In case you hadn't heard already, California voters passed Proposition 24 last week, which is the California Privacy Rights and Enforcement Act (CPRA). The act builds upon the California Consumer Privacy Act (CCPA), which went live earlier this year. The new CPRA is scheduled to replace that in 2023.
The author here asked a number of digital marketers and technology companies to provide concrete advice for brands, publishers, and advertisers in terms of preparing for CPRA. This is just a brief summary of some of the advice, and you should definitely head over to the article to get the full lowdown on CPRA preparation:
This is Kristina Podnar, who is a digital policy consultant & author:
|"Introduce/Increase transparency. CPRA introduces a slew of new requirements around data uses aimed at increased transparency. This will be a bit of a GDPR throwback for marketers who went through adaptation for that regulation. But for any marketer not yet subject to GDPR, this will be a tough hill to climb. Businesses should start paying attention to data privacy by design and governance practices. Specifically, pay attention to data minimization. In other words, only collect the information you need to do the things you say you will do for the user, tell the user how long you will keep their data, don't extend beyond that timeframe for your own marketing needs, and only do with the data what you told the user you will do with it. Marketers will need to start paying attention to what data they collect, why they collect it, and how they manage that data throughout its lifecycle."|
|"Be CCPA compliant. Since CPRA will not take effect until 2023, focus on being CCPA compliant in the immediate future (if you're not already). In many cases, CPRA expands on what is covered by CCPA, so compliance here will still be a step in the right direction. It should be noted that all regulations covered within CPRA will be applied to all data collected from January 1st, 2022 onwards. Sharing = Selling. Under CCPA, some brands (e.g., Starbucks) explicitly stated that they did not view the sharing of data as selling. This is now clearly defined, and brands should be mindful of all data-sharing points."|
|"Review your ability to categorize data you collect, process or store. There's lots more nuance in CPRA about how user data is categorized, and processors -- including marketers -- need to be able to treat different categories of personal information discreetly. An obvious example is the introduction of sensitive personal information (SPI). CPRA allows users to designate that their SPI be used only for the essential delivery of a good or service. This requires finer-grained control for data flows in backend systems."|