The state of California has passed the Consumer Privacy Rights Act. This legislation allows consumers to prevent businesses from sharing personal information and limits businesses’ use of personal information including precise geolocation, race, ethnicity, and health information.
It’s important to understand the Consumer Privacy Rights Act. California is a bellwether state. What happens in California may influence how other states enact consumer privacy laws. With that in mind, I have provided answers to some commonly asked questions.
What is the Consumer Privacy Rights Act?
The Consumer Privacy Rights Act (CPRA), also known as Proposition 24, is an update to the California Consumer Privacy Act (CCPA). The CPRA provides more safeguards and protections to consumer privacy.
What was the original California Consumer Privacy Act supposed to do?
The CCPA, which became law on January 2020, granted new rights to California consumers. The CCPA imposed requirements on how businesses collect, use, and disclose information about California residents. For instance, businesses subject to the CCPA must provide notice to consumers at or before data collection. Read more about the CCPA on our blog.
What does the Consumer Privacy Rights Act do?
The CPRA makes the CCPA stronger. Here are some specific features:
- Greater protection of California residents’ personal information, ranging from their location to their ethnicity.
- Tougher safeguards to protect minors’ information. For instance, the law requires businesses to include an opt-in requirement to sell the data of consumers under age 16.
- The establishment of a California Privacy Protection Agency to enforce the above requirements, which will be funded by up to $10 million per year.
Having an agency dedicated to CCPA will likely lead to more businesses in compliance and enforcement of penalties.
Does the Consumer Privacy Rights Act apply only to businesses in California?
The CPRA may apply to you no matter where you are located. If a California resident can access your website, compliance is required. This was true with the original CCPA as we blogged. Those requirements remain very much in force.
When does the Consumer Privacy Rights Act go into effect?
Most of its provisions will go into effect on January 1, 2023. Meanwhile, the CCPA remains in effect.
What should I do about this?
Do your homework now. Remember, the CCPA is the law – so it’s important to ensure compliance on an ongoing basis. At the same time, make sure you understand the additional provisions of the CPRA.
Understand the tightened requirements. For starters, double check the strength of your opt-ins and opt-outs. Do you have a process in place to quickly address privacy requests? Err on the side of being more conservative in consent for data capture.
Take a closer look at how the law defines personally identifiable information (PII). The definition is becoming more complex as privacy law evolves. Now is a good time to examine how you are using PII.
Make sure you have a clear snapshot of how you are doing business with California residents.
Consult with your advertising partners, including any ad tech firms you work with, to ensure they are compliant with the privacy law.
How do I ensure I am compliant?
A number of security firms provide compliance services. Unless you have a strong in-house security team, your best bet is to look for compliance help from a specialist. Also, here is a resource for additional insight:
“The CPRA Will Bring New Rights, Responsibilities and Regulators to California Data Privacy Law,” the National Law Review.
Contact True Interactive
To manage advertising online effectively, contact True Interactive. We’re here to help!