Another day, another acronym. If anything has defined the role of an email marketer in the last five years, it’s the constant rollout of new consumer privacy regulations around the world.
Hot on the heels of the European Union’s General Data Protection Regulation (GDPR), which sent shockwaves around the world in 2018, the California Consumer Privacy Act (CCPA) sought to give consumers in the state greater control over the information businesses collect from them. Then in 2020, Californians voted to approve Proposition 24, which updated, modified and extended the rules stipulated by CCPA, creating the California Privacy Rights Act (CPRA) of 2020.
CPRA takes effect on January 1, 2023, and will be enforceable from July 1, 2023, with a lookback period from January 1, 2022. That means it’s essential to start taking steps to ensure compliance now.
If you find yourself a little confused by all these privacy-related acronyms, you’re not alone. However, the good news is, as new regulations roll out around the world, they are beginning to look very similar to each other.
GDPR has set the foundations for CPRA
Much of the groundwork for CPRA was set by GDPR. This includes rules not previously included in CCPA relating to:
- Data minimization: Limiting data collection to only what is required to fulfill a specific purpose.
- Purpose limitation: Ensuring data collected for one specified purpose is not used for new, incompatible purposes.
- Storage limitation: Not keeping data for longer than you actually need it.
The GDPR has also influenced how the CPRA manages sensitive personal information (SPI) relating to race or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, genetics, health, and other potentially sensitive data.
Under CPRA, businesses that store SPI must include a clear and conspicuous link on their websites stating “Limit the Use of My Sensitive Personal Information,” which allows consumers to restrict the processing of their sensitive data.
Updating existing CCPA regulations
The implementation of CPRA won’t replace CCPA. Instead, it updates and adds to the current legislation.
CPRA will update five of the current regulations governed by CCPA. These include:
- The right to opt out of third-party sales and sharing: Under the CCPA, consumers were able to opt out of businesses selling their data. The CPRA expands this right to the sharing of data with third-party organizations.
- The right to know: While the CCPA enabled consumers to request details relating to personal information collected in the last year, CPRA extends this window of opportunity beyond 12 months in certain circumstances.
- The right to delete: The CPRA extends the right for consumers to demand businesses delete their personal information to include third-party organizations that may have received shared data.
- The right to data portability: Under the CCPA, consumers have the right to receive a copy of the personal information a company holds about them. CPRA extends this right so that consumers can demand a copy of their personal data in a commonly used, machine-readable format, allowing the information to be easily transferred to another organization.
- Extended Opt-In Rights for Minors: The CCPA dictates that organizations seek opt-in consent for the sale of data owned by people under the age of 16. The CPRA now demands that businesses wait for 12 months after an opt-in request has been declined before requesting permission again.
CPRA also includes four new rules relating to:
- The right to correct information.
- The right to limit uses of SPI.
- The right to access information about automated decision making.
- The right to opt out of automated decision-making technology.
What does CPRA apply to?
Okay, here’s where it gets confusing. CPRA isn’t just about doubling down on the rules previously set by CCPA. In fact, in some cases, CPRA might make things easier for small and mid-sized businesses.
CPRA rules apply to businesses that collect personal information from Californian residents that fall into one or more of the following categories:
- Have gross revenues of more than $25 million in the preceding year.
- Buy, sell, or share the personal information of 100,000+ Californian consumers or households.
- Generate 50% or more of their annual revenue from selling or sharing consumers’ personal information.
However, if your small business or start-up has ambitions for growth, it’s always better to comply with current privacy regulations now rather than be forced to change the way you do business when you reach a specific threshold.
The threat of non-compliance is genuine, with potential fines of $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. While CCPA legislation hasn’t been pursued as aggressively as the GDPR, there are a number of active cases against a range of businesses.
Why does this matter?
The digital marketing landscape is changing. Regulations like the GDPR, CCPA, and CPRA are cleaning up an environment emerging from its “Wild West Era” where the rule of law was at best patchy.
Regulations enable good marketers to up their game and focus on the people behind the data rather than just the data. The regulations also begin the process of closing down less-than-scrupulous marketing techniques, creating a less aggressive and more trusted landscape where consumers will actually welcome marketers’ communications when engaged using best practices.
How do I comply?
If you currently comply with CCPA and GDPR, you should already be in a pretty good place. However, you will need to make some adjustments to the way you work. For example, it’s always a good idea to conduct a regular data-mapping exercise to check how you manage and share data across your business and the various third parties you work with. You may also need to update some of the privacy statements on your website to reflect the current regulations.
It should be remembered that this article is not intended as legal advice. Therefore, it’s always a good idea to speak to your legal counsel to ensure that everything is in place before the end of the year and the start of the CPRA lookback period on January 1, 2022.