Marketing and the CPRA: The updates you should know about
While the CPRA has many requirements that expand on the CCPA, marketers only really need to be familiar with four:
- The CPRA regulates both the sale and sharing of personal information, while the CCPA only regulated the sale of personal information.
- Sensitive personal information is a new category of personal information, and businesses need to include a link on their homepage that enables visitors to limit its use.
- The CPRA codifies purpose limitation: personal information may only be collected and used as needed for a specific purpose, and any new use must be compatible with the context in which the information was collected.
- Any agreements you have in place with vendors, third parties, and contractors need special provisions that describe how they can use the personal information you send them.
Let’s dive into the major implications of these changes.
Both sharing and selling personal information are regulated
Under the CCPA, businesses had to provide website visitors a means of opting out of the sale of their personal information, typically through a button reading "Do Not Sell My Personal Information" on the homepage. The CCPA defined selling quite broadly, but many activities still fell outside of its scope.
The CPRA fixed that issue by additionally regulating the sharing of personal information. Here’s how it defines sharing personal information:
“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (1798.140.ah) — CPRA
Now, businesses need to provide a link on their homepage reading “Do Not Sell or Share My Personal Information.” Notably, this link should enable your website visitors to opt out of cross-context behavioral advertising — that’s one of those activities that wasn’t fully covered in the CCPA.
Cross-context behavioral advertising, commonly referred to as targeted advertising, is the tracking of an individual’s activities across websites, applications, and services to identify and present advertisements tailored to their behavior. Typically, this involves the use of third-party cookies. Under the CPRA, visitors who withdraw their consent to the sale or sharing of their personal information cannot be tracked for the purposes of targeted advertising.
To comply with this, marketers must find a way to manage website visitors’ consent or lack of consent to the sale or sharing of personal information. They need to provide a “Do Not Sell or Share My Personal Information” link, record the website visitors’ preference, and block or allow the data collection mechanisms on their website accordingly. A new software category has emerged to help businesses accomplish these and other compliance tasks: consent management platforms, or CMPs.
A new category: Sensitive personal information
With the CPRA comes the introduction of “sensitive personal information” or sensitive data. This type of data includes a user’s:
- Ethnicity/racial origin
- Health conditions or diagnoses
- Sexual orientation
- Citizenship status
- Genetic/biometric information
- Email content
- Financial information
- Social security and other forms of ID
- Religious beliefs
Now, consumers will have the right to limit the use of the data mentioned above. As a result, you need to have a prominent link or button (titled “Limit the Use of My Sensitive Personal Information”) on your homepage so that users can request that you restrict the disclosure of their sensitive data. Essentially, if a user clicks this link or button, you can only use their sensitive personal information if it’s strictly necessary for the website to function.
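The two homepage links described above (the “Do Not Sell or Share” opt-out and the “Limit the Use of My Sensitive Personal Information” request) only matter if the site actually records the choice and gates its data-collection tags on it. The following is an added example, not code from the article or from any consent management product: a minimal consent record with hypothetical names (ConsentStore, gateTags, PURPOSES) and a constructed list of sample tags, each declaring the purpose it serves.

```javascript
// Added example, not part of the original article or any vendor product.
// All names are hypothetical; SAMPLE_TAGS is constructed sample data.

const PURPOSES = Object.freeze({
  NECESSARY: "necessary",           // strictly needed for the site to work
  ADVERTISING: "cross_context_ads", // cross-context behavioral advertising
  SENSITIVE: "sensitive_pi",        // any use of sensitive personal information
});

// Each tag declares the purpose it serves, so the gate decides per purpose
// rather than per vendor. The last one is deliberately unlabeled.
const SAMPLE_TAGS = [
  { id: "checkout-session", purpose: PURPOSES.NECESSARY },
  { id: "ad-network-pixel", purpose: PURPOSES.ADVERTISING },
  { id: "health-survey-widget", purpose: PURPOSES.SENSITIVE },
  { id: "unknown-vendor-tag", purpose: "unlabeled" },
];

class ConsentStore {
  // `storage` is any Map-like object; in a browser, wrap localStorage.
  constructor(storage = new Map()) {
    this.storage = storage;
  }
  // Handler for the "Do Not Sell or Share My Personal Information" link.
  optOutOfSaleOrSharing() {
    this.storage.set("doNotSellOrShare", new Date().toISOString());
  }
  // Handler for the "Limit the Use of My Sensitive Personal Information" link.
  limitSensitiveUse() {
    this.storage.set("limitSensitive", new Date().toISOString());
  }
  // CPRA is opt-out: a purpose stays allowed until the visitor restricts it.
  // Necessary processing is always allowed; unlabeled purposes fail closed.
  isAllowed(purpose) {
    switch (purpose) {
      case PURPOSES.NECESSARY: return true;
      case PURPOSES.ADVERTISING: return !this.storage.has("doNotSellOrShare");
      case PURPOSES.SENSITIVE: return !this.storage.has("limitSensitive");
      default: return false;
    }
  }
}

// Split tags into those that may load and those that must be blocked.
function gateTags(tags, store) {
  const allowed = [];
  const blocked = [];
  for (const tag of tags) {
    (store.isAllowed(tag.purpose) ? allowed : blocked).push(tag.id);
  }
  return { allowed, blocked };
}
```

Storing a timestamp rather than a boolean gives you a record of when each choice was made, which is what you will need if a consumer later asks how their request was honored.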
Limit data collection and processing to a specific purpose
Under the CCPA, businesses were required to notify users if they wanted to use previously collected personal information for a purpose other than the one for which it was initially collected. The CPRA limits this practice by codifying a data privacy principle known as purpose limitation.
Essentially, the collection and use of personal information must be necessary and proportionate to fulfill a specific purpose (for example, collecting a user’s billing information when conducting an ecommerce transaction). While it may be acceptable to use personal information for another purpose so long as the consumer is notified, the CPRA indicates that the new purpose must be “compatible with the context in which the personal information was collected.” The law goes on to state that data must not be “further processed in a manner that is incompatible with those purposes.”
The California Privacy Protection Agency (CPPA — a new enforcement agency created by the CPRA) is currently making rules to clarify what makes a purpose compatible or incompatible, so it is best to use caution if you’re contemplating any other use for your consumers’ personal information.
New requirements for third parties, service providers, and contractors
Compared to the CPRA, the CCPA had limited regulatory impact on vendors and other contractual counterparties. Only certain counterparties needed to have contractual provisions that ensured they handled personal information appropriately, while others were exempt or not mentioned whatsoever.
So, how has this changed in the CPRA and what does that mean for marketers?
The CPRA supplies definitions for the vast majority of contractual counterparties that a marketer might interact with — specifically, the law regulates agreements with contractors, service providers, and third parties. The CPRA defines these groups based on how they receive personal information, as follows:
- Contractors are entities to which a business makes available personal information. They receive personal information to inform how they fulfill their duties but don’t necessarily do anything to the information. An accounting firm that processes invoices, for example, might be a contractor.
- Service providers are entities that process personal information for the business. Making use of, manipulating, and handling personal information is somehow central to the service they provide. An agency that reviews personal information to craft a marketing persona might be considered a service provider in this regard.
- A third party is any other entity that isn’t a contractor, isn’t a service provider, and doesn’t interact with the consumer.
For marketers, the important thing to know is that anytime you share or sell data to one of these three entities, you need to add specific contractual provisions to your agreement with them.
The good news, however, is that if you have these contracts in place, then the personal information you sell or share with these entities isn’t subject to the consumer’s consent. So, if a consumer requests that you don’t sell or share their personal information, you can still provide that information to a contractor, third party, or service provider that has a contract with these provisions in place.
Maintain compliance without worry or hassle
Marketers who practice privacy-first marketing can find a balance between actionable data and privacy compliance. Understanding how data privacy works allows marketers to collect data ethically — and prevent compliance penalties, ruffling consumer feathers, or damaging their organization’s reputation.
To help you find this balance, you need a structured, organized way of collecting and keeping track of data; one that makes sense across your organization’s internal systems. Keeping information streamlined and tidy improves your ability to market your brand well (and alleviates risk).
Osano’s Data Discovery tool helps you find, classify, and evaluate your data across your organization’s data stores. Schedule a demo with us today so your team has peace of mind when the CPRA comes into play.