In January 2023, California's new Privacy Rights Act (CPRA) will become effective, and we can expect many other states to follow this growing data protection movement.
Concepts such as first- and zero-party data, consent and preferences will be key for enterprises to understand as data privacy evolves in the U.S.
In order to help you navigate privacy in the U.S., the Didomi U.S. team will be covering these topics and more over a webinar series in the coming weeks and months. For our first episode which aired on July 28th, Todd Ruback, Managing Director, Privacy at FTI Consulting, joined Didomi's Chris Beirne and Jeffrey Wheeler to talk about the California Privacy Rights Act (CPRA).
Access the webinar recording below, and continue reading for a summary of the information.
What is the CPRA?
The California Privacy Rights Act (CPRA) is an amended version of the California Consumer Privacy Act (CCPA) and the most restrictive legislation so far here in the US. Aside from California, four other consumer privacy state regulations have been adopted in the United States:
(Note: learn more in our article about the consumer data privacy U.S. landscape)
All these regulations are inspired by advertising technology and the invisible data collection activity happening behind the digital curtains on websites and mobile sites. And while they're not preventing this data collection from happening, the laws are ensuring that individuals whose data is being collected are aware of it.
In essence, and even though there are nuances between each state, these laws are bringing transparency to consumers and the choice to control whether their data should be collected and shared.
Specifically, the CPRA introduces requirements closer to those of Europe's General Data Protection Regulation (GDPR).
Coming into effect on January 1st 2023, the CPRA will require organizations to implement a notice of data collection at or before collection occurs. Not only that, but it will introduce concepts and regulatory requirements around privacy, impact assessments, data subject access requests, dark patterns, mandatory opt-out, as well as signal recognitions.
This will likely be a major operational challenge for many organizations.
What are the main risks for companies that don’t comply with the CPRA?
There is a number of risks associated with non-compliance with the CPRA, including:
The primary and most obvious challenge for companies will be an audit risk, or the economic risk of noncompliance.
For brands that invest a lot of time and effort into their own branding and being good corporate citizens will be mindful of the name and shame they may face for not being upfront, transparent and trustworthy around their data collection practices.
The potential operational and systems development risk, in other words having to play catch up and become compliant within a very short timeframe when faced with an audit and/or other legal obligation.
In addition to regulatory risks, it is important to point out that fines can quickly add up. The CPRA will have the ability to impose administrative fines of $2,500 per violation or $7,500 per intentional violation, amounts that are unchanged from the CCPA. Multiplied by the ad-tech context, a dynamic data collection ecosystem driven by 3rd parties that can reach millions of transactions, sums can easily get up to the tens of millions of dollars.
To collect consent, the draft regulation calls for the adoption of a Consent Management Platform (CMP) that can offer a global solution to address any of your customers. As the law matures, as we see in Europe for instance, working with a provider that can pivot quickly and make sure the right technology is in place is key. Learn how Didomi can help:
What are dark patterns?
Dark patterns are a type of design element that deceives users by deliberately tricking, obscuring, and misleading them.
This notion is critical because regardless of regulation, organizations need to ensure that consumers are given a clear and concise choice. As a result, implementing deceiving design elements such as highlighting certain buttons, offering one button instead of multiple ones on a cookie banner, or other dark patterns practices, could render consent invalid.
According to our Head of Product North America Jeffrey Wheeler, this might be one of the biggest challenges of CPRA.
Because the notion of dark patterns will be legislated, organizations will truly need to embrace privacy by design when deploying solutions, involving privacy officers in the development lifecycle and configuration of any technologies to avoid inadvertently violating the provisions of these new laws.
What actions should you take to remain compliant?
Three actions organizations can implement today are specifically mentioned in the proposed draft of the CPRA:
- Giving a comprehensive notice to the consumer at (or before) the moment of the collection of their personal data.
- Providing the link to the notice of right to opt-out of sale/ sharing if the business sells or shares personal data on the internet webpage to which the consumer is directed after clicking on the “Do Not Sell or Share My Personal Information” link
- Accepting and processing data subject requests for exercising rights
As we don’t have a clear line of vision on the federal privacy law yet, Todd Ruback encourages people to contact their internal government relations teams for more insights.
To learn more about the California Privacy Right Act (CPRA), understand where it comes from and how you can start getting ready, watch the webinar and head to our dedicated blog post for a complete overview: