Concrete steps marketers should take now to get ready for CA’s CPRA in 2023
The California Privacy Rights and Enforcement Act won't take effect for two more years, but don't wait to prepare.
Last week California voters passed Proposition 24, the California Privacy Rights and Enforcement Act (CPRA). It builds upon the California Consumer Privacy Act (CCPA), which only went into effect this year. CPRA is slated to replace it in 2023.
Among other things, CPRA expands the types of data covered (any data “shared” with third parties); it also spells out specific categories of sensitive personal information that require special attention. It enables consumers (and employees) to opt-out of “automated decision making technology” (machine learning). And it creates a dedicated enforcement agency to ensure compliance.
We asked a number of digital marketers and technology companies to offer concrete advice for brands, publishers and advertisers about what they could or should do now to prepare for CPRA. Our experts included Cillian Kieran, Ethyca CEO; Simon Poulton, VP of Digital Intelligence at Wpromote; Kristina Podnar, Digital Policy Consultant; Gowthaman Ragothaman, CEO of Aqilliz; and Heidi Bullock, CMO at Tealium.
Kristina Podnar, Digital Policy Consultant & Author
Introduce/Increase transparency. CPRA introduces a slew of new requirements around data uses aimed at increased transparency. This will be a bit of a GDPR throwback for marketers who went through adaptation for that regulation. But for any marketer not yet subject to GDPR, this will be a tough hill to climb. Businesses should start paying attention to data privacy by design and governance practices. Specifically, pay attention to data minimization. In other words, only collect the information you need to do the things you say you will do for the user, tell the user how long you will keep their data, don’t extend beyond that timeframe for your own marketing needs, and only do with the data what you told the user you will do with it. Marketers will need to start paying attention to what data they collect, why they collect it, and how they manage that data throughout its lifecycle.
Show what you do and don’t control. Most digital marketers are oblivious to the AI and ML advances in the marketing stack, focusing only on the front-end functionality and desired customer experience outcome. That will need to change as a result of CPRA, which now recognizes the need for increased regulation around this machine-driven capability. Marketers will now need to tell users if they are profiling them and serving up advertisements and promotions using these capabilities. Businesses need to adjust for the cross-device, cross-channel, cross-business tracking and selling that is in place today. Why? Because under CPRA users can now say “don’t track me in that way.” This should remove the “creepy” noise from the marketing system from a user perspective. However it will certainly make it tougher for marketers and cause more business to move to a zero and first party data model.
Stop controlling users. Related to the above, CPRA specifically limits businesses from engaging users in any cross-context behavior advertising. In other words, marketers need to be transparent and can no longer push users towards services or products in a passive way (e.g., marketers can’t use dark patterns for collecting agreement/consent). The task here is for marketers to rethink consent structures, including CMPs, to avoid dark patterns and implied consents that are ubiquitous today.
Simon Poulton, VP of Digital Intelligence at Wpromote
Be CCPA compliant. Since CPRA will not take effect until 2023, focus on being CCPA compliant in the immediate future (if you’re not already). In many cases, CPRA expands on what is covered by CCPA, so compliance here will still be a step in the right direction. It should be noted that all regulations covered within CPRA will be applied to all data collected from January 1st, 2022 onwards.
Sharing = Selling. Under CCPA, some brands (e.g., Starbucks) explicitly stated that they did not view the sharing of data as selling. This is now clearly defined, and brands should be mindful of all data-sharing points.
Inventory your cookies. If you haven’t already, now is a great time to review all of the cookies and data-sharing functions that exist on your website and catalog what they do. It’s likely your legal teams will need to review these sooner rather than later.
Cillian Kieran, Founder and CEO of Ethyca
Review your ability to categorize data you collect, process or store. There’s lots more nuance in CPRA about how user data is categorized, and processors — including marketers — need to be able to treat different categories of personal information discreetly. An obvious example is the introduction of sensitive personal information (SPI). CPRA allows users to designate that their SPI be used only for the essential delivery of a good or service. This requires finer-grained control for data flows in backend systems.
Review all contracts , whether you’re the contractor or contractee. CPRA requires a much greater level of specificity regarding your data relationships with partners. Any subcontractor used by a CPRA-bound business must also be able to offer CPRA-level privacy protections. Per IAPP, “Third parties, service providers or contractors [must] enter into an agreement binding the recipient to the same level of privacy protection as provided by the act, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if can no longer comply.”
