Alex Krylov & Perry Piep
Since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, millions of consumers have exercised their California privacy rights. To complicate matters, the expanded and more extensive California Privacy Rights Act (CPRA) will take effect in January 2023 — along with state-specific privacy laws enacted by Virginia, Colorado, Utah, and Connecticut. As state and federal regulations make their way to the forefront, all signs point to the same call-to-action: Invest in privacy now.
DataGrail teamed up with IAPP for a webinar to unpack the CPRA and help privacy teams understand where they should focus efforts heading into 2023.
Sarah Gatti, Corporate Counsel at Drift.com, said it best: “CPRA emphasizes that companies need to have a privacy and data awareness program internally — it needs to become an ethic.”
Here are our top 4 predictions for what the CPRA will mean for your business and how you can best prepare.
Prediction 1: Consumers take action
Prediction: Consumers will continue to exercise their rights under the CPRA and through other tangential means available to them, regardless of residence.
Recommendation: Make trust a brand differentiator. California proved that consumers will make their voices heard — at the voting booth and with their wallets.
The numbers say it all: Data subject requests doubled from 2020 to 2021 with the introduction of CCPA. But requests aren’t the only way consumers are exercising their rights. Marketing opt-outs, spam complaints, browser and device privacy settings, declining cookies, turning to privacy-focused browsers and VPNs, and using ad and script blockers are all examples of the ways consumers are taking back their identity.
Companies that use trust as a brand differentiator will reap the financial benefits. “If personal data is the currency of the digital economy, then how you treat that data is going to directly influence how you’re perceived in the marketplace,” said Alex Krylov, Senior Privacy Advocate at DataGrail.
Prediction 2: California-style protections become standard
Prediction: With the introduction of overlapping and nuanced requirements coming in 2023 – under the CPRA and the other state laws – companies will refocus on the fundamentals and aim to open California-style rights to all Americans.
Recommendation: Chasing compliance checkboxes won’t cut it. Returning to common, universal basics of a privacy program will be key.
A privacy program starts with understanding your business, your tech stack, and your partner and vendor relationships. Don’t forget all the humans whose data is in your or your service providers’ care.
When it comes to your website visitors, check your analytics and ad (re)targeting configurations, and confirm cookie consent management settings. The reasons for which you “share” data with a third-party tech provider may be subject to the CPRA’s broadened opt-out rights.
For your mobile and website users, check if you truly need the data you’re collecting. The CPRA brings European-style proportionality principles to the U.S.: If you cannot justify collecting or sharing personal information, let alone sensitive personal information, don’t.
Prediction 3: New agency will hold businesses accountable
Prediction: The California Privacy Protection Agency (CPPA), responsible for enforcing the CPRA, will tackle low-hanging fruit first.
Recommendation: Monitor the CPPA closely. Their draft regulations and statement of intent will serve as precursors for what they’re likely to address first.
The CPPA is tasked with rulemaking and guidance — plus they have the power to audit, issue cure-or-else violation notices, and levy administrative fines.
There’s plenty for them to start acting on, from inadequate privacy statements to broken “My Privacy Choices” links. But don’t be surprised to see landmark actions in relation to “dark patterns” and other highly subjective issues the Agency needs to contend with.
There are still open questions around how the Agency will work together with the California Attorney General (AG), who is responsible for the CCPA. As separate enforcement powers, they will need to coordinate their actions to prevent over-penalizing erring businesses. It helps that they seem to share common views on practices like objecting to businesses requiring consumers to create an account to opt out of data “sales”.
Prediction 4: Federal policy or not, privacy remains king
Prediction: When it comes to a federal privacy law, we don’t expect to see congressional miracles in 2023.
Recommendation: Treat your consumers as if they are subject to the highest levels of compliance.
Impasse and inaction by the legislative and executive branches of government will only further undermine the U.S.’s standing abroad. Should efforts like the American Data Privacy and Protection Act (ADPPA) or similar proposals fail to pass, now is still the right time to start building trust.
“We treat everyone as if they are subject to the GDPR. And we have tools embedded in the product that enable our customers to operate as if everyone they’re talking to is subject to the GDPR,” said Gatti.
Build a future-proof privacy program
Privacy is about building and maintaining trust. Protect the personal data in your care, preserve privacy rights, and iterate your privacy program to align with principles enshrined by the GDPR and CPRA: transparency, proportionality, personal agency, and accountability.
Stay Compliant with DataGrail
The CPRA will enforce a wide array of changes to privacy for California residents and bring U.S. privacy regulations closer in line with the GDPR. With new requirements for opt-out, audit and risk assessments, and consumer requests, the CPRA will greatly impact privacy practices for small and large businesses alike.
Most provisions of the California Privacy Rights Act will become operative at the beginning of 2023. Are you concerned about the coming changes and keeping your business compliant? If so, you need DataGrail.
At DataGrail, we know that making sense of all the complicated state, federal, and international privacy laws that your business has to adhere to isn’t easy. For example, if you have questions such as, “What is GDPR?” we’ve got you covered! We built our innovative data privacy platform so that businesses of all kinds have an easy-to-use resource for managing, automating, and keeping your data privacy programs compliant.