Marketing & the CPRA: What do you need to know?

Marketing in the era of data privacy requires your team to keep up to date with the latest regulations. Being aware of your requirements in advance will set you up for success when complying with data privacy laws — no matter how new, strict, or complex they may be.

Right now, the most pressing data privacy law for marketers to be familiar with is the California Privacy Rights Act (CPRA).

This act goes into effect on January 1, 2023, and it’s an updated, amended version of California’s current data privacy law, the California Consumer Privacy Act (CCPA). Sometimes referred to as “CCPA 2.0,” the CPRA greatly expands and modifies the current law by introducing new consumer privacy rights, incorporating more stringent business regulations, establishing a new government agency, and more.

With the new law kicking off on New Year’s Day, there are only a few more months to learn the ropes so that your team can be prepared. In this blog, we’ll discuss what marketers need to know to be prepared for the CPRA.

Marketing and the CPRA: The updates you should know about

While the CPRA has many requirements that expand on the CCPA, marketers only really need to be familiar with four:

1. The CPRA regulates both the sale and sharing of personal information, while the CCPA only regulated the sale of personal information.
2. Sensitive personal information is a new category of personal information, and businesses need to include a link on their homepage that enables visitors to limit its use.
3. The CPRA explicitly limits you to using personal information in the way you describe in your privacy policy.
4. Any agreements you have in place with vendors, third parties, and contractors need special provisions that describe how they can use the personal information you send them.

Let’s dive into the major implications of these changes.

Both sharing and selling personal information are regulated

Under the CCPA, businesses had to provide website visitors a means of opting out of the sale of their personal information, typically through a button reading "Do Not Sell My Personal Information" on the homepage. The CCPA defined selling quite broadly, but many activities still fell outside of its scope.

The CPRA fixed that issue by additionally regulating the share of personal information. Here’s how it defines sharing personal information:

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (1798.140.ah) — CPRA

Now, businesses need to provide a link on their homepage reading “Do Not Sell or Share My Personal Information.” Notably, this link should enable your website visitors to opt-out of cross-context behavioral advertising — that’s one of those activities that wasn’t fully covered in the CCPA.

Cross-context behavioral advertising, commonly referred to as targeted advertising, is the tracking of an individual’s activities across websites, applications, and services to identify and present advertisements tailored to their behavior. Typically, this involves the use of third-party cookies. Under the CPRA, visitors who withdraw their consent to the sale or share of their personal information cannot be tracked for the purposes of targeted advertising.

To comply with this, marketers must find a way to manage website visitors’ consent or lack of consent to the sale or sharing of personal information. They need to provide a “Do Not Sell or Share My Personal Information” link, record the website visitors’ preference, and block or allow the data collection mechanisms on their website accordingly. A new software category has emerged to help businesses accomplish these and other compliance tasks: consent management platforms, or CMPs.

A new category: Sensitive personal information

With the CPRA comes the introduction of “sensitive personal information” or sensitive data. This type of data includes a user’s:

• Ethnicity/racial origin
• Health conditions or diagnoses
• Sexual orientation
• Citizenship status
• Genetic/biometric information
• Geolocation
• Email content
• Financial information
• Social security and other forms of ID
• Religious beliefs

Now, consumers will have the right to limit the use of the data mentioned above. As a result, you need to have a prominent link or button (titled “Limit the Use of My Sensitive Personal Information”) on your homepage so that users can request that you restrict the disclosure of their sensitive data. Essentially, if a user clicks this link or button, you can only use their sensitive personal information if it's strictly necessary for the website to function.

You should also make sure your privacy team knows how you use sensitive personal information, if needed, and that this use is outlined in your privacy policy.

Limit data collection and processing to a specific purpose

Under the CCPA, businesses were required to notify users if they wanted to use previously collected personal information for a different purpose other than what the purpose for which it was initially collected. The CPRA limits this practice by codifying a data privacy principle known as purpose limitation.

Essentially, the collection and use of personal information must be necessary and proportionate to fulfill a specific purpose (for example, collecting a user’s billing information when conducting an ecommerce transaction). While it may be acceptable to use personal information for another purpose so long as the consumer is notified, the CPRA indicates that the new purpose must be “compatible with the context in which the personal information was collected.” The law goes on to state that data must not be “further processed in a manner that is incompatible with those purposes.”

The California Privacy Protection Agency (CPPA — a new enforcement agency created by the CPRA) is currently making rules to clarify what makes a purpose compatible or incompatible, so it is best to use caution if you’re contemplating any other use for your consumers’ personal information.

Importantly, businesses need to disclose what their purpose is to the user at the point of collection. Commonly, businesses include this information in their privacy policy and provide a link to the privacy policy whenever they collect personal information.

For marketers who are used to collecting loads of data on website visitors and prospects, this can be a major change. It’s essential that marketers collaborate with their colleagues in the legal and/or privacy space to craft a privacy policy that enables them to collect and process data in a way that lets them do their jobs effectively.

New requirements for third parties, service providers, and contractors

Compared to the CPRA, the CCPA had limited regulatory impact on vendors and other contractual counterparties. Only certain counterparties needed to have contractual provisions that ensured they handled personal information appropriately, while others were exempt or not mentioned whatsoever.

So, how has this changed in the CPRA and what does that mean for marketers?

The CPRA supplies definitions for the vast majority of contractual counterparties that a marketer might interact with — specifically, the law regulates agreements with contractors, service providers, and third parties. The CPRA defines these groups based on how they receive personal information, as follows:

• Contractors are entities to which contractors make available personal information. They receive personal information to inform how they fulfill their duties but don’t necessarily do anything to the information. An accounting firm that processes invoices, for example, might be a contractor.
• Service providers are entities that process personal information for the business. Making use of, manipulating, and handling personal information is somehow central to the service they provide. An agency that reviews personal information to craft a marketing persona might be considered a service provider in this regard.
• A third party is any other entity that isn’t a contractor, isn’t a service provider, and doesn’t interact with the consumer.

For marketers, the important thing to know is that anytime you share or sell data to one of these three entities, you need to add specific contractual provisions to your agreement with them.

Generally speaking, those provisions require third parties, service providers, or contractors to take several steps toward protecting your consumers’ personal information and treating it with respect. That includes things like sticking to the purpose limitation outlined in your privacy policy, allowing you to monitor their data processing activities, allowing you to take steps to stop unauthorized use of personal information, and more. There are a lot of specifics to keep in mind, so make sure you consult with your legal counsel when entering into an agreement with a vendor or any other parties.

The good news, however, is that if you have these contracts in place, then the personal information you sell or share to service providers or contractors isn’t subject to the consumer’s consent. The required contracts for those entities limit how they can use personal information; third parties have more flexibility in how they use personal information, so they are subject to consumer opt-outs.

Maintain compliance without worry or hassle

Marketers who practice privacy-first marketing can find a balance between actionable data and privacy compliance. Understanding how data privacy works allows marketers to collect data ethically — and prevent compliance penalties, ruffling consumer feathers, or damaging their organization’s reputation.

To help you find this balance, you need a structured, organized way of collecting and keeping track of data; one that makes sense across your organization’s internal systems. Keeping information streamlined and tidy improves your ability to market your brand well (and alleviates risk).

Osano’s Data Discovery tool helps you find, classify, and evaluate your data across your organization’s data stores. Schedule a demo with us today so your team has peace of mind when the CPRA comes into play.