The Passing of the California Privacy Rights Act (CPRA)
Background
In May of 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union, setting the standard for privacy as a human right and sound privacy governance as a legal obligation for companies. Californians followed suit with the California Consumer Privacy Act (CCPA), which went into effect on July 1, 2020. Although CCPA was formulated with GDPR in mind, it left many loopholes open. As a result, Californians for Consumer Privacy formulated a 52-page Proposition 24 to buttress protections for consumers by closing these loopholes, which some companies have been exploiting.
What is the California Privacy Rights Act (CPRA)?
Proposition 24, or the California Privacy Rights Act (CPRA), appeared on the ballot in the November election. With around 56% of the vote, Californians passed the CPRA, which strengthens the existing CCPA. CPRA is not a different law, but rather an expansion of the current CCPA. By closing many of the loopholes left open by the CCPA, CPRA more closely resembles GDPR, representing a growing international movement to extend GDPR principles.
The main differences between the two California regulations lie not only in stricter protections, but also stricter enforcement. Californians can tell businesses not to use, sell, or share “sensitive personal information,” defined as anything from race, religion, or sexual orientation, to more timely information like health, location, or private conversations. Minors will also experience more protection with an opt-in requirement to sell or share their data.
The extra enforcements will compensate for CCPA’s lower penalties, loopholes, and open-ended definitions, already discovered by many businesses (source: Adweek). For one, fines are tripled for violations of the protections for minors. And not only does CPRA limit itself from lobbyist amendments, it has heavily funded its own California Privacy Protection Agency, the sole purpose of which is to enforce the law (compared to CCPA’s only enforcement being the office of California’s Attorney General).
What does CPRA mean for big tech?
The passing of CPRA means countless third parties in the digital ad ecosystem will be required to give consumers explicit notice of selling or sharing personal data. Not only this, but they also will be required to let consumers opt out. Do these changes help or hinder ad tech giants like Google and Facebook? Well, it’s up for debate. Some suggest the law will help these companies because they own their user data through direct relationships, and are less concerned with data exchange between third parties like publishers or ad tech (either selling data to them or acquiring more data from them). However, many believe the newly formed California Privacy Protection Agency will be most likely to go after the big tech platforms. But it’s worth noting that, unlike smaller media sellers and firms, companies like Google and Facebook have large legal and compliance teams to help them tango with the California Privacy Protection Agency.
The bottom line is we won’t know for sure until the law goes into effect in 2023. But one thing is clear: CPRA will close many loopholes, making it difficult for big tech companies to track consumers outside of their own user-facing services. (Source: The Drum, Fast Company, Vox)
What does CPRA mean for marketers?
While CPRA is exclusive to California, you can expect it to have a national, and even global, impact. There will be fewer loopholes and greater enforcement – even for the big ad tech firms that marketers leverage for the majority of their media (about 40% of advertising spend this year). Marketers and platforms will need to adjust their approach to finding and reaching audiences with their message, and think about new, unique ways to acquire customer information.
The last two years have already delivered a blow to advertisers in terms of third-party data, with Facebook tightening targeting restrictions, and both Google and Apple working toward cookie-less environments altogether. But CPRA makes third-party data usage even more difficult with users’ ability to opt out. It also means advertisers will soon need to scrutinize their own first-party and zero-party (truly opt-in) data as well — how they acquire it, how they share it, how they use it.
Although larger ad tech companies may be held more liable than marketers, accountability will eventually reach all parties, even small advertisers and publishers. The current restrictions on special categories like housing, recruitment, and credit will broaden to all categories, making targeting by ethnicity, health conditions, or income level very difficult. Even mobile location data and zip code targeting could go away. Targeting by age? This could also be heavily restricted in the long term. In other words, we’re reverting back to days with more waste, where advertising dollars will ultimately need to be spent toward broader, less precise audiences. Come 2023, marketers will need to focus on brand positioning in relevant content, premium partnerships, and 1:1 efforts like email and direct mail, to ensure they still reach their most relevant audiences.
Are we moving backwards? In some ways, yes. But in other ways, no. We are working with major tech advances that are still viable, in terms of attribution, predictive algorithms, and content ranking in search engines. And this means we know a lot more about our audiences than ever before, allowing us to understand their key questions and tailor content accordingly.
What can marketers do to prepare for CPRA?
While two years is a long time in the ad tech world, increased protection of consumer privacy is clearly the direction the industry is heading. The sooner you’re prepared, the more you’ll stand out among the competition. Here are a few things you can do now to begin preparing for CPRA:
Five key takeaways
- Depending on company size, it’s probably time for some new hires. Stack your legal team with tech expertise, and form diversity and inclusion teams that focus on ethical targeting and messaging.
- Apply as many new principles as possible across your site and marketing efforts, rather than trying to identify and isolate minors or California residents to provide them a unique user experience. Age and political boundaries aren’t always visible digitally, so it’s a safe bet to apply these restrictions to any audience, especially since they will become more regulated down the road.
- Keep testing to form new benchmarks, and to learn about your audiences and how they respond to your offering to supplement the loss of user data.
- Tighten your content and user experience. Precise data targeting isn’t the only way to increase brand visibility to the right audiences. Implement SEO best practices to outrank competitors, ensure your site offers visitors a good mix of informational and transactional content, and maintain a solid social presence to drive engagement across your content ecosystem.
- Be transparent, clear, and concise in your privacy policy to create positive user experiences. Not only will this be legally enforced, it will be fully expected by your customers, especially in younger age brackets, and a deal-breaker if you don’t comply.