GDPR Future of Media Data & Privacy

CPRA takes effect in January: experts warn that ad ecosystem is about to change


By Kendra Barnett, Associate Editor

December 7, 2022 | 12 min read

For the advertising and publishing ecosystem, impending regulatory enforcement will create new challenges for managing consumer data privacy.

CPRA will create new challenges for advertisers and publishers across the digital ecosystem / Adobe Stock

The California Privacy Rights Act (CPRA) – a bill that serves to extend and amend the far-reaching California Consumer Privacy Act (CCPA) – is set to become operative on January 1, 2023.

Though the law won’t become fully enforceable until July 1, 2023 (and violations that happened prior to that date won’t be penalized), businesses are already prioritizing compliance. Marketers are especially wary considering that the recent $1.2m fine issued to beauty retailer Sephora for CCPA violations set a stringent precedent for future enforcement actions.

The Drum surveyed data privacy and security professionals on the changes that CPRA introduces – and how the ad industry can prepare for impending enforcement. Here’s what they said.

1. New opt-out rights close loopholes for targeted advertising

The CPRA expanded consumers’ opt-out rights. While the CCPA enabled California residents to opt out of sales of their personal information, the CPRA seeks to close a minor loophole by introducing new, more explicit language that allows residents to opt out of having their data “shared” with advertisers. This means Californians will be able to further protect their information from being used in a targeted advertising system.

For all businesses – but especially advertisers and publishers – this is a crucial change.

“While many marketers have taken a position to date of working exclusively with service providers, the expansion of the opt-out right to include the right to opt-out of personal information shared for cross-context behavioral advertising substantially diminishes the viability and utility of this approach,” says Arielle Garcia, chief privacy officer at ad agency UM Worldwide. In essence, the right to opt-out of sharing personal data for behavioral advertising purposes could throw a wrench in brands’ abilities to engage in targeted advertising activities at large – and could ultimately hurt their bottom lines.

“With CPRA, marketers need to contemplate processes for honoring rights requests for a broader set of use cases – including their sharing of customer relationship management system data for targeted advertising,” says Garcia. “To that end, marketers should engage in discussions with their agency partners and their media partners to establish these workflows.”

Other privacy pros echo this sentiment. Jessica Simpson, senior vice-president of global solutions consulting and verified technology at Publicis Media, believes that consent management should be businesses’ primary consideration in CPRA preparation. “The best course of action to prepare is to implement a next gen consent management platform,” she says.

This is, at its core, a marketing responsibility, she explains. “The marketing teams own trust – it should be deeply woven in the ethos of your brand, and at the center of every value exchange, creative and offer you put in front of your customers and consumers. Consumers don’t just make decisions based on the product or the price. They make it based on trust in the brand and the technology that brings it their way. We need to move away from privacy program management, and ticketing systems that rely on human intervention and modular, mistake-driven implementation, to a programmatic approach to privacy.”

2. Expanded applicability cracks down on businesses’ internal operations

The CCPA included exceptions for certain uses of personal data, such as in a business’s human resources department or for B2B marketing and sales purposes. However, the CPRA strips away these exemptions.

Unless another rule creates specific exemptions for a business – which might be the case with a law like the federal Health Insurance Portability and Accountability Act – organizations will need to meet CPRA’s privacy requirements as they relate to a wider swath of people, including employees, job applicants, contractors and freelancers, suppliers, B2B prospects and customers and more. To put it simply, CPRA puts new data privacy restrictions on a business’s operations and supply chain.

3. Restrictions on uses of sensitive data will become the norm

CPRA expands consumer protections for specific types of personal data. In particular, it offers an explicit definition of “sensitive personal information” – which includes categories like social security and driver’s license numbers, geolocation data, browsing and search history, biometric data and more. CPRA gives California residents the right to limit the sharing and use of such information.

Now, it’s vital that marketers evaluate and map out their data inventories to assess what types of sensitive personal information they currently collect, use, share and sell. In particular, Garcia says, this process should entail “evaluating the site and mobile app event data shared via pixel, API and SDK to understand whether any sensitive personal information is being captured or shared.”

