With the CCPA barely a year on the books, California voters tightened data privacy rules again by passing the CPRA in November 2020, leading the nation in legislation that penalizes businesses for breaking certain data handling and security rules.
Layered on top of Europe's GDPR, companies that do business on the Internet are already seeing changes in the information that comes from partner and traffic sources like Google and Facebook. Smaller online businesses are sure to be affected by these rules for their own customer data as well.
Most of what constitutes personal data is fairly obvious, and businesses by and large know what they need to keep safe and available for consumer review and deletion.
The CPRA removed the 30-day window businesses previously had to fix a violation before becoming liable for administrative fines. Those fines run up to $2,500 per violation, or $7,500 for each intentional violation or violation involving consumers under 16 years of age.
A business can also be sued for statutory damages by an individual (or a class) over a data breach if the violation is not cured within 30 days of receiving written notice. There are two caveats. One, the private right of action applies to breaches that result from the business failing to implement and maintain reasonable security procedures and practices, and the CPRA makes clear that putting those practices in place after a breach does not count as a cure. You have to have a security program in place before the violation.
Two, no notice is required before an individual sues for actual pecuniary damages, or where the business breaches the written statement it gave the consumer that the violations were cured.
Those fines go into a new Consumer Privacy Fund which, along with $10 million a year pulled from the California general fund, bankrolls a new enforcement agency, the California Privacy Protection Agency. The agency is to be up and running no later than July 1, 2021, though most of the legislation becomes operative on January 1, 2023 and applies to personal information collected by a business on or after January 1, 2022.
Businesses who are impacted
Companies that do business in the State of California and meet any one of the following:
- Have annual gross revenues in excess of $25,000,000
- Buy, sell or share the personal information of 100,000 or more consumers or households
- Derive 50% or more of their annual revenue from selling or sharing consumer personal information
- And newly added: any business that volunteers to be covered by the legislation 🙂
Even if you are a small business and don't obviously fall into any of the categories above, some pundits think the new definition of "sharing" data could make even small businesses subject to compliance.
The Elephant in the Room – Digital Ads and Tracking
The new definition of sharing covers disclosing personal information for "cross-context behavioral advertising," which in practice is what your cookies, tracking pixels, and advertising IDs are used for. And here's where things get really murky.
- Does even a small business engaged in minor advertising run afoul of the sharing limits if their ads use cross-context behavioral data?
- How do safe harbors – which allow a business to create contracts with their partners to provide assurance of compliance – provide protection from liability?
- And how exactly will cross-context behavioral advertising be permitted under the new laws?
There are a number of things underway. For instance, Apple now requires iOS apps to show a prompt and get the user's opt-in consent before they can track that user across other companies' apps and websites. This change was followed by a very public throwdown by Facebook, which responded with several major changes in how it collects data and reports it to its advertisers.
You are already seeing some businesses give California consumers a "Do Not Sell or Share My Personal Information" option, specifically covering cross-context behavioral advertising and as an extension of updated data privacy policies. This will become regular practice for all websites soon.
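To make the "Do Not Sell or Share" option concrete on the technical side, here is an added example of how a site can gate its third-party ad pixels on that choice. It is not code from the original post or from any vendor: the cookie name, the tag categories, and the tag registry are this example's own assumptions, and the check of the browser's Global Privacy Control flag (navigator.globalPrivacyControl) goes one step beyond the post, which only mentions the on-page opt-out link.

```javascript
// Added example: load tracking tags only if the visitor has not opted out of
// sale/sharing. Cookie name, categories and registry are assumptions, not a real API.

const OPT_OUT_COOKIE = 'dns_opt_out'; // assumed: set to "1" by the site's opt-out link

// Constructed tag registry for a hypothetical site; only the category drives the decision.
const TAGS = [
  { name: 'first-party-analytics',   category: 'analytics',         src: 'https://example.com/a.js' },
  { name: 'ad-retargeting-pixel',    category: 'cross_context_ads', src: 'https://ads.example.net/px.js' },
  { name: 'social-conversion-pixel', category: 'cross_context_ads', src: 'https://social.example.org/pixel.js' },
  { name: 'session-security',        category: 'essential',         src: 'https://example.com/sec.js' },
];

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    const val = part.slice(idx + 1).trim();
    if (key) out[key] = decodeURIComponent(val);
  }
  return out;
}

// True if the visitor opted out, either via the site's own cookie or via the
// browser-level Global Privacy Control signal. Both inputs are passed in explicitly
// (in a browser: document.cookie and navigator.globalPrivacyControl) so this runs offline.
function hasOptedOut({ cookieString = '', globalPrivacyControl = false } = {}) {
  const cookies = parseCookies(cookieString);
  return cookies[OPT_OUT_COOKIE] === '1' || globalPrivacyControl === true;
}

// Keep essential and first-party tags; drop cross-context advertising tags for opted-out visitors.
function selectTags(tags, optedOut) {
  return tags
    .filter(t => !(optedOut && t.category === 'cross_context_ads'))
    .map(t => t.name);
}

// inject(tag) is caller-supplied; in a browser it would append a <script src=tag.src>.
// Returns the decision so it can be logged for audit purposes.
function loadTags(signals, inject = () => {}) {
  const optedOut = hasOptedOut(signals);
  const allowed = new Set(selectTags(TAGS, optedOut));
  const loaded = [];
  for (const tag of TAGS) {
    if (allowed.has(tag.name)) {
      inject(tag);
      loaded.push(tag.name);
    }
  }
  return { optedOut, loaded };
}

// Stand-alone demo with a constructed cookie string.
console.log(loadTags({ cookieString: 'session=abc; dns_opt_out=1' }));
```

The important design point is that the decision is made before any ad script is injected, not after: once a retargeting pixel has fired, the disclosure to the ad network has already happened and cannot be undone by a later opt-out.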
We're not sure we are bothered by basic, long-established advertising functions. Behavioral marketing has been around for a while. Even remarketing (where ads eerily follow you from website to website) doesn't feel like a crazy stalker ex-boyfriend; it is more like your mother constantly reminding you to brush your teeth: annoying, maybe helpful, and harmless.
But it does cross the line when so much information is available about us online that our private fears can be exploited by nefarious individuals wishing to influence elections or worse. Add the anonymity of self-serve ad purchasing and you do have an opportunity for corruption. In the past, large ad buys were done person-to-person, not through the online, self-serve model that is so prevalent today.
Steps are being taken. Over the next three years, we are going to see less data available, more transparency, and more legislation/compliance. What we hope we don’t see is small businesses slapped with fines for innocuous infractions. Much like what happened with ADA when businesses were sued for $10,000 for a missing alt tag on a logo living on a three-year-old press release hidden deep on their website.
And this is where the heavy lifting is going to come into play for businesses: an already complex landscape poised to explode with legislation – added to the hoops your business partners (ie: Facebook, Google, Apple) are going to put you through – in order to ensure compliance across all.
Has your domain been verified? Has your account been verified? Are your admins using two-factor authentication? Are your ads rejected because you violated “community standards” (for instance you used age targeting on a real estate ad – that’s against Fair Housing laws). What happened to your analytics?
Data privacy and data security need to be part of a digital landscape that is changing at light speed. Keeping up with it is going to be hard, and will sometimes seem foolish (remind us again why we need to include targeting of 18-year-olds for a $1,000,000 commercial building?).
If you are struggling with getting your advertising live, or with understanding your new analytics, give us a call. We're on the front line of these changes and can help lead you through the agility course of interface changes with a minimal <insert facepalm emoji>.