“Data-driven thinking” is written by members of the media community and contains new ideas on the digital revolution in media.
Today’s column is written by Richy Glassberg, CEO and co-founder of SafeGuard Privacy.
The last few years have seen a flurry of change – and not a few upheavals. So business leaders can be forgiven for putting off things that won’t really affect them for a year or more.
But here’s a news flash: The California Privacy Rights Act of 2020 (CPRA) can’t be one of them.
Due to the look-back period that lawmakers have written into the law, compliance must begin at the start of the new year, unless companies want to discard all the data they legitimately collect on their customers and prospects for the whole year to come.
Yeah, it’s really urgent. Your data – the things you invest so heavily in – has an expiration date.
But let’s go back. What exactly is CPRA?
The law considerably modifies and strengthens the California Consumer Privacy Act (CCPA) and adds GDPR-type consumer rights to it. Specifically, it expands the definition of sensitive data (geolocation, for example, is now considered sensitive) and offers consumers tighter controls to protect it.
Your business should comply with the CCPA whether you are doing digital advertising, collecting data, or deploying any type of automated decision-making technology to determine who to target for a campaign.
Since most companies are getting into digital advertising and using AI to find audiences, CPRA will require the majority of players in the digital advertising ecosystem to update their practices … or, alternatively, move away from the largest consumer market in the United States.
Can you continue as usual next year? Technically, yes. But this is not a wise decision.
Here are six ways CPRA will have a significant impact on your operations and how you can prepare.
1. Data collected in 2022 must comply with CPRA by 2023
Although the CPRA comes into effect on January 1, 2023, the look-back provision of the law applies to all information collected as of January 2022. This means that all data about any customer or prospect that you collect during 2022 must be in full compliance with the CPRA on New Year’s Day 2023 if you intend to use it from then on.
Practical tip: Your CMO and your COO have a lot of big decisions to make. But in the meantime, work on identifying all the personal data you collect in 2022 in case you want to use it beyond December of next year.
2. New definition: share = sell
CPRA gives consumers the right to limit who you share their information with. The law defines sharing as “any disclosure” to third parties for the purposes of “cross-contextual behavioral advertising”.
Any consumer rights that apply to the sale of personal data (for example, opt-out rights) will also apply to data that you share with partners to execute a digital marketing or advertising initiative.
Practical tip: Make sure you can identify any 2022 data that you share or that has been shared with you. You will also need to have a system in place to receive and implement unsubscribe requests.
3. New data usage limitations
Under the CPRA, there is no such thing as a general or universal permission. If you request a consumer’s mobile phone number as part of a delivery address workflow, for example, you cannot use that number to send promotional SMS messages without authorization. Personal data may only be used for purposes compatible with the disclosed purpose for which it was collected.
Practical tip: Start disclosing extended use, sale and sharing practices from January 1, 2022, so that you can more widely use any data you collect in 2022 from 2023.
4. New contracts
CPRA creates contractual requirements for three categories of counterparties: service providers, contractors and third parties. These obligations will apply to 2022 data.
Practical tip: Start using new contracts in 2022 so that you can enforce 2022 data obligations in 2023.
It’s right there in black and white in the act itself:
For example, Cal. Civ. Code § 1798.100 (d): “A business that collects a consumer’s personal information and sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for commercial purposes shall enter into an agreement with the third party, the service provider or the contractor…”
5. New counterparty obligations
The CPRA creates new obligations for those who sell or share data.
Specifically, any data you sell or disclose should be for limited and specified purposes only. In addition, the third party, service provider or contractor with whom you share it must also comply with the same obligations and provide the same level of privacy protection as you for that consumer’s data. If, for any reason, a counterparty cannot meet these obligations, it must notify you.
Practical tip: Place these obligations in the new contracts you conclude in 2022 so that they are ready to be applied in 2023.
6. New category of personal information
The CPRA creates a new category for “Sensitive Personal Information” and provides additional new restrictions on its use. What is considered sensitive? This is all data related to a consumer’s government identity (i.e. social security number or driver’s license), finances, geolocation, race, religion, union membership, content of private communications, genetic information, biometrics, health or sexual orientation.
If your business uses or discloses sensitive personal information, CPRA requires that you let people know. In addition, you will need to provide “a clear and visible link” on your home page titled “Limit the use of my sensitive personal information”.
Practical tip: If your business collects sensitive personal information, you should start making an inventory of the types collected now, as well as how that information is used, with whom this information is shared, and whether sharing is legally permitted under the law without consumer consent. Then, formulate a comprehensive strategy on how you can collect, use, share, store, and protect sensitive personal information in accordance with the CPRA.
More to do
These six items do not in any way represent the total sum of your new obligations under the CPRA.
For some businesses, other provisions of the CPRA, such as data retention and automated decision-making, will have a much greater impact on the business.
As I said above, you could push that back for a year – but that would mean taking all the data you collect in 2022 and throwing it in the digital trash. How will this advance your company’s digital transformation efforts, I wonder, and what will it do for your market position by 2023?
If the prospect of losing your entire data investment isn’t acceptable to you or your board, I suggest now is the time to act. It is really not a good idea to wait until next year.