What does the California Privacy Rights Act (CPRA) mean for the future of your privacy program?

November 5, 2020

On Election Day 2020, Californian’s voted in favor of Proposition 24, or California Privacy Rights Act (CPRA), a ballot initiative put forward by the same group behind CCPA: California for Consumer Privacy. What does the passage of Prop 24 mean for advertising operations and the data privacy space? In short: more controls for consumers over their data and clearer terms of enforcement. 

US data privacy will likely continue to evolve on a state-by-state basis. Even in California, consumer advocates are divided on whether CPRA is the right way to protect privacy rights. Advocates of Prop 24 believe CPRA will strengthen CCPA and shift national standards closer to precedents set by the EU’s GDPR. We break down a few key components that could bring significant changes to your privacy compliance program.

More controls, more buttons

The CPRA defines a number of new concepts that come with new requirements for providing data processing notices and opt-out controls. Similar to existing rights to disclosure and erasure of data, expanded rights require publishers to provide two or more methods for consumers to submit opt-out requests. Here are a few extra links you might be adding:

“Do Not Share My Personal Information”:

An update to the current “Do Not Sell My Personal Information” messages that allow Californians to opt-out of the sale of their data, the CPRA will require notices and the ability to opt out of personal information being shared between third parties for personalized advertising. 

“Limit the Use of My Sensitive Personal Information”:

Consumers will have the right to restrict processing of certain categories of information labeled as sensitive, such as geo-location data.

“Correct My Information”:

This clause updates the existing right to request information be deleted with the right to correct inaccurate personal information. 

Establishing a dedicated privacy enforcement agency 

In addition to new rules, the CPRA establishes new rule-enforcers in the form of a state agency dedicated to implementing and enforcing the CCPA: the California Privacy Protection Agency. They will be tasked with performing regular audits and providing guidance to businesses as to their level of compliance. Similar to the EU GDPR’s regulatory body, the CPPA will have agency to investigate business and exact penalties based on complaints of violations. 

Raising the stakes for high risk data

Businesses whose “processing of consumers’ personal information presents significant risk to consumers’ privacy or security” will be required to submit annual cybersecurity audits to the California Privacy Protection Agency. All businesses will need to submit risk assessments that consider how their data processing may present risk to consumers’ personal securities. 

While existing CCPA legislation allows for a “cure” period in the aftermath of a data breach, the CPRA clarifies that businesses have to do a lot more than disclosure to avoid a private suit. Fines for breaches involving children’s data will also be more intense, as much as three times as high.   

Managing opt-outs in a shifting landscape

Though the CPRA will not enter into force until January 2023, it will have a “look back” to January 2022. Many of CPRA’s details still need to be clarified, and it will be a while before we know what compliance looks like. However, it doesn’t hurt to start preparing.

Managing various degrees of consent is something businesses with experience navigating GDPR already know will get complicated fast. Consider implementing a solution to capture and syndicate consumer privacy preferences. A consent management platform (CMP)  like Sourcepoint provides the technology to capture consumer opt-outs and communicate consumer preferences to the rest of the ecosystem.   

Given the heightened consequences for breaches and non-compliance, you’ll want to start introducing protocol for regular privacy risk assessment. Bringing in a dedicated privacy officer, if possible, is also something to consider.

The debates around CPRA indicate that privacy regulations in not only California but all over the US will continue to evolve. In a shifting landscape, it’s more important than ever to pay close attention to changing regulations and evaluate your current processes and technology against what can help you meet compliance requirements.  

Latest Blog Posts

What is Global Privacy Control? Frequently Asked Questions

July 15, 2021

Global Privacy Control (GPC) wants to make it easier...

For publishers: 5 tips for optimizing your vendor assessment process

July 13, 2021

The shift to more transparent data practices continues to...

A little privacy: week of July 5

July 9, 2021

Colorado signs privacy act into law and Biden signs...

Latest White Papers

Keep in touch

Sign up for our newsletter to keep up with the latest privacy and media news.

Let's explore what we can do together.

We’ll be in touch within 48 hours

    First name *

    Last name *

    Email address *

    Company *

    Message *

    * indicates required fields