Last week, Californian voters approved Proposition 24 (also known as the California Privacy Rights Act of 2020, or CPRA), a ballot initiative intended to build upon the state’s current privacy legislation, the California Consumer Protection Act (CCPA) of 2018.
The CPRA moves closer to the GDPR, bringing in an independent regulator, the right to correct inaccurate information, data minimization, purpose limitation, and more.
While the CPRA will most directly impact Californian citizens and the organizations that do business with them, people from across the United States are largely in favor of taking a similar approach to consumer privacy protection. A post-election Privitar poll of 1,000 American consumers run by market research firm Dynata found that:
For organizations wondering what the U.S. privacy landscape might look like in a few years’ time, this is instructive but by no means conclusive.
For organizations that do business in California and/or with Californian residents, there are some clear considerations that should be taken into account today to prepare for the CPRA’s eventual enforcement.
The CPRA makes a wide range of changes to the CCPA. Three significant changes businesses should be aware of are:
Although the CPRA won’t come into effect for a little over two years, preparing for some of the changes may take time, and so it is worth starting to think now about what the CPRA means for your business.
For example, limits on both data sharing and internal secondary uses of sensitive data may reduce many organizations’ ability to gain insights and extract value from the data they hold.
To understand how this may affect you, start by looking at what data you currently share, or have shared with you, and whether you hold data classified as ‘sensitive’ under the new definition. If you do, consider what the impact would be if your consumers decided to opt out and how you might mitigate this risk. Would providing better privacy protections and greater transparency reduce the likelihood of consumers opting out? Could you use de-identified data that is out of the scope of the law?
Strategies such as these, if pursued, may take time to implement, meaning it’s worthwhile starting now.