Customer data compliance is like traversing murky waters at the best of times – it requires water-tight policies, and often new threats approach. The next looming beast is titled CPRA (California Privacy Rights Act), which is an extension of the already-established CCPA (California Consumer Privacy Act) that comes into full effect January 1, 2023. At that point, the regulatory standards CPRA establishes will be imposed on data gathered since a year prior – January 1, 2022. Clearly there’s little time to waste in becoming compliant with the act, so we won’t waste any more in unnecessary detail – here’s a quick breakdown of what this means for marketers.
First: Who Does CPRA Apply To?
CPRA holds businesses, service providers, third parties, and (extending CCPA) contractors accountable for different sets of obligations. For the concern of marketing companies, let’s focus on business requirements, as they have evolved from CCPA:
A “business” under CPRA is classified as a for-profit legal entity that collects consumer data, takes a role in determining the processing of said data, conducts business in California, and meets at least one of the following criteria:
- Possess annual gross revenues of at least $25 million
- Annually handles data of at least 100 thousand consumers/households/devices
- Derives at least 50% of annual revenue from selling or sharing consumer data
While it’s true that these qualifications leave many small to midsize businesses and nonprofits exempt for now, marketers should pay special attention to those bulleted criteria – this will catch most marketing agencies, especially as they grow.
Second: What does CPRA compliance mean?
Given that CPRA is an extension of CCPA, it’s important that we understand both in order to be fully compliant. In that interest, here are the rights established for California consumers under the acts:
- The Right to Know what, how, and why their data was collected along with what was done with it
- The Right to Delete data collected on them
- The Right to Opt-Out of their data’s sale
- The Right to Opt-In to their data’s sale (if consumer is under 16)
- The Right to Correct inaccurate data collected
- The Right to Limit Use and Disclosure of “sensitive” personal information
- The Right to Initiate a Private Cause of Action following their data’s breach
- The Right to Non-Discrimination or unfair treatment for exercising their rights
Past guaranteeing these rights, there are a few other big-hitter standards to be aware of for CPRA compliance:
- Sensitive Data Use: Some data is now classified as “sensitive”, defined essentially as data that would personally identify a consumer (think ID cards, genetic info, or SSN). This data will need to have its use disclosed and consumers should have the right to opt out of said use.
- Data Minimization: Data collected and its storage should be proportionate to the purpose of the data.
- Risk Assessments: Certain cases of collection and use of data will mandate risk assessments to be conducted beforehand (this requirement is likely to expand, too)
- Data Deletion: Businesses should not only delete requested data on their end but also notify related third parties to do the same.
- Contracts: Businesses must form CPRA-compliant contracts with third parties before dealing data with them.
- Cross-Context Ads: This type of advertising, where behavioral tracking of users is conducted for tracking across contexts, is specifically targeted in CPRA – customers reserve the right to opt out of its use like any other type of advertising.
- Opting-Out: Businesses should present a “do not share my personal info” link in addition to a “limit the use of my personal info” link, and they should be made reasonably easy to understand and interact with.
Third: How can marketers adapt?
Even broken down, all that compliance criteria is often intimidating. Let’s walk through a few quick steps you can take to get ready:
- Find Your Data: Take an inventory of where all your data lies and through where it flows. Make sure this process is thorough – to secure data you need to know where it lives.
- Review Your Security: Take a sober look at the areas identified in your inventory – can you effectively prevent leaks there and quickly access/delete data where necessary? If not, take some time to bolster your data security.
- Review Your Vendors: Many of the compliance measures require you to hold your vendors accountable for their use of data. Revisit your contracts and make sure vendors are living up to compliance standards, and not putting you at risk through association.
- Manage Requests: If customers request their data to be removed, how will you know? Establish a process by which customer data access or deletion requests can be quickly received and remediated.
- Reconsider Data Collection Strategies: Under standards like minimization among others, it’s worth reevaluating what data needs to be collected and how. Ensure that only business-necessary data is collected, and consider more opt-in oriented approaches to collection: think website interaction, newsletter/email subscriptions, or voluntary polls.
- Consider Getting Outside Help: CPRA compliance is an endeavor, no doubt. If this process seems daunting, consider hiring a consulting service or other solution to aid. Ensuring compliance is done right pays for itself in fines and reputation.
Need help trying to understand CPRA compliance for your business? Let CyberData Pros help you assess your risk and design secure organizational and compliance measures. Contact us now for a free consultation and to learn more about our services.