California Passes Proposition 24 CPRA (California Privacy Rights Act): What You Need to Know
On the ballot this November was California’s Proposition 24 – the next iteration of the California Consumer Privacy Act (CCPA), named the California Privacy Rights Act (CPRA). With a 58.4% majority, California voted to approve this Act. Clearly, people care about their private information.
The Consumer Privacy Landscape
Consumer data privacy laws vary by State and Country, but the key, most stringent, and impactful regulations are as follows:
HIPAA – Health Insurance Portability and Accountability Act
Specific to healthcare and healthcare insurance industries, the Health Insurance Portability and Accountability Act (HIPAA) went into effect in 1996. The intent of this act is to keep patients’ medical information safe. This is a Federal law in America and supersedes any conflicts in State laws. For more information, check out this Healthcare Analytics and HIPAA whitepaper.
GDPR – General Data Protection Regulation
The European Union’s standard of consumer privacy, this regulation is an opt-in policy that requires a consumer’s consent prior to processing their data. This law went into effect on May 25, 2018, and applies to the rights of anyone in EU territory (which includes those in EU accessing U.S. websites). For more information, please check out our blog post on becoming GDPR compliant.
CCPA – California Consumer Privacy Act
Going into effect January 1, 2020 (with enforcement beginning July 1, 2020) the CCPA established requirements that allow California residents (regardless of where your business is located) to opt-out of a company “selling” their personally identifiable information. If you meet the minimum thresholds, you need to comply. For more information, read this CCPA Guide.
CPRA – California Privacy Rights Act
The California Privacy Rights Act (CPRA) will go into effect on January 1, 2023, but at that time it will apply to data collected beginning on January 1 the prior year, 2022. On July 1, 2023 – CPRA becomes fully enforceable by the CPPA. Once again, this will apply to all California residents and strengthens the current CCPA rules.
What Changes with CPRA?
As time has passed under the initial CCPA, there’ve been some areas identified that aren’t as clear or as strong as initially intended.
One clarity that CPRA brings is a distinction between “selling” and “sharing” consumer’s personal information. Under CCPA, the term “selling” was defined as receiving anything of value in return, which brings arguments on whether “sharing” of information is truly part of this or not. Under CPRA, both “selling” and “sharing” fall under the requirements, which expands the breadth of companies’ use of the data requiring compliance.
Protection of a minor’s data becomes stronger under CPRA, with higher fines for both intentional and unintentional violations. There are some additional requirements for handling “Sensitive Information,” and also new requirements to allow consumers to fix any inaccurate data. This ability to edit the data is more aligned to GDPR rules and takes CCPA beyond simply requiring the deletion of a consumer’s data.
Perhaps the biggest impact that CPRA brings is the establishment of an Enforcement Agency to manage policies. Click & Tweet!
Perhaps the biggest impact that the new CPRA brings is the establishment of an Enforcement Agency to manage these policies. This agency will provide guidance as the technology world evolves, will continue work to strengthen data privacy protection over time, and will be a dedicated resource tasked with enforcing the requirements.
An Opportunity in Disguise
While your customers may not know what CCPA or GDPR is, they certainly do have strong opinions about their own personal data and how it’s used. A consumer survey by Tealium found 97% of respondents are somewhat or very concerned about protecting their data.
Let’s face it, most of us don’t spend the time to actually read data privacy policies, and seeing a link on a website that reads “Do Not Sell my Personal Information” could be shocking and unsettling. However, showing that you’re proactive in protecting your customers and their personal information can build trust in your brand. Similar to all other areas of running a business, doing right by your customers is a core tenant of success.
Showing that you’re proactive in protecting your customers and their personal information can build trust in your brand. Click & Tweet!
Use this opportunity to explain what personal information you collect, how you use that data, and whom you might share it with. That same Tealium survey found that 43% of consumers would willingly provide detailed information about themselves for a discount. Marketers are always aiming to improve the customer journey, saving consumer’s time, and providing the most relevant experiences that result in the highest level of customer satisfaction. Personalized data is what makes this possible.
Ease people’s worries by being upfront, clear, and explicit in the extra value you can deliver to your consumer by being able to use their data.
A lot of companies have taken the “wait and see” approach, and, honestly, all this has done is force data collectors such as Facebook to heavy hand the compliance. For example, Facebook implemented a Limited Data Use policy, which provides tools for advertisers to manage their CCPA compliance, but may require an update to Facebook’s more recent software development kits (SDKs) that support this CCPA compliance.
“If businesses don’t set the parameters to U.S. and California, we’ll determine if a person is in California. Businesses may notice an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited.”
If you’re not yet GDPR- or CCPA-compliant, and you have consumers that these privacy policies apply to, now’s the time to talk to your legal council and get the respective compliance in place.
Keep these consumer data privacy tips in mind:
- Plan for flexibility, as we know that data privacy laws will continue to evolve and will only become more strict.
- Label the data you collect so you can easily identify PII, sensitive, transactional, and other categories to make it easier to manage each of these data types across changing regulations.
- Be upfront and clear with your customers. The more they understand how you use their data, and the value it lends to their experience, the more willing they usually are to participate
The time to act on CPRA to protect consumer privacy is now! And tomorrow…and next month…and next year.