The California Privacy Act (CPRA) also known as proposition 24, improves the provision and enforcing of the California Consumer Privacy Act (CCPA), is scheduled to come into effect from Jan 1, 2023. On this date the directives will be implemented in terms of the rights and access to personal data collected by brands.
However, that does not relax CPRA compliance and does not let businesses be blind to CPRA as of now. The rights of a Californian customer when it comes to their personal information as and when collected by a business, as per CPRA are still some time away, however, it should not be forgotten that CCPA is still active.
In an effort to understand this better let us first take a note on who needs to comply with CPRA. The businesses that collect data on customers who are citizens of California and meet even one of the following thresholds as denoted by CPRA must comply. The following demarcate changes between CCPA and CPRA.
- CCPA: Businesses with gross revenues of more than $25 million.
- CPRA: As of the 1st of Jan of a year had gross revenue of more than $25 million in the previous calendar year.
- CCPA: Holds personal data for 50000 or more consumers or households and receives annually/buys/sells/shares this for commercial purposes.
- CPRA: The limit of 50000 is increased to 100000 and the ‘receives’ part is removed.
- CCPA: Gains 50% or more of its annual income from selling customer’s personal information.
- CPRA: Sharing is included in addition to selling.
Now let’s take a look at six compliance tips for the California Privacy Rights Act.
1. Data labeling and classification
You are already prepared and compliant with CCPA and also possess a good understanding of the data collected by your business which is being processed and could relate to an individual, household or device and is further classified as ‘personal data’, as per the CCPA.
However, the CPRA offers additional protection of classified sensitive personal information including a person’s social security, financial information, passport number, race or ethnic origin, geographical location, philosophical beliefs, religious sentiments, personal communication and genetic data which are not intended for business purposes as per CPRA section 1798.140(ae).
Businesses that already have information classification in place and personal information labeled as such can focus on filtering the sensitive personal information from the rest. At the same time, if a business is compliant with the European Union’s General Data Protection Regulation, you might have already identified most of the sensitive personal information your business has collected.
2. Contract revisiting
The CPRA has included a shift in liability for businesses for law violations by “third party” vendors or affiliates and includes new obligations in terms of contracts regarding these third party relationships. As per CPRA, third parties are not businesses with whom customers interact intentionally. They collect customer data from the companies to whom they are the service providers or contractors. This is why businesses need to create an inventory of the contractors and third parties as they enter into appropriate arrangements with them.
If you are a publisher, advertiser or technology company, you will need your business agreements updated and at par with the regulations. Things that businesses were indecisive about have been clarified in CPRA. Sharing personal information for “cross-textual behavioral advertising” is subject to the customers requesting to opt-out or not. This is as per CPRA section 1798.140(ah).
Some businesses already include an opt-out request that can be invoked by customers, personal information received or shared for cross-textual advertising purposes can be maintained. Many businesses have been able to avoid this by treating certain partners as service providers as defined by CCPA. CPRA removes this possibility by clearly defining that such partners do not count as service providers, under CPRA section 1798.140(e) (6).
You will need to review the existing contracts and create new ones for the partners to be re-classified. This is to make sure that the business partners can function as intended. This needs to be aimed at removing the limitations on use of data to avoid the unnecessary restrictions on the existing data and the addition of newer requirements to protect data in a more effective way.
3. Notice the HR and B2B data regulations
Employee and B2B communications were exempted by CCPA from the same personal data rights granted to Californian consumers until 1st Jan 2021, however CPRA extends that exemption to 1st Jan, 2023.
One of the biggest challenges for most organizations will be creating a compliance program for B2B and HR data. Most businesses were considering B2B and HR data to be of a lower priority, but now they need to blow the dust off their CCPA compliance programs and amend them to include B2B and HR data in preparation of the new CPRA regulations and its obligations.
4. Prepare to update privacy policies and notices
Businesses need to review aspects of their CCPA compliance programs and make the necessary changes to comply with CPRA. As an example, privacy notices will need new language and rights to be added like corrections. Also, contracts with service providers will need revisiting.
Businesses need to discuss, review and refresh the terms and conditions they share with their customers when they store and process the data with their permission. Brands also need to ensure a retention policy is adhered to as when CPRA is enforced, businesses face a risk of non-compliance when holding data for a long period. The data cannot be retained for just any business purpose, other than what was disclosed while the data was collected.
5. Categorize and audit your customer data
Key requirements of CPRA compliance need you to know what customer data you are collecting, how you are using it and if you are able to report on it or delete it on request. These may sound like simple things but they are are not. Not every business has the capability or transparency to identify their stock of customer data, and delete or extract it as and when required .
Businesses need to be familiar with the data and identify where it is being stored. They must also know how it is being stored internally and who has access to it. Make sure it is categorized for retrieval or removal related events. This may require end-to-end audits of sales and marketing. This will meet the demands of data reporting or deletion and make it easier and cheaper in response to the requests.
Clearly communicating with partners and vendors to understand their processes, kinds of categorization and data tagging will provide more consistent operations.
6. Minimize data
Rather than wait for regulations to apply and fix your business structure, find opportunities to accomplish the tasks with less data from customers. CPRA bars organizations from collecting more personal information than required to achieve the relevant business purpose. CPRA also states that a business should not retain a customer’s personal information for longer than it is necessary.
The organizations that collect customer data for their business processes have about two more years to prepare for CPRA compliance and, at the same time, it’s never a bad idea to get ahead of the competition. Businesses should start by assessing their marketing and data sharing strategies as the new legislation will pose new challenges.