The CPRA will impact privacy and consumer rights for years to come. In November 2020, California voters approved the California Privacy Rights Act of 2020, otherwise known as the CPRA. This is an amendment to the California Consumer Privacy Act (CCPA) that voters approved in 2018.
The CPRA has modified, expanded, and clarified privacy rights for California residents, and it takes inspiration from the EU’s GDPR policy in a variety of ways.
For instance, the CPRA creates a new enforcement agency. Previously the CCPA was enforced by the California Office of the Attorney General. However, in the EU, GDPR is enforced by data protection authorities –– and now, California has one, too: the California Privacy Protection Agency (CPPA).
This agency will be granted investigative, enforcement, and rulemaking powers. More importantly for businesses, this agency will not be required to allow for a 30-day cure period, and penalties for some policy violations can now be up to $7,500 per violation. That’s a 3x increase.
With so much on the line, you may be left wondering what has changed and what it means for your business. You aren’t alone. While fine potential has increased 3x, your business has until January 1, 2023, as ramp-up time for compliance. Here’s what companies need to know about CPRA.
The CCPA was already the United State’s most robust consumer-focused privacy law. The CPRA takes everything a step further – and makes it more challenging for any future leniency unless the entire policy is revoked.
In other words, you want to get your business in CPRA shape. There is no turning the clock back on this privacy policy. Instead, it’s likely more states will begin to adopt similar policies.
Let’s cover the basics.
A customer data platform is software designed to make sense of your customer data so you can engage with them on a more personal, effective (and valuable) level. But what does that mean for marketers? Executives? Customers? How do CDPs change their experiences?
Most of the California Privacy Rights Act of 2020 provisions will not take effect until January 2, 2023. However, personal information collected on or after January 1, 2022, will be part of the expansion of the “Right to Know” section.
Your business will be required to allow consumers the “Right to Know” what data you’ve collected on them and how it is being used back to any information you collected beginning on January 1, 2022.
Not everyone, and in fact, this is one of the areas in which the CPRA is actually more lenient than the original CCPA.
In the CCPA, businesses with a total number of consumers of 50,000 or higher needed to comply. In the CPRA, that number is doubled. CPRA applies only to businesses with consumers greater than 100,000.
If you are a company with more than 100,000 customers, the CPRA will apply to you if you generate at least 50% of annual revenue from selling or sharing consumer personal information (PI). This is another update in the CPRA in comparison to the CCPA. In the CCPA, only the selling of consumer personal information was covered. In the CPRA, that has been expanded to “sharing,” meaning with third parties.
A lot of the CPRA is a modification of the CCPA, but one area of introduction is around “sensitive personal information.” This will now be a regulated dataset in the state of California.
Sensitive personal information for CPRA includes:
Organizations collecting, selling, or sharing this information will be required to disclose that they are doing so, and allow consumers to opt-in and opt-out.
If you’re a business with more than 100,000 customers or with data on more than 100,000 consumers, and you use that data for marketing or advertising, or to generate revenue for your business, then CPRA means several things for your data privacy program.
Brands recognize that customer experience directly impacts turnover and margin, and will soon trump price and product as differentiators in the near future, if it hasn't already.
Consent regulations have been strengthened in the CPRA, specifically for minors. This means that to collect a user’s data, they need to give explicit consent with the knowledge of how their data will be used and for what lengths of time.
Moreover, consumers can request, and businesses are required to confirm, their opting-out of specific programs, including the deletion of their data, even if previous consent was given.
For organizations, it will be crucial to use tools like a customer data platform (CDP) to automate what consumers are opted into, what they are opted out of, and the deletion of data when requested. This will also make the audit obligations introduced in this bill far easier for organizations to manage because CDP helps comply with data privacy and governance requirements.
Under the CPRA, consumers now have the right to see what information you have collected on them, and how that is affecting their personalized experience with your brand. In fact, consumers can request a meaningful description of the logic involved in the decision-making process for automated campaigns, ads, and the like. It is essential to have a data privacy plan.
To make this easy on teams, again a CDP is helpful –– especially one that is integrated with a CRM solution. Together, these tools can be used to create personalized logins and pages for consumers to see all of their data, what streams they are in as a result, and manage their own data preferences.
As mentioned earlier, the CPRA takes some inspiration from the GDPR policy in the EU. These include:
These requirements mean that businesses need to collect the least amount of information they need, and they need to state the purpose for their collection of the data (i.e. how it will be used) and for how long they will keep it.
An overwhelming majority of consumers state they'll stay with and pay more to a brand they trust. Learn the top data privacy issues driving - or breaking - their trust.
Whatever policy your company decides on, you’ll want to make sure to automate what your privacy policy says with your system. For instance, if you state that you’ll keep data in the system for two years, you’ll want to automate the removal of that information as soon as those 24 months are up.
Again, this will be incredibly helpful for audits and ensure no manual errors or forgetfulness on the part of employees.
For organizations making more than $25 million in annual revenue, collecting data from more than 100,00 consumers, and making at least 50% of profits from the selling or sharing of that data, it’s now time to get a CDP.
Centralizing customer data from all sources using a CDP will help your team to automate several of the new policies, make audits easy, and keep customers happy – without having to increase team workload for marketing, sales, advertising, or any other department.
Remember, the CPRA is by far the most robust consumer privacy law in the U.S., but it won’t be the last – nor will this amendment. As the privacy-first web continues to move forward and gain traction, organizations will need to become smarter and more transparent about what they collect, on whom, and how they use it. Investing now saves you in fines and headaches in the future.
Subscribe to our newsletter for the most up-to-date e-commerce insights.
