Despite a few roadblocks at the end of 2022, the California Privacy Rights Act (CPRA) will go into effect early 2023. The clock for ensuring that your website is compliant has officially started.
The CPRA, an update to the California Consumer Privacy Act (CCPA), is a privacy regulation that gives consumers more control over how their data is used. The regulation applies to businesses that collect personal data from more than 100,000 California residents, whose gross annual revenue exceeds $25 million, and who earn more than half their revenue from selling California residents’ personal data.
Businesses that don’t comply with CPRA can face fines of up to $7,500 per violation. To ensure compliance, legal and marketing teams have to work together to ensure that their website effectively notifies website visitors from California how your business will use their data and provide an opportunity to opt out.
The “Do Not Sell or Share” Requirement
The CCPA required businesses to include a “Do Not Sell My Personal Information” (DNS) link on data-collecting pages that notified users of their rights and provided an opportunity to opt out.
The CPRA takes this one step further by giving consumers the power to not only opt out of businesses selling but also from sharing their personal information. This can refer to either data your business collects on its own or data collected by a third-party vendor via cookies.
Collaboration between legal and marketing is essential to ensure your website complies with CPRA. Here are some topics that legal can address with marketing to get the two teams on the same page.
Cross-Contextual Advertising
Cross-contextual advertising is the practice of tracking a consumer’s internet activities — sites they visit, apps they use, services they patronize, etc. — in order to target them with tailored ads based on their behavior.
This kind of data is the bread and butter of marketing teams and helps make their lead generation efforts more effective. Rather than advise marketing to get rid of cross-contextual advertising altogether, here are some questions legal can ask to understand it better:
- What data do we collect?
- How do we collect that data?
- How is that data transferred to that third party?
- How does that third party use it to advertise?
These questions can also inform the actions legal can take to mitigate risk. For example, collecting personal data vs. sensitive personal data may require different legal restrictions.
Alerting Website Visitors from California
Since consumer knowledge of and consent to these practices is key, marketing teams need to keep site visitors informed. Let them know what data your business collects, what you do with their data, and what remediating actions they can take to remove their data.
Legal and marketing teams need to brainstorm a strategy to be more targeted in their efforts. Together, they can determine whether it’s possible — or even preferable — to limit DNS exposure to only California web visitors.
Takeaways
With more cookie laws going into effect in 2023, the collaboration between marketing and legal is more crucial than ever before. Subscribe to our blog for more tips on how legal can work with other business units to meet goals and stay compliant.
Subscribe to the LinkSquares Blog
Stay up to date on best practices for GCs and legal teams, current events, legal tech, and more.