Californians recently had the chance to vote on Proposition 24, also known as the Consumer Privacy Rights Act (CPRA). Broadly speaking, it’s meant to expand the preexisting California Consumer Privacy Act (CCPA) and give consumers more control over how companies use their data. It also eliminates the ability of those companies to fix violations before being penalized and establishes the California Privacy Protection Agency (CPPA).
While some advocates believe it’s a significant step in the right direction, critics believe Proposition 24 doesn’t go far enough in a state that’s home to tech giants like Facebook, Google and Apple. It passed despite any shortcomings, however. While the law won’t be fully implemented until January 1, 2023, it will retroactively apply to any data collected a year earlier while the CPPA will immediately begin its oversight and enforcement—a daunting task no doubt.
What does it all mean? What effects will the Consumer Privacy Rights Act have on the marketing industry? How can agencies like Mindgruve and their clients adapt to the CPRA? Many of these answers are detailed below.
The Basics of the CPRA
- It reclassifies certain sensitive data into a subcategory of personal information. One threshold for compliance increased from processing 50,000 records of personal information to 100,000 per year. But companies may still meet it if their overall gross revenue exceeds $25 million.
- It expands the right to opt out of the “Sale” of information by adding “Sharing” of information and how it’s done so downstream. A “Sale” is the exchange of personal information for valuable consideration. “Sharing” is when personal information is leveraged for cross-contextual advertising, regardless of value. This will likely have a noticeable impact as it specifically calls out “cross-context behavioral advertising.”
- It applies more safeguards to minors. Fines related to an intentional violation are subject to three times the amount up to $7,500.
- The legislature cannot amend the law to weaken it, only strengthen it. Otherwise, it requires a new ballot initiative. It also restricts lobbying measures to dilute privacy protection.
- It establishes the CPPA to immediately provide oversight, education, additional regulations and more while enforcing the law via administrative proceedings. Expect a high level of activity as this is a wholly dedicated and well-funded body.
- There are additional provisions for reporting data breaches. While there aren’t additional requirements, the CPRA clarifies that a breach cannot be “cured” after the fact by implementing security. It also eliminates the obligatory “cure” period for non-breach violations.
- There are additional rights to correct inaccurate data retention. This includes (1) the right to request rectification of inaccurate info; (2) the right to restrict the use of sensitive personal info [including precise geolocation (within 1850-ft radius)]; (3) the right to opt out of “Sharing.”
Possible Impacts of the CPRA on the Marketing Industry
- Google, Facebook, Apple and others will not be able to use third-party data as frequently, which could negatively impact their targeting and retargeting efforts. They will, however, benefit from larger market shares as smaller third parties will be impacted by (1) the elimination of third-party cookie tracking by browsers; (2) the consumer’s right to opt out of “Sale/Share”; (3) the use-restriction on sensitive personal information. Market participants that have first-party relationships with consumers will be in a better position to negotiate the terms of privacy rights.
- The continued rise of “pay for privacy,” which is the practice of charging or rewarding consumers based on their data sharing preferences. This dates back to the adoption of the CCPA. Companies offer financial incentives to consumers for the collection, selling, sharing and retention of their personal information. They may also offer different rates or provide different qualities of goods or services if the difference is equitable to the value of the consumer’s data.
- A forthcoming federal law. Many privacy laws in other states, which are similar to the CPRA and Europe’s General Data Protection Regulation (GDPR), have been renewed. This may even be a priority under the new administration, especially with Vice President-elect Kamala Harris who was a major privacy proponent when she served as California’s Attorney General.
- Publishers with direct relationships could benefit, which may trigger a shift back to contextual and/or endemic buys.
- Global opt-outs, which will be explored via regulations and likely apply to “Do Not Share” requests currently. The previous concern was that “Do Not Track” was not the same and made the system ineffective.
How Mindgruve Will Respond to the CPRA
- Educate clients and their customers.
- Prepare for increased minutiae from the ad tech industry on rules, regulations and terms.
- Increase focus on data governance. It is likely that every website will need an “Opt-Out/Opt-In” section of the home page or a pop-up module while also responding to global requests by a browser and device setting. This is obviously complicated and could depend on how Google and Facebook respond. Additional must-haves for websites could include but aren’t limited to the California Privacy Right Notice, a “Do Not Sell or Share My Personal Information” option, a “Limit the Use of My Personal Information” option and financial incentive disclosures. There must be a process for opt-outs, too, which will have to clearly state how protected information is being used, how to update it and what effects it has on a consumer’s activities.
- Flag controversial interpretations of CPRA and how it’s applied to third-party cookie providers. Partners that don’t meet compliance standards will be dealt with directly.
- Adhere to stricter design practices, including the continued avoidance of dark patterns. A dark pattern is a misleading or otherwise deceptive UI/UX that attempts to exploit human psychology and force consumers to do what they might not want to.
- Adapt media buying and targeting practices. Automated targeting and bidding might be watered down while contextual and endemic buys could become more effective in comparison.
While the CPRA is a complex law with a variety of implications, it’s important to remember that its backbone is still an “opt-out” process and very few people at present are doing so. It’s also obviously restricted to California. Considering these factors, we don’t believe there will be a major or immediate impact on results. In fact, studies show that consumers under the GDPR provide consent more than 95% of the time.
As browser extensions and global device opt-outs continue to proliferate, however, there might be a more significant shift by 2023.
Talk to your lawyers about current legislation, how it might expand in the future and what it could mean for your marketing efforts. For more information in the meantime, please contact us.
For more information on the CCPA, check out our post: Data, Privacy & The Marketer’s Dilemma.