July 1 marked the official start of legal enforcement of the CCPA, the California Consumer Privacy Act. Passed by the California legislature, the CCPA has national implications: it is the first comprehensive state privacy law giving consumers in the United States control over their personal information, and it aligns closely with the GDPR (General Data Protection Regulation) in Europe.
More specifically, its regulations cover the personal information businesses collect, how that data is used, and how consumers can opt out of having it sold. On the heels of the start of enforcement, a follow-up measure was proposed that Californians will vote on in the November election.
That proposed addendum, intended to make the CCPA stronger, is the California Privacy Rights Act (CPRA).
How the CPRA differs from the CCPA
The CPRA strengthens the CCPA by creating a new government agency dedicated to enforcing and overseeing compliance with the privacy regulations. Note: the CPRA is not a separate law but an expansion of the existing one; it strengthens protections for consumers and clarifies some of the murkier compliance questions for organizations.
A dedicated agency should mean more businesses in compliance and more consistent enforcement of penalties. Most notably, the CPRA makes a company responsible for what other companies do with California residents' personal information that it collected and then shared with them.
Consider this example: a company would have to oversee its service providers, such as ad tech firms that process publishers' data to facilitate ad targeting, to ensure they do not add California residents' data to their own database of consumer profiles unless the company and the service provider have signed a contract permitting that use.
This, in turn, makes service providers responsible for helping the companies that collect a person's personal information fulfill requests about that information, such as deleting it.
Consumers also gain the right under the CPRA to correct personal information a company has collected, which ultimately helps companies and consumers alike. How? Take a consumer who corrects purchase-history data so that retargeting ads stop after they have bought a product. The consumer wins because the ads for that product stop, and the company wins because it is no longer spending budget on ads that are now irrelevant.
Going a step further than personally identifiable information (PII), the CPRA adds a subcategory called Sensitive Personal Information (SPI), which includes data such as account login credentials, race and ethnicity, biometric data (for example, from health trackers), and precise geolocation. Defining this subcategory means SPI is treated differently from regular PII: consumers can limit how their sensitive information is used, and companies can keep using non-sensitive information for marketing rather than losing access to all personal information.
4 adoption steps for all organizations collecting consumer data
As privacy laws evolve and we learn more about how they are enforced, four things are clear that every organization collecting consumer data must do:
- Honor opt-ins and opt-outs promptly. Make sure your organization has a process to handle privacy requests quickly, and err on the side of caution when it comes to consent for data capture.
- Comply with the CCPA regardless of your company's physical location. CCPA obligations do not stop at the state line: the law protects California residents wherever they happen to be, and it applies to any business that meets its thresholds (based on revenue, the volume of personal information handled, or the share of revenue that comes from selling it), whether or not that business is located in California. If California residents can reach your website and you meet those thresholds, CCPA compliance is required.
- Understand that the definition of PII grows more complex as regulations evolve. Maintaining legal compliance while driving marketing performance is an ongoing process, not a one-time exercise. Plan to revisit how personally identifiable information is used each time a change to a privacy regulation is announced.
- Build more positive consumer relationships. This one is a benefit rather than an obligation: businesses that honor privacy and handle personal information properly earn trust, because customers know what data is being collected from them and how it is used.
Finally, consult legal
As always, we recommend consulting your legal team with questions about your organization's specific policies for CCPA, GDPR, and CAN-SPAM compliance.
Feel free to reach out to us with your questions as well. We would be happy to discuss how you can comply with the new privacy laws while continuing to craft personalized marketing experiences across your digital channels.