CCPA/CPRA Data Mapping: The Why, What, and How
September 21, 2022
Marketing in the era of data privacy requires your team to keep up to date with the latest regulations. Being aware of your requirements in advance will set you up for success when complying with data privacy laws — no matter how new, strict, or complex they may be.
Right now, the most pressing data privacy law for marketers to be familiar with is the California Privacy Rights Act (CPRA).
This act goes into effect on January 1, 2023, and it’s an updated, amended version of California’s current data privacy law, the California Consumer Privacy Act (CCPA). Sometimes referred to as “CCPA 2.0,” the CPRA greatly expands and modifies the current law by introducing new consumer privacy rights, incorporating more stringent business regulations, establishing a new government agency, and more.
With the new law kicking off on New Year’s Day, there are only a few more months to learn the ropes so that your team can be prepared. In this blog, we’ll discuss what marketers need to know to be prepared for the CPRA.
While the CPRA has many requirements that expand on the CCPA, marketers only really need to be familiar with four:
Let’s dive into the major implications of these changes.
Under the CCPA, businesses had to provide website visitors a means of opting out of the sale of their personal information, typically through a button reading "Do Not Sell My Personal Information" on the homepage. The CCPA defined selling quite broadly, but many activities still fell outside of its scope.
The CPRA closes that gap by additionally regulating the sharing of personal information. Here’s how it defines sharing personal information:
“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (1798.140.ah) — CPRA
Now, businesses need to provide a link on their homepage reading “Do Not Sell or Share My Personal Information.” Notably, this link should enable your website visitors to opt out of cross-context behavioral advertising — that’s one of the activities that wasn’t fully covered by the CCPA.
Cross-context behavioral advertising, commonly referred to as targeted advertising, is the tracking of an individual’s activities across websites, applications, and services to identify and present advertisements tailored to their behavior. Typically, this involves the use of third-party cookies. Under the CPRA, visitors who opt out of the sale or sharing of their personal information cannot be tracked for the purposes of targeted advertising.
To comply with this, marketers must find a way to manage website visitors’ consent or lack of consent to the sale or sharing of personal information. They need to provide a “Do Not Sell or Share My Personal Information” link, record the website visitors’ preference, and block or allow the data collection mechanisms on their website accordingly. A new software category has emerged to help businesses accomplish these and other compliance tasks: consent management platforms, or CMPs.
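The three steps above (offer the link, record the preference, block or allow collection mechanisms accordingly) as a minimal consent gate, written as an added example that is not part of the original post or of any CMP product; the tag catalogue, the purpose labels, the preference record shape and the function names are all assumptions.

```javascript
// Added example (not from the original post): a minimal consent gate for the
// CPRA "Do Not Sell or Share My Personal Information" opt-out. The tag
// catalogue, purpose labels and storage shape are assumptions for illustration.

// Catalogue of scripts the site would normally inject, each labelled with the
// purpose it serves. "cross_context_ads" is the category the opt-out must
// switch off; "necessary" tags keep the site working and are never gated.
const TAG_CATALOGUE = [
  { id: "session-keeper", purpose: "necessary" },
  { id: "checkout-fraud-check", purpose: "necessary" },
  { id: "retargeting-pixel", purpose: "cross_context_ads" },
  { id: "ad-network-sync", purpose: "cross_context_ads" },
];

// The recorded preference, shaped like what a consent cookie would carry.
// The CPRA uses an opt-out model: with no record, the visitor has not opted
// out, so advertising tags may load until they click the link.
function newPreferenceStore() {
  return { doNotSellOrShare: false, recordedAt: null };
}

// Handler behind the "Do Not Sell or Share My Personal Information" link.
// Records the choice with a timestamp so the decision can later be evidenced.
function recordOptOut(store, optedOut, now = new Date()) {
  store.doNotSellOrShare = Boolean(optedOut);
  store.recordedAt = now.toISOString();
  return store;
}

// Decide whether a single tag may run for this visitor.
function mayLoad(store, tag) {
  if (tag.purpose === "necessary") return true;
  if (tag.purpose === "cross_context_ads") return !store.doNotSellOrShare;
  // Unclassified purposes fail closed: an unlabelled tracker must not slip
  // through the gate after an opt-out has been recorded.
  return false;
}

// Split the catalogue into what loads and what is blocked, so the result can
// be logged alongside the recorded preference.
function gateTags(store, catalogue = TAG_CATALOGUE) {
  const loaded = [];
  const blocked = [];
  for (const tag of catalogue) {
    (mayLoad(store, tag) ? loaded : blocked).push(tag.id);
  }
  return { loaded, blocked };
}
```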
With the CPRA comes the introduction of “sensitive personal information” or sensitive data. This type of data includes a user’s:
Now, consumers will have the right to limit the use of the data mentioned above. As a result, you need to have a prominent link or button (titled “Limit the Use of My Sensitive Personal Information”) on your homepage so that users can request that you restrict the disclosure of their sensitive data. Essentially, if a user clicks this link or button, you can only use their sensitive personal information if it's strictly necessary for the website to function.
Under the CCPA, businesses were required to notify users if they wanted to use previously collected personal information for a purpose other than the one for which it was initially collected. The CPRA limits this practice by codifying a data privacy principle known as purpose limitation.
Essentially, the collection and use of personal information must be necessary and proportionate to fulfill a specific purpose (for example, collecting a user’s billing information when conducting an ecommerce transaction). While it may be acceptable to use personal information for another purpose so long as the consumer is notified, the CPRA indicates that the new purpose must be “compatible with the context in which the personal information was collected.” The law goes on to state that data must not be “further processed in a manner that is incompatible with those purposes.”
The California Privacy Protection Agency (CPPA — a new enforcement agency created by the CPRA) is currently making rules to clarify what makes a purpose compatible or incompatible, so it is best to use caution if you’re contemplating any other use for your consumers’ personal information.
Compared to the CPRA, the CCPA had limited regulatory impact on vendors and other contractual counterparties. Only certain counterparties needed to have contractual provisions that ensured they handled personal information appropriately, while others were exempt or not mentioned whatsoever.
So, how has this changed in the CPRA and what does that mean for marketers?
The CPRA supplies definitions for the vast majority of contractual counterparties that a marketer might interact with — specifically, the law regulates agreements with contractors, service providers, and third parties. The CPRA defines these groups based on how they receive personal information, as follows:
For marketers, the important thing to know is that anytime you share or sell data to one of these three entities, you need to add specific contractual provisions to your agreement with them.
The good news, however, is that if you have these contracts in place, then the personal information you sell to or share with service providers or contractors isn’t subject to the consumer’s opt-out. The required contracts for those entities limit how they can use personal information; third parties have more flexibility in how they use personal information, so they are subject to consumer opt-outs.
Marketers who practice privacy-first marketing can find a balance between actionable data and privacy compliance. Understanding how data privacy works allows marketers to collect data ethically — and prevent compliance penalties, ruffling consumer feathers, or damaging their organization’s reputation.
To help you find this balance, you need a structured, organized way of collecting and keeping track of data; one that makes sense across your organization’s internal systems. Keeping information streamlined and tidy improves your ability to market your brand well (and alleviates risk).
Osano’s Data Discovery tool helps you find, classify, and evaluate your data across your organization’s data stores. Schedule a demo with us today so your team has peace of mind when the CPRA comes into play.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.