The Consumer Privacy Rights Act: Advertiser Q&A

The Consumer Privacy Rights Act: Advertiser Q&A

by Tim Colucci Advertising

The state of California has passed the Consumer Privacy Rights Act. This legislation allows consumers to prevent businesses from sharing personal information and limits businesses’ use of personal information including precise geolocation, race, ethnicity, and health information.

It’s important to understand the Consumer Privacy Rights Act. California is a bellwether state. What happens in California may influence how other states enact consumer privacy laws. With that in mind, I have provided answers to some commonly asked questions.

What is the Consumer Privacy Rights Act?

The Consumer Privacy Rights Act (CPRA), also known as Proposition 24, is an update to the California Consumer Privacy Act (CCPA). The CPRA provides more safeguards and protections to consumer privacy.

What was the original California Consumer Privacy Act supposed to do?

The CCPA, which became law on January 2020, granted new rights to California consumers. The CCPA imposed requirements on how businesses collect, use, and disclose information about California residents. For instance, businesses subject to the CCPA must provide notice to consumers at or before data collection. Read more about the CCPA on our blog.

What does the Consumer Privacy Rights Act do?

The CPRA makes the CCPA stronger. Here are some specific features:

  • Greater protection of California residents’ personal information, ranging from their location to their ethnicity.
  • Tougher safeguards to protect minors’ information. For instance, the law requires businesses to include an opt-in requirement to sell the data of consumers under age 16.
  • The establishment of a California Privacy Protection Agency to enforce the above requirements, which will be funded by up to $10 million per year.

Having an agency dedicated to CCPA will likely lead to more businesses in compliance and enforcement of penalties.

Does the Consumer Privacy Rights Act apply only to businesses in California?

The CPRA may apply to you no matter where you are located. If a California resident can access your website, compliance is required. This was true with the original CCPA as we blogged. Those requirements remain very much in force.

When does the Consumer Privacy Rights Act go into effect?

Most of its provisions will go into effect on January 1, 2023. Meanwhile, the CCPA remains in effect.

What should I do about this?

Do your homework now. Remember, the CCPA is the law – so it’s important to ensure compliance on an ongoing basis. At the same time, make sure you understand the additional provisions of the CPRA.

Understand the tightened requirements. For starters, double check the strength of your opt-ins and opt-outs. Do you have a process in place to quickly address privacy requests? Err on the side of being more conservative in consent for data capture.

Take a closer look at how the law defines personally identifiable information (PII). The definition is becoming more complex as privacy law evolves. Now is a good time to examine how you are using PII.

Make sure you have a clear snapshot of how you are doing business with California residents.

Consult with your advertising partners, including any ad tech firms you work with, to ensure they are compliant with the privacy law.

How do I ensure I am compliant?

A number of security firms provide compliance services. Unless you have a strong in-house security team, your best bet is to look for compliance help from a specialist. Also, here is a resource for additional insight:

The CPRA Will Bring New Rights, Responsibilities and Regulators to California Data Privacy Law,” the National Law Review.

Contact True Interactive

To manage advertising online effectively, contact True Interactive. We’re here to help!

What Is the California Consumer Privacy Act (CCPA)? Advertiser Q&A

What Is the California Consumer Privacy Act (CCPA)? Advertiser Q&A

by Tim Colucci Marketing

The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. The forthcoming law symbolizes how consumer privacy is increasingly taking center stage among governmental bodies in the United States. Preliminary estimates suggest it will cost businesses $467 million to $16.5 billion to comply in coming years.

At this point, it’s safe to say that every major advertiser is aware of the CCPA. But it’s not always easy to understand exactly what this omnibus legislation is all about. So we’re going to answer some question that we’ve been getting. Check it out – the CCPA might apply to you whether or not you do business in California, so it’s important to understand it:

What Is the CCPA?

The CCPA is new legislation designed to enhance privacy rights of California residents. With a population of nearly 40 million, California is considered a bellwether state. Many privacy experts are watching the CCPA closely because of its potential impact on how privacy is legislated across the United States.

How Does the CCPA Enhance the Privacy Rights of California Residents?

The CCPA grants new rights to California consumers, per the CCPA website:

  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

What Does the CCPA Require of Businesses?

In a single sentence: the CCPA imposes requirements on how businesses collect, use, and disclose information about California residents.

But the legislation is dense and difficult to untangle. Per the CCPA website, businesses must fulfill these obligations:

  • Businesses subject to the CCPA must provide notice to consumers at or before data collection.
  • Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
    • For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website  or mobile app.
  • Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
    • As proposed by the draft regulations, businesses must treat user-enabled privacy settings that  signal a consumer’s choice to opt-out as a validly submitted opt-out request.
  • Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
    • As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
  • As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
  • As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
    • In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.

In coming months, what’s likely going to happen is that businesses will learn through trial and error. Stay tuned. And learn from the inevitable violations that are bound to make the news.

Who Must Comply with the CCPA?

Companies doing business in California subject to the CCPA if one or more of the following are true:

  • Has gross annual revenues in excess of $25 million.
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of annual revenues from selling consumers’ personal information.

I’m Not Based in California. Do I Need to Worry about the CCPA?

The conditions stipulated above may indeed apply to you if you are outside California. For instance, if you are buying, receiving, or selling the personal information of 50,000 or more consumers, households, or devices in California, CCPA may apply to you regardless of where you are located. Read this insight for more detail.

What Is the Penalty for Noncompliance?

Businesses may be fined up to $7,500 for violation. Businesses could also face civil damages of up to $750 per violation, per user. The key phrase here is “per user.” A major violation could cost a business millions.

Will More States Enact This Kind of Legislation?

They already are. Nevada has enacted its own version of the CCPA already. Here is more information on how other states are enacting privacy legislation.

How Do I Ensure I Am Compliant?

A number of security firms provide compliance services. Unless you have a strong in-house security team, your best bet is to look for compliance help from a specialist.

Contact True Interactive

To manage advertising online effectively, contact True Interactive. We’re here to help!

Photo by Glenn Carstens-Peters on Unsplash