The California Privacy and Enforcement Act has been in effect for two years, but don’t delay preparation.
Last week, California voters passed Proposition 24, the California Conservation and Privacy Act (CPRA). It is based on the California Consumer Privacy Act (CCPA), which only came into effect this year. CPRA will replace it in 2023.
CPRA extends data types (all data is “shared” with third parties); it also describes specific categories of sensitive personal information that require special attention. It enables consumers (and employees) to deny ‘automatic decision-making technology’ (machine learning). It also creates a dedicated oversight body to ensure compliance.
We asked a number of marketers and technology companies to provide concrete advice to brands, publishers, and advertisers on what they can or should do to prepare for CPRA. Our experts include Cillian Kieran, CEO of Ethics; Simon Poulton, Vice President of Digital Intelligence at Wpromote; Kristina Podnar, digital policy advisor; Gowthaman Ragothaman, CEO of Aqilliz; and Heidi Bullock, CEO of Tealium.
Kristina Podnar, Digital Policy Advisor and Author
Set / increase transparency. CPRA introduces a number of new data usage requirements for greater transparency. This is little feedback for marketers who have undergone policy changes. But for any marketer who has not yet been covered by the GDPR, it is a difficult hill to climb. Businesses need to address the privacy of data through design and management practices. Pay particular attention to data minimization. In other words, collect only the information you need to do the things you tell the user, tell the user how long you will keep the data, and do not exceed the deadline to increase your marketing needs, which you also already do. Marketers will need to pay attention to the data they collect, why they collect it and how they deal with it during their life cycle.
Show what you can and cannot control. Most digital marketing professionals are not aware of the advances in AI and ML in the marketing industry and focus only on front-end functionality and the desired result of the customer experience. This will have to change as a result of the CPRA, which now recognizes the need for more regulation around this machine-driven force. Marketers should now notify users when creating profiles and using ads and promotions with these features. Businesses need to adapt to discover and sell the different devices, channels, and businesses that apply today. Why? Because CPRA users can now say, “I don’t like myself that much”. This should remove the “banded” noise from the user’s point of view. However, this will complicate marketers and more businesses will migrate to a zero and primary data model.
Stop checking users. In connection with the foregoing, the activities of CPRA specifically restrict the use of users in behavioral advertising. In other words, marketers should be transparent and users should no longer use passive products or services (e.g., marketers should not use obscure standards to obtain agreement/consent). The task here is to reconsider merchants in all licensing structures, including CMPs, to avoid obscure standards and implied permissions that are everywhere today.
Simon Poulton, Vice President of Digital Intelligence at Wpromote
Respect the CCPA. As the CPRA will only come into effect in 2023, it is necessary (if not) to focus on the foreseeable future of the CCPA. In many cases, the CPRA is expanding under the CCPA, so compliance here will be another step in the right direction. It should be noted that all regulations covered by the CPRA apply to all data collected from 1 January 2022.
Share = sell. According to the CCPA, some brands (e.g. Starbucks) have explicitly stated that they do not consider sharing data as sales. This is now clearly defined and brands need to consider all points for data sharing.
Make an inventory of your cookies. If you have not already done so, this is a great time to review all the cookies and data sharing features on your website and catalog what they do. Your legal team will probably ask you sooner or later.
Cillian Kieran, Founder and CEO of Ética
Evaluate your ability to classify the data collected, processed, or stored. There are many other nuances in CPRA about how user data is classified, and processors, including marketers, should be able to handle different categories of personal information discreetly. A clear example is the introduction of confidential personal information (SPI). With CPRA, users can indicate that their SPI is only used for the essential provision of a good or service. This requires precise control of the data flow in the rear systems.
Write down all contracts, whether you are the contractor or the contractor. CPRA requires a much greater degree of specificity regarding data relationships with partners. Any subcontractor employed by a CPRA affiliated company must also be able to provide privacy protection at the CPRA level. Per IAPP: “Third parties, service providers or contractors [must] enter into an agreement whereby the recipient maintains the same level of privacy protection as required by law, which gives the company the right to take reasonable and appropriate steps to ensure that it was taken and that the recipient notifies the company if they can no longer meet