Less than a year after the California Consumer Privacy Act (CCPA) went into effect, businesses have found themselves experiencing déjà vu with the passing of Proposition 24, or the California Privacy Rights and Enforcement Act (CPRA), during the recent election. The CPRA may seem overwhelming for those who just settled into their privacy compliance framework, but there is some good news.
First, the CPRA is not an entirely new law. Instead, it adds a layer of requirements and makes a few clarifications to the CCPA, for which most have already prepared. Second, the CPRA does not go into effect until January 1, 2023. This gives you time to build on compliance efforts ahead of any enforcement.
With that said, the best thing you can do for your company is to act now. By taking proactive measures, your business can gain a market advantage and stay ahead of the competition. To help guide you on your privacy compliance journey, here’s an overview of four essential steps your business will want to take over the next few years:
1. Label Your Data Prior to the CPRA
If your business is aware of the CCPA guidelines, you should have an understanding of the kind of data your business is collecting that could be tied back to an individual, household, or device (that’s “personal information” under the CCPA). Building on that, the CPRA provides consumers with more protections for data categorized as “sensitive personal information.” This sensitive data includes a person’s Social Security number, passport number, financial information, precise geolocation, race or ethnic origin, religious or philosophical beliefs, genetic data, and personal communications not intended for the business (see CPRA Section 1798.140(ae)).
One important right users have under the CPRA is the ability to limit a business’ use of sensitive personal information. This means that you’ll want to label sensitive personal information and non-sensitive personal information in order to distinguish between the two.
If your business has already identified the personal information it collects, it can simply focus on separating the sensitive personal information from the rest of the group. Additionally, if you have dealt with the General Data Protection Regulation (GDPR, the European Union’s cousin to the CCPA and CPRA), you’ve probably already identified most of the sensitive personal information your business collects.
2. Revisit Your Contracts
If your company participates in any advertising (whether as an advertiser, publisher, or a technology company), it may be time to update your business agreements. The CPRA now makes this crystal clear: sharing personal information for purposes of “cross-contextual behavioral advertising” is subject to opt-out requests (see CPRA Section 1798.140(ah)). This update covers most activity related to targeted digital advertising, which typically involves targeting users based on activity “across businesses, distinctly-branded websites, applications or services, other than the business, distinctly-branded website, application or service with which the consumer intentionally interacts” (see CPRA Section 1798.140(k)).
Some businesses may already include personal information received or shared for purposes of cross-contextual advertising as part of an opt-out request. Many others have been able to avoid this requirement by treating certain advertising partners as “service providers” as defined by the CCPA. However, the CPRA does not include this option, as it clarifies that such advertising partners are not considered service providers (CPRA Section 1798.140(e)(6)).
That’s why you should start reviewing existing contracts or drafting new ones to re-classify relevant partners and to make sure both your business and your business partners can perform services as intended. This could involve removing unnecessary limitations on data use, or adding new requirements that better protect the data.
3. Update Your Privacy Notices
With broader limitations on how data can be used, the CPRA also expands what needs to be covered in your business’ privacy notices. This includes outlining the categories of sensitive personal information your business collects and how such data is used. And if your business previously did not consider data shared for cross-contextual advertising to be a “sale” of data under the CCPA, guess again. Your business will now have to disclose that it does sell or share personal information assuming it actually engages in such activities.
In addition, you’ll want to highlight new rights or policies your business needs to implement under the CPRA, which include a consumer’s right to correct their information and details on how long you retain the personal information you collect from consumers. If your business has already dealt with the GDPR, it may have already incorporated the same disclosures in its privacy notices, so you’re ahead of the curve.
4. Identify Privacy-Safe Partners
With the additional constraints that the CPRA imposes on the use of third-party data and sensitive personal information as described above, your business may need to get creative about how it uses and sources its data.
Luckily, you don’t have to do this alone. Finding the right business partners and vendors can help your business. For example, in this digital, data-driven world, you’ll find that working with businesses that have access to first-party data may increase the likelihood that consents or opt-ins were obtained in collecting sensitive data. Alternatively, you may find business pioneers who are able to minimize the use of personal information (including sensitive personal information) by relying on de-identified data and thus can mitigate the effects of opt-outs.
By identifying and connecting with business partners who come up with these kinds of innovative solutions, you may find that your business can do a little less of the work and, instead, focus on growth.
Some of this commentary was originally published in CMSWire’s article: 6 Compliance Tips for California Privacy Rights Act (CPRA)