CCPA, GDPR, and other regulations have given enough safety nets to consumers concerning data privacy protection, especially in handling their data. California Privacy Rights Act, 2020, also known as the CPRA, is effective from January 1, 2023. CPRA is fully enforceable from July 1, 2023, and is an amendment to the existing CCPA (California Consumer Privacy Act, 2018) but not a replacement of the CCPA.

With emerging technology, the need for the emergence of new laws to regulate data arises. And the emerging data privacy regulations will bring doldrums to businesses & marketers as they are unsure how it will impact their existing operations.

Before we dive in to understand the complexities of the new data privacy law, the CPRA and how it impacts businesses & marketing teams,  let us know what the law says.

CPRA 2020: Coming into effect from 2023

CPRA – California Privacy Rights Act 2020, which has come into effect from January 1, 2023, is fully enforceable only from July 1, 2023. However, all businesses should follow the regulations mentioned in the CPRA, in addition to the existing CCPA regulations, from January 1, 2023.

Timeline for CCPA:

Below is the detailed timeline of how CCPA evolved

Starting it’s journey in 2019, CCPA evolved itself and has come into full force in January 2023.

California Consumer Privacy Act (CCPA), 2018: 

The voters of California approved CCPA in 2018 to safeguard their personal information and incorporate:

• The right to know what information about them is collected by businesses and how it is used & shared
• The right to get personal information about them deleted
• The right to prohibit businesses from selling or sharing users’ personal information
• The right to not be discriminated against, just because they are exercising their CCPA rights.

CCPA mandates that these rights are for all California residents, even if they are outside California temporarily. And it applies to all for-profit businesses that carry out business operations in California or drive more than or equal to 50% of their AR (annual revenue) from selling California residents’ personal information, or buying, selling, or receiving personal information of more than or equal to one hundred thousand California residents.

CCPA Vs CPRA

There is hype created among businesses across the world that CPRA is a new law that comes into effect in resemblance to the GDPR. However, it is an amendment to the current California Consumer Privacy Act (CCPA).

It is clarified by the Office of the Attorney General, that they refer to CPRA as “CCPA” or “CCPA, as amended.” The Attorney General’s office was held responsible for enforcing CCPA earlier until December 2020. 

The two extra rights CPRA provides in addition to the existing rights provided by CCPA are:

• Right to Correct Inaccurate Personal Information
• Right to Limit Use of Sensitive Personal Information

CPRA will establish California Privacy Protection Agency (CPPA). CPPA is vested with the full administrative power, authority, and jurisdiction to enforce CPRA. CPPA takes control from the Office of the Attorney General to administer & enforce CCPA.

CPRA has added a new term – Sensitive Personal Information, in addition to Personal Information in CCPA. This move is seen as an inspiration of CPRA from the EU’s GDPR. It is also an example to show that CPRA incorporates GDPR-like provisions, moving a step further into a privacy-compliant world.

Impact of CPRA:

Marketers who were collecting user data from third-party and second-party sources will face consequences due to the new CCPA. However, the right to opt-out does not regulate non-personalized advertising. CPRA mentions that businesses which run non-personalized advertising shall not build a customer profile.

The above image is a screenshot from the Official CCPA, as amended, document. CPRA mentions that no business can sell or share the personal information of opted-out consumers. In addition, it mentions – “no business shall combine the personal information of opted-out users with that of the personal information they receive from a third party or second party”. So that businesses do not build a customer profile using personally identifiable information (PII).

Under the new CPRA, businesses are restricted to sell, buy, or share customer data with other parties to build customer profiles. This means CPRA discourages the use of second-party and third-party data. The California Privacy Rights Act (CPRA) does not impose restrictions on businesses that collect customer data with the customer’s consent for behavioral advertising purposes. CPRA encourages businesses to rely solely on first-party data, instead of second-party and third-party data. 

CPRA encourages the use of First-party data for Behavioral Advertising.

By focusing on first-party data, businesses can promote transparency and build stronger relationships with their customers. 

Do you want to go a step further? Collect Zero-party data! – Read our crisp blog on what is Zero-party data & how it is crucial to marketers.

CPRA also provides for what is the meaning of cross-context behavioral advertising, and it means:

The Way-Forward:

Every business should collect data in compliance with the CPRA guidelines and adhere to all the regulations mentioned. Here is what businesses should do:

• Collect: Organizations should collect the information only to the extent needed and with consent for the specific purpose.
• Use: Use the data only for the purpose for which it collects. If it wishes to use it for other purposes, the consent of the users is again necessary.
• Retention: Data should be stored only for a reasonable period, and you should inform the users of the duration for which the data is stored.
• Refrain from disclosing or sharing data: Organizations should refrain from selling, disclosing, or sharing Sensitive Personal Information, for specific secondary purposes, with any other party.
• Audit & Assessment: Organizations should audit their systems regularly at defined intervals to ensure data is secured and there are no breaches. Businesses should also conduct risk assessments to understand the strength of their cybersecurity frameworks and submit it to CPPA.

How your business can comply with CCPA:

As a data-driven digital marketer, collection & analysis of data is of high importance to understand user behavior and run high-performing ad campaigns. With GDPR and CCPA-like regulations emerging, you must turn to a fully privacy-compliant CDP like CustomerLabs. Trust us to collect and seamlessly integrate your real-time data with ad platforms. A step towards CustomerLabs will ensure your data is safe and secure in compliance with all data privacy regulations.

Our systems are highly secured and collect user-behavior data transparently. We have advanced technology that hashes the data before syncing it with the ad platforms such as Google, Facebook, etc. Thus, we are compliant with data privacy regulations across the world. While we offer comprehensive 360-degree customer profiling, we still maintain user privacy without disclosing personal information and Sensitive Personal Information.

Key Takeaways:

• CPRA is an amendment to the existing CCPA, taking it a step closer to a GDPR-like law that offers more privacy to users.
• Users of California now enjoy two more rights in addition to the rights they enjoyed until 2022.
• California Privacy Protection Agency (CPPA) will be the sole authority with full administrative power & jurisdiction to implement and enforce the CCPA.
• Businesses & marketers should embrace the changes and adapt to the future of marketing.
• Understand your consumers better in compliance with the data-privacy regulations across the globe.
• Collect consumer data in compliance with data privacy regulations.
• Protect consumer privacy while offering personalization.
• Adopt First-party data strategies.

Wanna know in detail about CCPA? Read-on – View the CCPA document (PDF)