MOVE OVER, CCPA: THE REALITIES OF VOTING “YES” FOR PROP 24
Published on November 20, 2020
As Americans headed to the polls earlier this month to determine the country’s political future, US privacy advocates and marketers knew that other matters were equally at stake: all eyes were on California.
Proposition 24, otherwise known as the California Privacy Rights and Enforcement Act of 2020 (CPRA), sought to expand and amend the guidelines stipulated in the previously passed 2018 California Consumer Privacy Act (CCPA). Offering some of the most stringent privacy frameworks in the country at the time, the CCPA officially came into effect on January 1st of this year. Yet, less than a year on, privacy experts had pointed out critical flaws and loopholes which, in turn, the CPRA seeks to remedy.
Much like its predecessor, the CPRA holds significant, widespread implications not only for the state but for the country, given California’s size. No business—domestic or international—would be spared from its passing, largely setting a precedent for what a regulatory baseline ought to look like should the United States adopt a far-reaching federal privacy law.
The result? A resounding yes with 9,126,914 ballots cast in favour of the proposition, accounting for approximately 56 percent of all voters in the state. And yet, reception has been mixed since the start with the Electronic Frontier Foundation—a renowned non-profit digital rights group—neither voicing support nor denouncing the CPRA altogether. Instead, the EFF described it as “a mixed bag of partial steps backwards and forwards”.
What does this mean for you? Well, let’s unpack the CPRA, how it’s impacted the existing state privacy legislations, and what you need to keep in mind in the lead-up to its full enactment in 2023.
So, what’s changed? Here’s a handy primer.
The timeline: If you’re feeling overwhelmed, we don’t blame you—after all, the CCPA only first came into effect this past January and now there’s a new framework!? However, the CPRA provides a two-year gap between “notional adoption” and “implementation”, giving brands the opportunity to revisit their existing data collection and management practices. This means that while the Act will only come into effect on January 1, 2023, it will, with the exception of the right of access, only apply to personal information collected by a business on or after January 1, 2022.
The change in definitions: Most notably, the CPRA introduces a new definition of what constitutes “sensitive personal information”. Beyond typical sensitive identifiers such as financial information and government-issued identifiers, this now also includes account log-in credentials, biometrics, genetic and health data, ethnic or racial origin, religious beliefs, and information about a person’s sex life or their sexual orientation. Most of all, precise geolocation is also part of this data class, marking a critical roadblock for companies engaging in audience targeting practices.
The limitations of use: Under the CPRA, consumers have additional rights to opt out and request that businesses limit the use of their personal data. Here, consumers can stipulate that their personal information is only used when absolutely necessary to perform a service, provide requested goods, or as prescribed by law. Should a business use a consumer’s sensitive personal information for any purpose other than what they’ve consented to, they have the responsibility to inform consumers.
The clearer channels for opting out: Businesses also have the obligation to ensure that consumers can easily limit the sale, sharing, and use of their sensitive personal information by providing a clear link on their webpages to “limit the use of [my] sensitive personal information” as well as one that allows a consumer to opt out of the sale or sharing of personal information. Businesses must respect any indication that a consumer has chosen to opt out.
The new authority: Say hello to the California Privacy Protection Agency, the United States’ first agency exclusively dedicated to preserving consumer privacy rights. Governed by a five-member board selected for its expertise in areas of consumer rights, privacy, and technology, the CPPA would have the ability to issue administrative fines of up to US$2,500 per violation or up to $7,500 per intentional violation or violations involving minors, while also enforcing auditing requirements. The CPPA would also be tasked with boosting awareness of consumer privacy rights, offering guidance to businesses and individuals alike. This is a significant change from the original provisions set forth in the CCPA which had originally left authority in the hands of the California Attorney General’s Office.
The difference between sale and share: One of the most pointed criticisms of the CCPA concerned its “Do Not Sell” clause and its definition of what constitutes the “sale” of personal information, when today’s digital landscape predominantly operates on the basis of data “sharing”. When data is passed on across a network of adtech and martech vendors, it is shared more than it is sold, and this practice, of course, informs the process of cross-contextual behavioural advertising and audience targeting. With data sharing now falling under the remit of a “Do Not Sell or Share” clause, marketers should continue to invest in exploring solutions that no longer rest on third-party data while ensuring that publisher partners are vetted on a rolling basis to validate whether data is obtained ethically.
The enforcement: The CCPA previously offered a generous 30-day “cure period”. This meant that upon being notified of non-compliance by the California Attorney General, businesses had the ability to address the alleged non-compliance without penalty. Far less generous than its predecessor, the CPRA no longer provides this 30-day grace period before businesses can potentially be fined.
A critical starting point
The changes certainly are significant, and many bear implications for marketers as much as small business owners, who will once again need to re-evaluate existing practices and place some spend behind data compliance efforts. While Californians have voted yes, the framework has not been without its share of criticism from rights groups and non-profit organisations across the country who’ve cited concerns that the CPRA encourages businesses to put a premium on privacy.
But for the most part, we’d argue that the CPRA is a step in the right direction as it comes to gradually mirror the European Union’s General Data Protection Regulation—arguably the gold standard in data protection frameworks today. From its reporting requirements to an overall ethos of data minimisation, the CPRA presents a valuable look into what consumers really care about today when it comes to their data: more control.
Data protection and data compliance are an investment in themselves, but the cost of ultimately putting your consumers first is priceless. With data as the lifeblood of today’s digital marketing ecosystem, we owe it to our consumers to treat their data well. Now confronted with a confluence of milestones—be it the eventual enactment of CPRA or the ever-looming cookiepocalypse—the realities of a far more privacy-centric digital landscape are becoming clearer than ever.
For one, we need better infrastructures—those that already incorporate privacy-by-design and consent mechanisms—in order to reduce the barriers to compliance. As the industry gradually moves away from third-party data, we also need more collaboration: it’s only through a unified ecosystem of brands, platforms, and publishers that we can hope to see a more compliant ecosystem, anchored by first-party data.
Think of the CPRA as a wake-up call: take a closer look at what you’re doing today and what you can do better.