Beyond evaluating their own processes, Garcia suggests that marketers should learn more about how their technology and media partners collect, store and use sensitive consumer data – and the potential impacts. She says that changes happening within the publisher ecosystem already indicate that platforms are becoming more conscious of their responsibility when it comes to sensitive data. “For example, Snap’s ‘Limit the Use of My Sensitive Personal Information’ toggle and Meta’s removal of certain fields from profiles foreshadows the types of changes that we may see from social partners,” she says.

4. A crackdown on secondary uses of data sends strong warnings to marketers

In a similar vein, CPRA aims to disincentivize businesses from using consumer data in ways that haven’t been explicitly specified to them.

“As we look ahead towards July 1, businesses should be mindful that the CPRA imposes additional restrictions not just on the disclosure of data, but also on secondary data use more generally,” says Marci Rozen, data security attorney and legal director at DC-based firm ZwillGen. In particular, she points out, businesses cannot process personal data in ways that are “incompatible” with the purpose for which it was originally collected.

But CPRA goes even further, demanding that organizations only process consumer data for purposes that are consistent with consumers’ “reasonable expectations,” per the law. It’s an addition that may create problems for businesses.

“This language is vague, and many businesses process information in ways that might be surprising to a consumer,” says Rozen. “It’s not yet clear how far the CPPA and attorney generals will push this language, so businesses should start thinking now about how they can enhance their disclosures or even cut back on secondary data uses – including advertising and profiling uses – to minimize their risk.”

5. Data minimization rules draw new boundaries

Generally speaking, the CPRA intends to make California law more like the EU’s sweeping General Data Protection Regulation. One such way is by adding data minimization requirements and storage limitations that ensure businesses cut down on data collection and storage at large.

Data minimization is becoming a key trend in new data privacy legislation more broadly. Five new state-level US data privacy laws slated to go into effect in 2023 all include data minimization clauses.

The CPRA requires that businesses only collect personal information that is necessary for legitimate business functions. The language of the law, however, is somewhat opaque. Companies will have to wait and see how the California attorney general plans on enforcing this requirement.

For marketers, however, it will mean exercising more scrutiny over the kinds of data being collected and tightening up the ship if necessary.

6. An expanded private right of action presents new legal risks

The CCPA included a private right of action, which enables individuals to bring a civil suit against a specific business and seek actual damages or statutory damages for failing to appropriately secure their unencrypted or unredacted personal information in the case of a breach.

CPRA expands this right by adding new categories of personal information for which consumers can sue, including email addresses in combination with a password or security question-and-answer that would allow login. Considering that many corporate data breaches expose such data, this addition represents a major new consideration for businesses, as it may increase liabilities.

Marketers need to work closely with other departments across the business to ensure information security is up to snuff so as to prevent network vulnerabilities that could lead to a breach.

An evolving state of affairs

The CPRA includes a number of additional changes when compared to its predecessor. It expands consumers’ right to access and delete their personal information and creates new rules that require businesses to notify consumers at the point of data collection. The law establishes new protections for minors, introduces new required updates for organizations’ privacy notices and more.

Broadly speaking, privacy professionals believe that the new CPRA will set the tone for the entire world of digital advertising and publishing. And it’s likely to prove challenging for the entire ecosystem.

“The CPRA is ushering in a ‘new normal’ for digital marketing – more consumer opt-outs, increasing scrutiny from customers and vendors and onerous new contract terms – all of which creates friction across the advertising ecosystem for advertisers, publishers and adtech providers,” says Austin Mooney, a global privacy and cybersecurity associate at international law firm McDermott Will & Emery.

To mitigate potential compliance challenges, Mooney advises that businesses take a future-focused stance now. “Companies can get ahead of these changes by being proactive in developing standardized contract templates and external communications, and by reevaluating their digital strategies in light of these changes,” he says.

In particular, Mooney points to the proliferation of first-party data strategies taking hold in the advertising ecosystem as a positive trend towards more privacy-focused consumer data collection and use.

Ultimately, the paradigm is shifting. “If all you are focused on is just trying to get ahead of CPRA, you are missing the bigger picture,” says Publicis Media’s Simpson. “Privacy by default is becoming the norm.”
