California’s Proposition 24 garnered enough support from voters to pass. That means the Consumer Privacy Rights Act (CPRA) will take effect, and there are major ramifications for businesses and the way they conduct digital marketing.
The CPRA won’t actually begin until 2023. That sounds like it’s not for a long time. And in some ways it isn’t. Still, there are ways in which your business may need to prepare.
The CPRA builds on a similar California proposition, the CCPA, which also only recently passed and which limits the selling of consumers’ personal information. Some are calling the CPRA the CCPA 2.0. This isn’t a minor change, though. There are significant differences between the two.
Keep in mind, this legislation applies to anyone that does business in the state of California, or have a contract with a company that does. There are also a few other limitations. Unsurprisingly, it’s a bit wonky.
Here are some Key Provisions:
- Establish the California Privacy Protection Agency. This would be the first agency of its kind in the US. It will have full administrative power to enforce the CPRA, rather than the California Attorney General.
- Additional Consumer Rights. People will have the right to correct any personal information, the right to opt-out of advertisers using geolocation, and the right to restrict usage of personal information.
- New Category of “Sensitive Personal Information.” Some types of information will carry the “Sensitive” designation, including social security and driver’s license numbers, racial information, and biometric data.
- Includes both “Sharing” and “Selling.” The CCPA was focused on the selling of information. The CPRA adds sharing, which it defines as a transfer for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
For Customers, This is Opt-Out, Not Opt-In
That means people will have to specifically tell companies they don’t want their data sold or shared. Companies that currently have a “Do Not Sell My Information” box will need to update that to “Do Not Sell or Share My Information.” And other companies will have to add that option.
Here’s What You Can Do
- Be aware of what data you’re collecting from customers. Make sure you’re only collecting data that you feel is vital to your company. That’s important regardless of the CPRA, since businesses are now at an increased risk for data breaches.
- Review who you’re sharing that data with. If you’re bound by the CPRA, then so is every company you subtract with. Make sure they’re all compliant, too
- Be transparent. Tell your customers why you’re collecting their data, and how long you’re going to hold onto it. And of course, only use data in the ways you say you’re going to. The CPRA is fairly strict about transparency.
All of these suggestions will help you stay compliant with the CPRA, but they’re also good for your digital marketing strategy, regardless of if you’re bound by Prop 24 or not.
There’s Time to Prepare a New Digital Marketing Strategy, But Not as Much as You Might Think
As we mentioned, the CPRA won’t take effect until July 1, 2023, more than two years from now. However, the bill applies to any information collected after January 1, 2022. That’s just over a year away, so you’ll probably want to start thinking about how to adjust your digital marketing in order to become compliant.