Understanding More About California Privacy Rights Act (CPRA) And How It Can Impact Brands and Marketers

Passed in November 2020, CPRA (California Privacy Rights Act) is a new data privacy regulation in California. The act will officially go into effect from January 2023, and here is what brands and marketers should know about it.

CPRA was passed roughly three years after the California Consumer Privacy Act (CCPA) was enacted. CPRA was built to address a few provisions that its predecessor CCPA lacked. The new legislation was about to pass in the 2018 ballot but was replaced by less restrictive law.

Marketers are facing a lot of data privacy issues these days. We understand marketing in this era of data privacy will require your team to keep up-to-date with these regulations. Knowing these requirements in advance will help you succeed in your endeavors while complying with the laws.

As consumers all around the world think that data collection brings more risks than benefits, they have become vocal about their expectations from the companies.

Key Things Marketers must know about CPRA

Most of the marketers are aware of the rules laid in CCPA but CPRA has many requirements that expand beyond the scope of the previous regulation. However, marketers must know the following four of them.

  1. CPRA regulates both the sale and sharing of personal information.
  2. We have a new category of personal information bifurcated as sensitive personal information, and all online businesses must include a link on their homepage that enables users to limit its use.
  3. The CPRA limits businesses to use the personal information of the users as they have described in their privacy policy.
  4. Agreements, if any, with vendors, contractors, or third parties will need special provisions describing how they can use the personal information sent to them.

Let us check the major Implications of these changes here in detail.

Sharing and selling personal information are regulated

Under CCPA, businesses have to provide visitors a means to opt out of the sale of their personal information. However, the term ‘sell’ was broadly defined under CCPA and many activities fell outside the scope of it.

Fortunately, CRPA has fixed this issue by further regulating the share of personal information. Under CRPA, businesses must provide a link on their home page reading “Do not sell or share My Personal Information”. The link should enable users to opt out of cross-context behavioral advertising.

To comply with this rule, marketers must find a way to either get consent or lack consent to the sale or sharing of their personal information. As a result, a new software category has emerged to help businesses accomplish these compliance tasks – consent management platforms or CMPs.

Marketing Technology News: Interview with Sean Adams, Global Insights Director at Brand Metrics Featuring Jade Power, Director of Digital Monetisation at National World

Sensitive personal information has a new category

CRPA has come forward introducing ‘sensitive personal information’ and this type of data can include health conditions, ethnicity or racial origin, citizenship status, geolocation, email content, financial information, religious beliefs, social security and other forms of ID, and so on.

With CRPA in place, consumers now have the right to limit the use of their personal information. To get this sorted, businesses must have a prominent link or button on the homepage so that users can request to restrict the disclosure of their sensitive data.

Marketers must make sure that the privacy team knows the way to use sensitive personal information.

Limitations on data collection and processing

Earlier under CCPA, businesses were just required to notify users if they wanted to use any previously collected information for a different purpose other than the purpose for which the data was initially collected.

Now with CRPA, the practice has been limited by codifying a new data privacy principle known as purpose limitation. Under this rule, the collection and use of personal information must be proportionate to fulfill a specific purpose. However, it is acceptable to use the personal information of the user as far as the user is notified of the same, but the new purpose should be compatible with the context in which the personal information was collected.

The most important point for marketers is that they must disclose the purpose of collecting personal data in the first place. It can be a major change for those marketers who are collecting ample data from website visitors and prospects.

Wrapping up – maintaining compliance

The marketers already practicing privacy-first marketing can easily find a balance between actionable data and privacy compliance. A better understanding of how data privacy works will allow marketers to collect data ethically – and prevent compliance penalties or damaging the organization’s reputation.

To achieve this, marketers need a comprehensive and structured plan to collect and keep track of the data that makes sense across all their organization’s internal systems.

Marketing Technology News: Harness the Potential of Connectivity for Enhanced B2B Interaction

BONUS READ: 

GTM Fundamentals for 2023 with MarTechSeries and Demandbase; Chris Moody, Head of GTM Strategy and Thought Leadership at Demandbase shares proven tips and best practices. Download now!

Picture of MTS Staff Writer

MTS Staff Writer

MarTech Series (MTS) is a business publication dedicated to helping marketers get more from marketing technology through in-depth journalism, expert author blogs and research reports.

You Might Also Like