future. Funding for the agency and its operations will also come from administrative fines imposed for violations of the law.
In the coming months and years, we can expect to see far more regulations stipulated by this new board and agency. Additionally, there could be an acceleration of actions brought against companies violating user rights as granted in CPRA.
Audits and Risk Assessments
The California Privacy Protection Agency is charged with defining and conducting regular audits and risk assessments. The CPRA creates a requirement for any organization handling personal information that could pose a significant risk to consumers to submit a risk assessment for personal information processed to the agency. The specifics for the risk assessment are to be defined in the next couple of years.
While it is still too soon to know exactly what needs to be assessed, we can take a number of hints from the Balance and Necessity Tests required under GDPR for using Legitimate Interest as a lawful basis for processing of personal data. With these tests, an organization must first prove that the processing of the personal data in question is necessary for the business to accomplish the defined and disclosed purposes for that processing (Necessity Test). This aligns with the previously mentioned requirements for data minimization. In addition, a business must conduct an analysis to prove that the value derived from the processing activity in question outweighs the risk to the consumer’s privacy (Balance Test).
Taking clues from these GDPR concepts, we can assume that the data submitted for the risk assessments will need to be exhaustive of all personal information being processed. It is imperative to begin documenting all personal information collected and how it is used, and to ensure proper protections are in place. These considerations and strategic concepts must be embedded at the planning stage in any marketing and advertising initiatives moving forward.
Automated Decision-Making and Profiling
Another regulation the California Privacy Protection Agency is tasked with creating concerns automated decision-making and profiling. From the CPRA text:
“Issuing regulations governing access and opt-out rights with respect to businesses’ use of automated decision making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in those decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.” (1798.185.a(16))
Also from the CPRA text, the definition of Profiling:
“‘Profiling’ means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” (1798.140(z))
Any kind of analysis conducted to infer user preferences—a core function of marketing and advertising data activities—will have specific restrictions. It’s likely these restrictions will simply be a continuation of the rights already guaranteed to users and require explicit disclosure and opt-out abilities. What’s important is to identify platforms in use that are employing automated decision-making (and/or profiling) and be able to properly meet the requirements as outlined in the regulations. Businesses need to gain the visibility necessary to act and put a plan in place; the time you will have to get that plan operational will be limited with the new law taking effect in January 2023.
The pace of new privacy regulations is accelerating across the globe. The CPRA is yet another example of this. Not only are more jurisdictions applying protections, but those protections are becoming more and more restrictive. In order to survive and thrive in this new environment, you must start now by considering privacy in all planning and design discussions for marketing and advertising initiatives.