We’ll leave you with one that’s, on the surface, a bit simpler (although you’ll need to spend plenty of time re-examining data “sales” vs data “sharing”). That “Do Not Sell My Personal Information” link you placed on the homepage, tweak it to read: “Do Not Sell Or Share My Personal Information.”
Gowthaman Ragothaman, CEO at Aqilliz
Leaving third-party data — for good. A significant revision in the CPRA pertains to the amendment to the CCPA’s “Do Not Sell” clause which now covers the practice of data sharing, often leveraged as part of cross-site behavioral advertising and audience targeting.
For marketers and big tech firms alike, who are already beginning to grapple with the impending obsolescence of third-party cookies, this should come as no surprise. At this stage, marketers should already be exploring alternatives to limit the use of third-party data for audience targeting. Investing in strategic partnerships with publisher networks that have gone on to develop first-party data pools of their own or joining data federations will be essential. Marketers must also adequately vet publisher partners to ensure that data is being obtained in a conspicuous, ethical manner.
Keeping count. Similar to the European Union’s General Data Protection Regulation, CPRA demands far more stringent reporting requirements, mirroring the GDPR’s clause on the Record of Processing Activities. Firms will be responsible to disclose all the information collected about a given consumer, directly or indirectly, irrespective of where data sharing took place.
In light of this, marketers should be prepared to bolster existing tech investments to incorporate record-keeping tools. Now, more than ever, due diligence will be key. Having a historical record of the data throughout its entire lifecycle, will be crucial in ensuring that marketers are sufficiently prepared for the more rigorous reporting and disclosure required under CPRA.
Focusing on what’s necessary, rather than what’s nice to have. The CPRA has also widened the scope of what it defines as “sensitive personal information.” Beyond financial account information such as credit card numbers and government-issued identifiers, this now also expands to include racial or ethnic origin, sexual orientation, religious beliefs, and perhaps most significantly, “precise geolocation,” which is key for audience targeting. Under the CPRA, consumers will now have the ability to limit both the use and disclosure of sensitive personal information.
As marketers look to the future of audience segmentation and targeting efforts, significant changes will need to be made. Though the industry has historically reveled in a mindset of data abundance, marketers will need to make a crucial shift in thinking by taking data minimization to heart. In order to ensure adequate data minimization practices, businesses should not only reexamine their data retention practices for appropriate retention times, but also consider integrating data, storage, and purpose minimization into their data management strategies. Opt-out options for the collection and use of sensitive personal information should also be included. Audience engagement strategies will need to be re-defined and to go a step further. Tech vendors and infrastructures should also now be selected on the basis of better enabling a culture of data minimization.
Heidi Bullock, CMO at Tealium
Understand your data alongside consent. Brands need to know the exact content and source of their data, especially as we face a future filled with myriad new regulations. This includes pinpointing the types of data being collected — from call center to email and website data — and how that data flows across the company. Other factors to consider include, where the data originates, how it’s stored and how it’s being used by the brand.
Update brand policies. It’s good to revisit CCPA policies and ensure all processes are updated to adhere to the newest regulations, including the CPRA’s new right to correction. Ensuring that policies still align with and are clear for employees and consumers helps maintain an overarching understanding of privacy across the brand.
Maintain consumer trust. This is pivotal, especially since these regulations are in the best interest of consumers. A recent Tealium study found that, pre-COVID, 91% of consumers wanted the state or federal government to adopt strict regulations to protect their data.
Acknowledge new governance concepts. CPRA now limits the time brands can hold onto personal information in a new storage limitation requirement, so it’s important to consider this timeline when collecting, utilizing or sharing consumer data to ensure it remains within a reasonable window. The ability to govern data at an individual level in an automated, real-time manner will be critical for companies to comply with these new concepts.
Designate a privacy expert. As more and more regulations surface, it becomes crucial for brands to assign tasks internally to remain both accountable and organized. Internal processes are just as important as consumer-facing communications. Privacy experts with deep understanding for Martech are now more needed than ever, as the complexity of Martech alone kept companies busy beforehand.