One of the not-so-ballyhooed election results earlier this month is one that could affect marketers for years to come.
That decision was passage of Proposition 24, or the California Privacy Rights Act (CPRA), which will stiffen even further requirements that businesses must meet to protect citizens’ data privacy. Approved by 56% of the state’s voters, the tougher data privacy law would take effect in January 2023 to give companies and marketers time to comply.
CPRA comes on the heels of the California Consumer Privacy Act, which the state already adopted two years ago and with which businesses had to comply beginning this year.
Similar to Europe’s privacy act, California’s existing law already gives online users the right to know what information companies are collecting about them, why the companies are collecting that data and with whom the data is shared. Californians also can tell companies to delete their information or not sell or share their data.
When it takes effect in January 2023, the newer CPRA would establish a tougher set of data privacy rules for businesses, give consumers more rights on how their data can be used and create a separate oversight panel, the California Privacy Protection Agency, for rule-making and enforcement.
Specifically, the new law would, according to the experts at eMarketer:
• Create a broad category of “sensitive” personal data — including a person’s race or ethnicity, their genetic data, their sexual orientation, and data about their health, among other information — which consumers can limit to approved uses;
• Require businesses to create a link on their homepages where consumers can opt out of having their data sold, shared or used;
• Give consumers the right to correct information businesses have on them;
• Strengthen opt-in requirements for data on children, and increase penalties for the forbidden use or sharing of such data;
• Set limits on how long businesses can keep data;
• Provide an opt-out for “cross-context behavioral advertising,” defined in CPRA as targeted advertising based on users’ personal information that was collected across a variety of digital touchpoints, such as websites, apps and services.
What the California Law Means for Marketers
“For marketers already struggling to meet compliance deadlines for CCPA, CPRA represents another legal hurdle, and one that will be lot more onerous than what they currently face,” warns Yoram Wurmser, an eMarketer principal analyst.
Affected mostly by the new law would be larger marketers who have data on more than 100,000 households — as opposed to the 50,000 threshold under the current privacy law.
“If the act goes into effect in 2023, most personalized advertising will no longer be possible in California, and many parts of the data ecosystem will struggle to adapt,” Wormser says.
Will a Federal Data Privacy Law Emerge From All of This?
Wormser and others are hailing the long lead time until the newer California data privacy act takes effect, because it will give businesses and marketers more time to adapt. They say the act may put additional pressure on the federal government to come up with a national data privacy law that could supersede the California model.
“I think that CPRA’s most impactful provision is when it takes effect: January 2023,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals.
“CPRA would create the impetus and provide the time frame for adoption of federal privacy legislation. And I think that was intentional on the part of the ballot initiatives’ proponents.”
Congress has debated whether there should be a federal privacy law for the past couple of years, but it didn’t make much headway this past year, thanks to the COVID-19 outbreak, as well as those 2020 elections.
As for whether there might be a federal privacy law in the not-so-distant future under a new administration and Congress, Wurmser, the eMarketer principal analyst, predicted this on election eve earlier this month:
“The odds for new regulations on tech rise with a Democrat-run Congress and a Biden presidency, particularly in the areas of consumer data privacy, antitrust enforcement, and algorithmic bias and transparency.”
However, he continued, “Although Democrats are more eager than Republicans for tougher consumer privacy laws, a variety of viewpoints hold even within the Democratic caucus. Given the scale of economic, health and racial equity issues facing the new Congress, it’s likely that it will take a while for lawmakers to reconcile these differences, even with full Democratic control.”
