For those of you who were just getting used to the California Consumer Privacy Act (CCPA), it’s time to recalibrate.
Even though CCPA’s enforcement only began this past July, on November 3, voters in California passed a referendum for a successor to CCPA called the California Privacy Rights Act (CPRA). The new legislation—due for enforcement starting July 1, 2023—revises and supplements CCPA in several important ways, and sets a new marker for American privacy laws.
The question for marketers is: now what?
How the CPRA revises the CCPA
Before attempting that answer, first let’s look at how the CPRA is different.
As described previously on RampUp:
- It sets up a separate enforcement agency, the California Privacy Protection Agency. Funded with $10 million from the state’s general fund, the agency is the first of its kind in the U.S., as CCPA was handled by the state’s Attorney General office. It will have roughly the same number of enforcement staff for California alone as the Federal Trade Commission has for the entire U.S.—about 40 people.
- CPRA says that the state legislature can only amend the new law in ways that continue its “purpose and intent.” More extensive changes would require a completely new law or referendum.
- It defines a new category of “sensitive personal information,” such as Social Security numbers, driver’s licenses, financial information, precise geolocation, race or religion, union membership, genetic data, and sexual orientation.
- It limits liability for privacy violations in a joint venture or partnership to partners with 40% or above ownership. CCPA made any partners liable.
The electric scooter, the Tesla, and the Smart car
In several ways, CPRA now moves a U.S. state-based law closer to the more comprehensive regulations of the European Union’s General Data Privacy Regulation (GDPR).
CPRA sits between CCPA and GDPR, but brings California closer to the latter, said Katherine Calvert, CMO of Khoros. “If CCPA is an electric scooter and GDPR is a Tesla,” she suggested, “CPRA is a Smart car.”
Calvert noted that CCPA focused on the selling of consumer data, whereas CPRA “takes that to the next level with a focus on how the data is shared,” whether it’s sold or not. She added that the part of the ad industry that is most affected by CPRA will depend on what the enforcement agency emphasizes.
A key difference between CPRA and GDPR, privacy expert Kristina Podnar pointed out, is that CPRA doesn’t emphasize consent as much as GDPR does. Instead, it focuses on transparency, the right to know, and the right to opt out.
But in one aspect, she noted, CPRA goes a step further than GDPR.
GDPR applies only to people physically in the EU, whether citizens or not, whereas an earlier version applied to EU citizens, wherever they were in the world. But CPRA applies to California residents, citizens or not, wherever they are.
This means that CPRA can apply to any national or global brand, provided those companies collect, use, or disclose California residents’ personal information. It could also affect smaller businesses whose customers may include California legal residents living anywhere, but that appears to be a smaller liability.
Value exchange, company culture
Luke Taylor, CEO and Co-founder of Perth-based adtech firm TrafficGuard, told RampUp that the introduction of CCPA and CPRA is “something advertisers and marketers [around the world] have to deal with,” including companies in Australia.
While the new privacy laws are impacting privacy considerations for consumer data collection and use, he noted that the bigger factors are what’s happening in the browsers, which are deprecating third-party cookies, and in mobile devices, which are limiting the amount of non-consented information that can be collected.
According to Taylor, all of these developments lead to the biggest change for marketers: learning better ways to explain why collected data can help consumers discover products and content.
“We’ve been really bad at communicating the value exchange [of collected data] to consumers,” he said.
Katherine Calvert of Khoros believes the most important thing marketers can do is get their own house in order.
They need to ensure, she said, that their own companies “foster a culture that underscores the importance of privacy and data protection, employs best practices, and leads from the top on these issues.”