Data privacy has emerged as an issue of critical importance over the last few years. As consumers adopted new digital technologies, companies adjusted their business models to adapt to the new market reality. Online entities began offering consumers access to digital services at no cost. In the digital world, however, free is never really free — consumers are the product, and businesses are reaping the benefits of monetizing personal data.
For as long as there’s been user data, companies have been entrusted with the responsibility to safeguard it. Still, some have seemingly leveraged it for profitable gain. For decades, companies have failed in their pledge to protect information, and with proliferating cyber breaches sweeping the globe, users’ privacy concerns have amplified, spurring their demands for greater control over their data — how its collected, used and sold.
Governments around the world have introduced new regulations to safeguard users’ personal information. In the U.S., we’ve seen the enactment of the groundbreaking California Consumer Privacy Act (CCPA), and more recently, a more stringent iteration, the California Privacy Rights Act (CPRA), which enters into force on January 1, 2023.
Just as companies started to get their ducks in a row with the CCPA, California voters resolved via ballot initiative to enact the CPRA, a significant expansion of the state’s existing privacy laws.
The privacy landscape is changing, and in turn, effective data governance is rapidly becoming an area of strategic importance for businesses that collect, use, share and sell customer data. The stakes are high, and consumer awareness of data privacy issues is growing. The way businesses handle consumer information is now a point of differentiation, and if done right, a source of competitive advantage.
To better understand what’s to come, PAN connected with Ted Karch, principal attorney at Karch Legal, to help outline key changes to the existing regulation and their implications for the global business landscape.
When the CCPA went into effect on January 1, 2020, businesses worldwide that operate in California had to make considerable adjustments to their methods for collecting, storing and sharing the personal information of California residents – including amending privacy policies, updating service provider contracts, and introducing methods for consumers to access, delete, or opt out of sale of their information. However, just as companies started to get their ducks in a row with the CCPA, California voters resolved via ballot initiative to enact the CPRA, a significant expansion of the state’s existing privacy laws.
The CPRA maintains the core framework of its predecessor but changes some provisions and adds new obligations. Centered around further bolstering the privacy rights of California consumers, the law introduces more stringent rules for companies that do business in the state, whether based in California or not, and satisfy at least one of the following criteria:
Set to take full effect in 2023, the CPRA has several new and notable provisions, including but not limited to:
At PAN, transparency is one of our core values. Beyond our personal commitment to safeguarding personal data, as PR professionals, we have a responsibility to help our customers deliver their messaging commitment to uphold the CPRA in a clear, understandable and accurate manner. The importance of presenting a business and its stance on the CPRA — and more importantly, how those words are put into action — is of critical importance over the next few years.
The way businesses handle consumer information is now a point of differentiation, and if done right, a source of competitive advantage.
For many businesses, the burden of legal compliance can feel unconquerable. Many are ill-prepared to fulfill the requirements of CCPA and now the CPRA. In fact, according to a Cytrio study, by the end of Q1 2022, almost 90% of companies were non-compliant or only partially compliant with the CCPA. In the months and years ahead, businesses can expect increasingly hefty penalties for non-compliance or even legal orders to cease certain offending activities. Beyond finances, they also will feel the effects of a tarnished reputation and damaged customer loyalty. To thrive in this new era, businesses must ensure they are prepared to meet the legal obligations that come with these new, more restrictive protections.
California has set a precedent for privacy regulations in the U.S. and worldwide. Some experts predict that where California goes, the rest of the country may soon follow. In fact, since the CCPA went into effect, several other states including Colorado, Connecticut, Utah, and Virginia have followed suit and signed similar protection acts into law.
The pace of new privacy regulations is rapidly accelerating worldwide, and it’s important that businesses enhance their practices to go beyond the bare minimum to protect their customers. By ensuring data protection is a foundational element of an organization, leaders can not only avoid the financial penalties tied to non-compliance but build and sustain trusted relationships with their customers.