Stay ahead of the compliance curve by proactively prepping for the California Privacy Rights Act.
In 2018, the European Union's General Data Protection Regulation (GDPR) took effect, proving to businesses around the world that consumers are not going to stop demanding increased privacy rights.
Before the ink was even dry on the California Consumer Privacy Act (CCPA), privacy advocates were already working on its replacement, the California Privacy Rights Act, or CPRA.
And while the CCPA set the standard for modern US privacy law, CPRA raised the bar even higher. GDPR, CCPA, CPRA, CPPA…if you’re feeling swamped by acronyms, keep reading.
Here’s what’s new
CPRA has a lot of similarities to the CCPA, but there are some key differences in who the law applies to and how it’s enforced:
- CPRA changes the threshold for which businesses are covered. (Small business owners, rejoice!) A business is covered if it meets any one of these:
- $25M in global annual revenue (this stays the same from CCPA 1.0)
- OR 100,000 consumer/household records bought, sold, or shared per year (this is an increase from 50,000, and devices no longer count toward the total)
- OR 50% or more of annual revenue from selling or sharing personal information
- Fines for violations involving minors (consumers under 16) rise to $7,500 per violation, without any requirement to show the violation was intentional.
- Businesses are now restricted from selling and sharing data with third parties instead of just from selling data, closing a loophole that had been used to circumvent notification requirements.
- Businesses are responsible for how third parties use, share, or sell the personal information they receive from them, and must contract for that accountability.
- Businesses are required to have an obvious “Do Not Sell or Share My Personal Information” button on their website.
- CPRA eliminates the 30-day cure period before businesses can be fined.
- Administrative enforcement moves from the California Attorney General (AG) to the newly created California Privacy Protection Agency (CPPA); the AG keeps the ability to bring civil actions.
Differences for consumers
The whole point of CPRA is to clarify vague sections of the CCPA and expand the protections available to consumers, including:
- Expanding the categories of information eligible for private right of action after data breaches.
- Adding the right to correct inaccurate information companies have on them and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights.
- Adding protections for sensitive personal information like SSNs, driver’s license numbers, biometric information, precise geolocation, and racial/ethnic information.
- Granting consumers the right to deny both the sale and the sharing of their information.
- Giving consumers opt-out rights around profiling and automated decision-making, with the details left to CPPA regulations.
What it all means
Some of these changes are a bigger deal than others.
Some are straightforward. Whether or not you handle 100,000 records a year is pretty black-and-white. So is adding specific types of personally identifying information (SSNs, driver's license numbers, precise geolocation, etc.) to the categories CCPA already protected (cookie identifiers, browsing history, employment-related information, psychometric data, IP addresses, etc.).
Others are not. You are now responsible for how your third-party vendors use the information you've collected. This means you need to go back and review not only how you handle data, but how your vendors handle it as well, and fix the contracts that don't hold them to it.
Another major change that CPRA introduces is the creation of the California Privacy Protection Agency (CPPA). Instead of relying on the already unwieldy, overburdened AG office for enforcement, the CPPA will dedicate significant resources, both financial and staff, to rulemaking, audits, and administrative enforcement.
This increased oversight is a double-edged sword. On the one hand, businesses are likely to get much clearer guidance on what the regulatory requirements actually mean. On the other, companies can expect robust auditing and enforcement. CPRA also widens the private right of action: consumers can now sue over a breach that exposes their email address together with a password or security question and answer, not just the narrower set of identifiers CCPA covered.
Keep reading to learn how you can manage everything that is heading your way.
Here’s your to-do list
Check out our nine steps that can help you be CPRA-compliant.
1. Plan your compliance strategy
The biggest thing everyone has going for them is that CPRA doesn't take effect until January 1, 2023, with enforcement starting July 1, 2023. You have almost two full years to prepare and get your ducks in a row. Take advantage of it.
If you start working on it now, you have time to break your strategy into manageable pieces that won’t overwhelm your teams or your systems, letting them drink from a drinking fountain instead of a privacy firehose.
Starting now also allows you the opportunity to truly build a great program, one that is agile and goes beyond just compliance to truly establish you as a forward-thinking, consumer-focused leader.
2. It’s all hands on deck
A good privacy program doesn’t depend on IT for everything. You should incorporate every function in your organization, from HR to legal to operations to marketing, in the development and execution of your compliance program. Identify team members from different departments and form a committee that can help share the work.
3. Get what you need
If you’re already CCPA compliant, you’ll likely be able to complete this step by making small changes to your existing processes.
If you aren’t CCPA compliant yet, having a good compliance strategy is crucial to making this step work. Do you need to upgrade your IT infrastructure or buy new software? Do you need a consultant to help you understand the ins-and-outs of your responsibilities? Do your employees need to be trained (or re-trained)?
Don’t feel like you need to become a privacy guru or that you need to manage compliance on your own. Resources and professionals exist to help you, and starting now gives you time to find the ones that fit your needs and budget.
4. Organize your data
Once you have a strategy, a first-rate privacy team, and the tools you need, you’re ready to start the hard work. Hands down, the biggest challenge CPRA presents is creating an efficient data inventory and effective workflows for managing the individual rights requests that will inevitably come your way.
This is, in part, because CPRA has changed what constitutes sharing and selling data. If you have been sharing data with advertisers for cross-device tracking or ad targeting, you now have to disclose that and give consumers a way to opt out of it, even when no money changes hands.
