What does the California Privacy Rights Act (CPRA) mean for the future of your privacy program?

In 2020, Californians passed the California Privacy Rights Act (CPRA), an initiative put forward by the same group behind CCPA: California for Consumer Privacy. What does CPRA mean for advertising operations and the data privacy space? In short: more controls for consumers over their data and clearer terms of enforcement. 

US data privacy will likely continue to evolve on a state-by-state basis. Even in California, consumer advocates are divided on whether CPRA is the right way to protect privacy rights. Advocates of CPRA believe it will strengthen CCPA and shift national standards closer to precedents set by the EU’s GDPR. We break down a few key components that could bring significant changes to your privacy compliance program.

More controls, more buttons

The CPRA defines a number of new concepts that come with new requirements for providing data processing notices and opt-out controls. Similar to existing rights to disclosure and erasure of data, expanded rights require publishers to provide two or more methods for consumers to submit opt-out requests. Here are a few extra links you might be adding:

“Do Not Share My Personal Information”:

An update to the current “Do Not Sell My Personal Information” messages that allow Californians to opt-out of the sale of their data, the CPRA will require notices and the ability to opt out of personal information being shared between third parties for personalized advertising. 

“Limit the Use of My Sensitive Personal Information”:

Consumers will have the right to restrict processing of certain categories of information labeled as sensitive, such as geo-location data.

“Correct My Information”:

This clause updates the existing right to request information be deleted with the right to correct inaccurate personal information. 

Establishing a dedicated privacy enforcement agency 

In addition to new rules, the CPRA establishes new rule-enforcers in the form of a state agency dedicated to implementing and enforcing the CCPA: the California Privacy Protection Agency. They will be tasked with performing regular audits and providing guidance to businesses as to their level of compliance. Similar to the EU GDPR’s regulatory body, the CPPA will have agency to investigate business and exact penalties based on complaints of violations. 

Raising the stakes for high risk data

Businesses whose “processing of consumers’ personal information presents significant risk to consumers’ privacy or security” will be required to submit annual cybersecurity audits to the California Privacy Protection Agency. All businesses will need to submit risk assessments that consider how their data processing may present risk to consumers’ personal securities. 

While existing CCPA legislation allows for a “cure” period in the aftermath of a data breach, the CPRA clarifies that businesses have to do a lot more than disclosure to avoid a private suit. Fines for breaches involving children’s data will also be more intense, as much as three times as high.   

Managing opt-outs in a shifting landscape

Though the CPRA will not enter into force until January 2023, it will have a “look back” to January 2022. Many of CPRA’s details still need to be clarified, and it will be a while before we know what compliance looks like. However, it doesn’t hurt to start preparing.

Managing various degrees of consent is something businesses with experience navigating GDPR already know will get complicated fast. Consider implementing a solution to capture and syndicate consumer privacy preferences. A consent management platform (CMP)  like Sourcepoint provides the technology to capture consumer opt-outs and communicate consumer preferences to the rest of the ecosystem.   

Given the heightened consequences for breaches and non-compliance, you’ll want to start introducing protocol for regular privacy risk assessment. Bringing in a dedicated privacy officer, if possible, is also something to consider.

The debates around CPRA indicate that privacy regulations in not only California but all over the US will continue to evolve. In a shifting landscape, it’s more important than ever to pay close attention to changing regulations and evaluate your current processes and technology against what can help you meet compliance requirements.