Blog Technology

The CPRA Is Here: Impacts on U.S. Businesses and What’s to Come

4 min read
Share In a Post:
Alyssa ThompsonSenior Account Executive

Data privacy has emerged as an issue of critical importance over the last few years. As consumers adopted new digital technologies, companies adjusted their business models to adapt to the new market reality. Online entities began offering consumers access to digital services at no cost. In the digital world, however, free is never really free — consumers are the product, and businesses are reaping the benefits of monetizing personal data.  

For as long as there’s been user data, companies have been entrusted with the responsibility to safeguard it. Still, some have seemingly leveraged it for profitable gain. For decades, companies have failed in their pledge to protect information, and with proliferating cyber breaches sweeping the globe, users’ privacy concerns have amplified, spurring their demands for greater control over their data — how its collected, used and sold.    

Governments around the world have introduced new regulations to safeguard users’ personal information. In the U.S., we’ve seen the enactment of the groundbreaking California Consumer Privacy Act (CCPA), and more recently, a more stringent iteration, the California Privacy Rights Act (CPRA), which enters into force on January 1, 2023. 

Just as companies started to get their ducks in a row with the CCPA, California voters resolved via ballot initiative to enact the CPRA, a significant expansion of the state’s existing privacy laws.

The privacy landscape is changing, and in turn, effective data governance is rapidly becoming an area of strategic importance for businesses that collect, use, share and sell customer data. The stakes are high, and consumer awareness of data privacy issues is growing. The way businesses handle consumer information is now a point of differentiation, and if done right, a source of competitive advantage. 

To better understand what’s to come, PAN connected with Ted Karch, principal attorney at Karch Legal, to help outline key changes to the existing regulation and their implications for the global business landscape.  

Farewell CCPA, Hello CPRA  

When the CCPA went into effect on January 1, 2020, businesses worldwide that operate in California had to make considerable adjustments to their methods for collecting, storing and sharing the personal information of California residents – including amending privacy policies, updating service provider contracts, and introducing methods for consumers to access, delete, or opt out of sale of their information. However, just as companies started to get their ducks in a row with the CCPA, California voters resolved via ballot initiative to enact the CPRA, a significant expansion of the state’s existing privacy laws.  

The CPRA maintains the core framework of its predecessor but changes some provisions and adds new obligations. Centered around further bolstering the privacy rights of California consumers, the law introduces more stringent rules for companies that do business in the state, whether based in California or not, and satisfy at least one of the following criteria:  

  • Grosses more than $25 million in annual revenue  
  • Derives 50% or more of its annual revenue from the sharing or selling of personal information  
  • Annually buys, sells or shares personal information of 100,000 or more California residents or households  

Set to take full effect in 2023, the CPRA has several new and notable provisions, including but not limited to:   

  • The creation of the California Consumer Protection Agency (CPPA) to issue regulations and enforce the law  
  • Data retention, data minimization, and purpose limitation requirements   
  • Expanded consumer privacy rights , including to correct inaccurate information, limit the use and disclosure of “sensitive personal information” and request to opt out from information sharing for certain advertising purposes 
  • Adding new requirements for contracts with third parties, service providers, or contractors where personal information is disclosed 
  • On July 8, 2022, the CPPA officially commenced its formal rulemaking process to adopt regulations further delineating what businesses must do under the CPRA. The agency is accepting comments until August 23, 2022. Once enforcement begins, the CPPA will be empowered to issue administrative fines or cease and desist orders for violations.  

So, What Does This Mean for PAN & Clients?

At PAN, transparency is one of our core values. Beyond our personal commitment to safeguarding personal data, as PR professionals, we have a responsibility to help our customers deliver their messaging commitment to uphold the CPRA in a clear, understandable and accurate manner. The importance of presenting a business and its stance on the CPRA — and more importantly, how those words are put into action — is of critical importance over the next few years.  

The way businesses handle consumer information is now a point of differentiation, and if done right, a source of competitive advantage. 

For many businesses, the burden of legal compliance can feel unconquerable. Many are ill-prepared to fulfill the requirements of CCPA and now the CPRA. In fact, according to a Cytrio study, by the end of Q1 2022, almost 90% of companies were non-compliant or only partially compliant with the CCPA. In the months and years ahead, businesses can expect increasingly hefty penalties for non-compliance or even legal orders to cease certain offending activities. Beyond finances, they also will feel the effects of a tarnished reputation and damaged customer loyalty. To thrive in this new era, businesses must ensure they are prepared to meet the legal obligations that come with these new, more restrictive protections.  

A Look at What’s Ahead

California has set a precedent for privacy regulations in the U.S. and worldwide. Some experts predict that where California goes, the rest of the country may soon follow. In fact, since the CCPA went into effect, several other states including Colorado, Connecticut, Utah, and Virginia have followed suit and signed similar protection acts into law.  

The pace of new privacy regulations is rapidly accelerating worldwide, and it’s important that businesses enhance their practices to go beyond the bare minimum to protect their customers. By ensuring data protection is a foundational element of an organization, leaders can not only avoid the financial penalties tied to non-compliance but build and sustain trusted relationships with their customers.

Learn more about PAN Security.
An image of PAN's Brand Experience Report on the Potentials and pitfalls of AI for marketers

In our annual Brand Experience Report, we asked marketers and customers how they are using and experiencing AI to better understand how the technology is changing that relationship.