The California Consumer Privacy Act (CCPA) hasn’t yet blown out the candle on its first-year birthday cake, and already there’s a major update. In the election this November, a proposed successor—the California Privacy Rights Act (CPRA)—will be on the California ballot. If it passes—which some observers expect—it will give marketers an expanded set of rules to digest. Many are calling it CCPA 2.0.
However, CCPA went into effect on January 1, 2020, and enforcement only started on July 1. If CPRA passes, it will become law on January 1, 2023, and enforceable on July 1 of that year. With so little time and data for CCPA to be evaluated as successful or not, why is the CPRA already on the ballot?
Who and what is behind the CPRA?
CPRA, and the effort to acquire the thousands of signatures for ballot placement, arose from Californians for Consumer Privacy, the same privacy-rights activist group that initiated the CCPA. They say two things have happened since CCPA passed the state legislature on June 28, 2018: “First, some of the world’s largest companies have actively and explicitly prioritized weakening the law. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences.”
How CPRA modifies CCPA
CPRA modifies CCPA in a number of ways, according to independent digital policy consultant Kristina Podnar and Californians for Consumer Privacy:
- Provides the ability for users to browse without pop-ups.
- Provides specific penalties if an email login is stolen due to negligence. Previously, enforcement was dependent on a lawsuit in civil court.
- Defines an additional category—“sensitive personal information”—and restricts its use. This includes Social Security numbers; driver’s license, passport, and financial account information; precise geolocation data; race, ethnicity, and religion; union membership; personal communications; genetic data; biometric or health information; and information about one’s sex life or sexual orientation. CPRA allows users to opt out of the sale or sharing of their information, and consumers can direct companies to use collected sensitive personal information only for the purpose stated, such as delivering a requested product. (By comparison, the European Union’s General Data Protection Regulation (GDPR) requires users to opt in.)
- Requires that companies that collect sensitive personal information inform consumers when that information is used by automated decision-making technology, such as tools from financial institutions to facilitate loan or credit card approvals.
- Provides the right for a user to correct his/her own data, and to prevent companies from storing information longer than necessary or collecting more data than needed.
- Limits the ability of companies to pass on protected information by making the initial third-party handoff liable for its use. For instance, if I enter my credit card information into a site and it is transferred by the site to PayPal as a third-party processor, PayPal becomes liable for the use of my information by any of its processors.
- Provides a right to opt out of geolocation that has a resolution of less than a third of a mile.
- Allows authorities to override privacy considerations when there is a threat of injury or death to a customer.
- Requires regular cybersecurity audits and assessments for “high risk” data processors.
- Increases fines for collecting and selling information from minors.
- Requires the appointment of a chief auditor for auditing data practices of a business. By contrast, GDPR requires that businesses employ a data protection officer, who has more powers than an auditor.
- Under CCPA, any joint venture or partnership can be liable for privacy violations of a partner. Under CPRA, liability is limited to partners with 40% or above participation or ownership.
- Perhaps most significantly, CPRA calls for the establishment of a central body called the California Privacy Protection Agency to enforce the regulations—the first of its kind in the U.S. CCPA enforcement is currently handled through the state Attorney General’s office, and a major complaint has been the vagueness of many of its rules.
The new agency would be funded with $10 million from the state’s general fund and, Californians for Consumer Privacy says, it would hire about the same number of privacy enforcement staff as the Federal Trade Commission has for the entire U.S.—about 40 people. This agency brings California privacy regulation more in line with GDPR, which manages enforcement through a governmental agency in each participating country.
To perhaps prevent the need for CCPA 3.0, Californians for Consumer Privacy wrote into the proposed CPRA that the state legislature can only amend the law “in furtherance of [its] purpose and intent.” Any comprehensive changes would require another initiative.
How might CPRA affect brands and agencies?
With all these proposed amendments, will CPRA make life easier for brands and agencies doing business in California?
“Most brands are anxious about CPRA,” Podnar told RampUp. “Organizations must [now] adopt CCPA under the threatening eyes of enterprising class action lawyers, and around the corner they can see CPRA coming at them faster than they can take in the implications. While we will see push back, it will be a vocal minority.”
“Some businesses will be sighing [in relief], a bit,” she added, over such provisions as better definitions of who is liable for passing protected information.
“The majority of brands will incrementally adopt CPRA to stay on the right side of [the Attorney General’s office] and mitigate risks to the business. Shareholders don’t like uncertainty, and while CPRA is yet another challenge, postponing the inevitable won’t do these brands any favors and they know it.”
Podnar noted, “It would be great if CPRA set the stage for other states to adopt similar data protection regulation.” But, she said, CPRA is more likely to continue the “equivalent pattern of data breach laws, with each state adopting its own flavor and just different enough to pose challenges to compliance.”
Make the value exchange obvious and desirable
As a general practice, she said she expects marketers will conform to CPRA—since California is the biggest market, has such a large tech industry, and would have the most detailed privacy laws—and they would largely assume CPRA also covers other states’ requirements. If not, marketers can treat specific requirements in state laws, such as those in Nevada or Maine, as special cases.
This continuing wave of privacy laws, plus the continuing decline of third-party cookies, is pushing “ads toward brand [identity],” said Advertising Research Foundation chief research officer Paul Donato.
That move toward brand-centric ads is a good direction, he added, because brands “are losing their halo.”
In other words, as loyalty and growth become more challenging, stricter privacy laws and the pending demise of the third-party cookie make clear a major goal for marketers: make a brand’s value exchange so obvious and desirable that consumers want to provide their information.