"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richy Glassberg, CEO and co-founder of SafeGuard Privacy.
These past few years have seen a whirlwind of change – and not a few upheavals. So business leaders can be forgiven for putting things off that won’t really affect them for a year or more.
But here’s a news flash: The California Privacy Rights Act of 2020 (CPRA) cannot be one of them.
Due to the lookback window lawmakers wrote into the act, compliance must begin at the start of the new year – unless businesses want to toss out every bit of data they legitimately collect about their customers and prospects over the entirety of the year to come.
Yeah, it’s really that urgent. Your data – the stuff you so heavily invest in – has a sell-by date.
But let’s back up. What is CPRA, exactly?
The act amends and significantly strengthens the California Consumer Privacy Act (CCPA) and adds GDPR-like consumer rights into it. Specifically, it expands the definition of sensitive data (geolocation, for example, is now considered sensitive) and provides consumers with stronger controls for protecting it.
Your company must comply with CCPA if you engage in digital advertising, collect data or deploy any kind of automated decision-making technology when determining who to target for a campaign.
Since most companies engage in digital advertising and use AI to find audiences, CPRA will require the majority of players in the digital ad ecosystem to update their practices … or, alternatively, walk away from the biggest consumer market within the US.
Can you continue business as usual next year? Technically, yes. But it’s not a wise move.
Here are six ways that CPRA will significantly impact your operations and how you can prepare.
1. Data collected in 2022 needs to comply with CPRA by 2023
Although CPRA goes into effect on January 1, 2023, the law’s lookback provision applies to all information collected on or after January 2022. That means any data about any customer or prospect that you collect throughout 2022 must be in full compliance with CPRA on New Year’s Day 2023 if you intend to use it from that point on.
Practical tip: Your CMO and COO have a lot of big decisions to make. But in the meantime, work to identify all the personal data you collect in 2022 in the event you want to use it beyond December of next year.
2. New definition: sharing = selling
CPRA gives consumers the right to limit who you share their information with. The law defines sharing as “any disclosure” to third parties for “cross-contextual behavioral advertising.”
All consumer rights that apply to the sale of personal data (e.g., opt-out rights) will also apply to the data you share with partners to execute a digital marketing or advertising initiative.
Practical tip: Make sure you can identify all 2022 data that you share or has been shared with you. You’ll also need to have a system in place to receive and implement opt-out requests.
3. New data use limitations
Under CPRA, there’s no such thing as general or universal permission. If you ask for a consumer’s cellphone number as part of a shipping address workflow, for instance, you can’t use that number to send advertising SMS messages without permission. Personal data can only be used for purposes that are compatible with the disclosed purpose for which it was collected.
Practical tip: Start disclosing expansive use, sale and sharing practices beginning on January 1, 2022, so that you can use any data you collect in 2022 more broadly as of 2023.
4. New contracts
The CPRA creates contract requirements for three categories of counterparties: service providers, contractors and third parties. These obligations will apply to 2022 data.
Practical tip: Start using new contracts in 2022 so that you can enforce obligations on 2022 data in 2023.
It’s right there in black-and-white in the law itself:
E.g., Cal. Civ. Code § 1798.100(d) “A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor …”
5. New counterparty obligations
The CPRA creates new obligations for those who sell or share data.
Specifically, any data you sell or disclose must be for limited and specified purposes only. Moreover, the third party, service provider or contractor you share it with must also comply with the same obligations, as well as provide the same level of privacy protection as you do to that consumer’s data. If, for whatever reason, a counterparty can’t meet those obligations, they’ll need to notify you.
Practical tip: Place these obligations in the new contracts you enter into in 2022 so that you’re ready for enforcement in 2023.
6. New category of personal information
The CPRA creates a new category for “Sensitive Personal Information” and provides for new and additional limitations on its use. What’s considered sensitive? It’s any data that is related to a consumer’s government ID (i.e., social security number or driver’s license), finances, geolocation, race, religion, union membership, the contents of private communications, genetic info, biometrics, health or sexual orientation.
If your company uses or discloses sensitive personal information, CPRA requires you to notify people of that fact. Moreover, you will need to provide “a clear and conspicuous link” on your home page titled "Limit the Use of My Sensitive Personal Information."
Practical tip: If your company collects sensitive personal information, you should start to inventory the types collected now, as well as how that information is used, who that information is shared with and whether the sharing is legally allowed under the statute without consumer consent. Next, formulate a comprehensive strategy for how you can collect, use, share, retain and protect sensitive personal information in compliance with CPRA.
More to do
These six items are by no means the sum total of your new obligations under CPRA.
For some companies, other CPRA provisions, such as data retention and automated-decision making, will have a much greater impact on the business.
Although, like I said at the top, you could get away with putting this off for another year – but that would mean taking every piece of data you collect in 2022 and throwing it in the digital trash can. How is that going to advance your company’s digital transformation efforts, I wonder, and what will that do to your market position going into 2023?
If the prospect of losing your entire data investment isn’t acceptable to you or your board, I suggest the time to act is now. Waiting for next year is really not a good idea.