That means keeping close tabs on what you've got going on, data-wise. You need to know what you're selling and what you're sharing, because CPRA is un-blurring the lines between the two activities. The best strategy for data clarity? A thorough data mapping project. (See below for where to start.)
To do this well, you should complete (or update) your data mapping processes. Data mapping will expose any gaps you have in your data collection practices by showing you what type of data you are collecting, who you are collecting it from, where/how long it’s being stored, and who it’s being sold to or shared with. All of that information is critical to establishing and maintaining CPRA compliance.
Side note: Are you a sensitive data collector? Under CPRA, you need to have clear business purposes for using it. You need to know what you have because the restrictions and requirements around usage may differ. So double down on your data mapping efforts if this applies to you.
5. Understand individual rights
Again, if you’re already CCPA compliant, updating your processes to manage the new categories of sensitive personal information and the new timelines for request acknowledgment and resolution is totally doable.
If you’re starting from scratch, it’s still totally doable. It will just take a little more effort. CPRA requires you to be able to respond to individual requests from consumers who want to access, delete, or correct the data you have collected about them. Consumers have the right to opt-out of having their information shared or sold and to limit the use and disclosure of sensitive information.
To do all of that, your data collection needs to be specific and limited. Your data mapping needs to be spot on. And you need to have really solid processes (that you have really trained your employees on) for responding to these requests.
One of the best ways to manage individual rights requests is to build a one-stop privacy shop called a preferences center. A preferences center lets consumers read your privacy notice, manage their data, and submit access, deletion, correction, and opt-out requests without having to scour your site map for your business practices and contact information. A well-designed preferences center won't make you compliant by itself, but it gives every request a single, auditable front door, which makes the rest of CPRA compliance much easier to demonstrate.
6. Strengthen your security
Like CCPA, CPRA requires companies to take “reasonable security measures” to protect the data they collect. But CCPA didn’t give much guidance on what those security requirements needed to look like.
CPRA isn't super specific either, but it does require businesses whose processing presents a significant risk to consumers' privacy or security to perform annual cybersecurity audits and submit regular risk assessments to the new CPPA. Setting those processes up ahead of time gives you the runway to make sure they work, and to fix any problems they find, before CPRA is enforced.
CPRA's stronger right of action and dedicated enforcement agency mean it's far more likely than ever before that bad actors won't be the only ones on the business end of administrative actions. Even accidental mistakes can be costly, which is why you need to give yourself time to build a strong, proactive program. If you can demonstrate you've done your level best to comply, you're far more likely to have regulators work with you if there is an issue.
7. Check your privacy notices
Complicated regulations that vary by location mean standard cut-and-paste privacy notices just won't cut it anymore. Additionally, the trend right now is to move away from dense, purposefully incomprehensible legalese toward customized, user-friendly privacy policies that clearly explain what you collect, why, who you share it with, and how consumers can exercise their rights.
And remember: CPRA requires your privacy notice, and your "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links, to be front and center on your website.
8. Train, train, and train again.
Your compliance program is only as strong as your employees’ understanding of it. Even if you are CCPA compliant, your employees will still need to be retrained. If you start now, you’ll be able to do this training in small chunks over the next two years instead of dumping a giant new manual on your employees right before CPRA goes into effect and hoping no one makes a mistake.
Training can happen more than once a year. You don’t need to only block off two days for a privacy symposium. You can also set aside a few hours once a quarter, ten minutes in a weekly staff meeting, or five minutes to write a team email. It all adds up.
9. Go brag!
Okay. You have a compliance strategy that is being executed by a top-notch cross-functional team. Your consultants have helped you get the right software to map your data and build effective processes for responding to individual rights requests. Your team has closed the gaps it found after the risk assessment. You've got a preferences center, and your employees could answer Double Jeopardy questions about your user-friendly privacy notice.
Now what?
Now you go tell people!
You’ve spent a lot of time and effort getting compliant, and you should be getting credit for it. Companies that have a proactive privacy program can use that as a differentiating factor, especially since an increasing number of consumers have proven they will switch companies or providers over data collection and sharing practices.
So instead of hiding your privacy notice, flaunt it by:
- Building an easy-to-understand section about your privacy program into your website.
- Including your commitment to consumer privacy in the marketing you put out about your other social responsibility initiatives.
- Writing opinion pieces and guest posts about the intersection of privacy, e-commerce, and advertising.
- Establishing yourself as a leader by having your privacy team present at business conferences and industry meetings on how you made privacy work.
- Training your customer service employees to bring up your commitment to privacy in their user interactions, à la Southwest Airlines' "We know you have a choice when flying. Thanks for flying with us" flight attendant speech.
Don’t get overwhelmed. Just get to work.
Rome wasn’t built in a day. Neither is a strong privacy program. Privacy compliance can feel overwhelming, especially when it changes every few years. But every step you take makes it less overwhelming, especially when you give yourself time to do it right.
Three years ago, companies across the globe were scrambling until the very last minute to get GDPR-compliant. Even with a two-year run-up, GDPR was the first regulation of its kind and no one knew what they were doing.
That isn’t the case this time around. You can do it. And we can help.
Red Clover Advisors is here to keep you moving towards compliance. We can help you with whatever part of the process feels like too much.
Drop us a line today and let’s get started.