What Does the CPRA Mean for Marketers’ Data?

Alanna Goodman

Alanna Goodman

Content Marketing Specialist

Imagine you’ve been running a mandatory meeting for years and everyone you needed was always there. But soon, individual participants can opt out of attending. That would be pretty scary, right? What if no one decided to show up?

The California Privacy Rights Act (CPRA) gives consumers the right to do just that — but with their personal data. Effective January 1, 2023, the CPRA will supersede the California Consumer Privacy Act (CCPA), giving California residents more control over the personal data businesses collect. 

Since marketers rely heavily on personal data to inform their campaigns, understanding how to adapt to these new privacy acts can be daunting. Don’t worry — we’ve broken down what you need to know and how you can prepare for the impending CPRA.

What You Need To Know About the CPRA 

Under this act, marketers must notify California residents when they collect their data and allow them to opt-out of both the “sale” and “sharing” of their personal information. This includes the protection of sensitive data such as:

  • Government ID (social security number, driver’s license number, etc.) 
  • Finances
  • Geolocation
  • Race, religion, and union membership
  • Communications
  • Genetics
  • Biometrics
  • Health
  • Sexual orientation 

Marketers will also need to provide an opt-out for “cross-context behavioral advertising,” defined in the CPRA as targeted advertising based on users’ personal information that was collected across a variety of digital touchpoints, such as websites and apps.

Imagine you go to run a campaign on January 1, 2023 and find that an entire county decided to opt out of cross-context behavioral advertising. As a marketer, you wouldn’t be able to deliver any conversions.

Right now, you have the opportunity to prepare for the CPRA and keep much of your audience accessible by making individuals aware in real time when you have their data. From the consumer’s perspective, this creates a better experience. 

“If you’re willing to tell somebody immediately, ‘Hey, we’ve got your data,’ they appreciate the notice and are not as inclined to negatively react,” says Jim Donovan, vice president of emerging markets at ZoomInfo. “That’s what gets people more emotionally uncomfortable.”

The CPRA also:

  • Limits data retention. It requires companies to disclose, “the length of time the business intends to retain each category of personal information,” and not retain it “for longer than is reasonably necessary.”
  • Introduces a new right for data subjects to correct inaccurate personal data held by a business.
  • Requires companies to conduct regular privacy risk assessments and cybersecurity audits.
  • Penalizes those who violate the act with up to $2,500 per violation or $7,500 per intentional violation of data collected for those under 16. 

“The idea that people want to obfuscate their information is not new,” Donovan says. “The interesting thing is the existence of this law is not necessarily changing people’s perception around their privacy. It’s merely giving them access to a new mechanism to ensure it.”

Who does the CPRA apply to?

As with most new laws and regulations, there are limitations. California’s previously enacted privacy law applied to companies that do business in California, collect personal information, and determine the purposes or means of processing of that data. 

In addition, the CPRA will apply to companies that meet any of the following criteria: 

  • Made $25 million gross revenue the year before 
  • Buys, sells, or shares data on at least 100,000 consumers or households
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information

This means the CPRA will not apply to most small and medium-sized businesses, as well as government and non-profit organizations.

Future-proof your marketing data strategy 

Businesses will also have to report on their data processing activities from the previous year, which covers personal data that was collected starting January 1, 2022.

News alert: That’s soon!

If you’re not already in compliance with the CPRA, you need to act fast. When evaluating data vendors, ensure that they can quickly articulate and demonstrate they are compliant with CPRA, along with all other major privacy acts (such as the GDPR).

Start operating in the future today so you won’t have to shift your entire marketing spend overnight. Partner with a data vendor that will coach and consult you on how to access clean data and take the necessary steps to ensure compliance. That way, when the changes come, you’ll be ready.