CPRA: Everything you need to know

By Rokt

If you look through a list of the largest consumer data breaches in the last ten years, you’ll see massive names in the technology, search, and social spaces that everyone will be very familiar with. For most active internet users, the chance that their data, be it a name, an account number, or something more sensitive, has been breached is not small.

The breaches of these companies affected hundreds of millions and were widely publicized, making data privacy an increasingly important issue in recent years as technology has advanced and the amount of personal information being collected and shared online has grown exponentially. One of the most significant developments in data privacy was the implementation of the General Data Protection Regulation (GDPR) in the European Union in 2018. In the United States, California has since enacted two transformative legislative acts intended to enhance consumer data privacy rights and protections, the most recent being the California Privacy Rights Act (CPRA), which took effect on January 1, 2023.

Many US companies have been steeling themselves for US-based legislation expanding data privacy since the introduction of GDPR. In a poll conducted by Cisco in 2022, 81% of respondents reported that they believe the way a company treats their personal data is indicative of the way it views them as customers. It is now more important than ever for businesses to make sure they are prepared for a privacy-forward future.

How has data privacy and security evolved?

Historically, consumer data privacy laws in the European Union (EU) have been much stricter and more comprehensive than those in the US. In the early 2010s, the EU started drafting legislation that affirmed privacy as a fundamental human right. In 2018, the General Data Protection Regulation (GDPR) went into effect, asking many of the same questions posed by the Organization for Economic Cooperation and Development (OECD) guidelines written decades before.

Around the world, there is an ever-increasing number of data privacy laws and regulations, most of which are modeled on GDPR. Global companies will need to manage their compliance with a wide variety of laws, depending on where they operate, including: the Privacy Act (Australia), Lei Geral de Proteção de Dados (Brazil), Amended Personal Data Protection Act (Singapore), Personal Information Protection and Electronic Documents Act (Canada) and California Privacy Rights Act (US).

The introduction of CPRA

The California Consumer Privacy Act (CCPA) was the first and most extensive law of its kind in the US to codify privacy protections for California residents. Before the introduction of CCPA, the US federal government passed laws aimed at protecting select areas of data privacy such as children’s online protection (COPPA) and spam email (CAN-SPAM). Following the passage of these laws, many states have begun, one by one, to adopt their own version of a data breach notification law.

The CPRA is a new piece of legislation that builds on the existing protections outlined in CCPA to further strengthen the privacy rights of California residents.

The CPRA, which took effect on January 1, 2023, builds on the CCPA by providing additional rights to California residents.

The CCPA granted the rights:

  • To be informed about when personal information is being collected
  • To request personal information that has been collected
  • To have personal information deleted upon request
  • To exercise consumer rights without fear of discrimination
  • Direct right of action in the case of a breach

And the CPRA expanded upon those by granting the rights:

  • To correct inaccurate information (new under the CPRA)
  • To limit the use of sensitive personal information (new under the CPRA)
  • To opt out of the sharing of consumer personal information, in addition to the sale of it (expanded under the CPRA)

As advertising and ecommerce technology becomes more robust and widespread across industries, the expansions and additions in the CPRA are laying the groundwork for increased privacy rights in the future.

The changing digital landscape

The CPRA shifts the data privacy landscape and how companies advertise and do business by providing additional rights to consumers. As technology develops, standards increase. This obligates businesses to think of the customer first, create optimizations based on expected outcomes, and allow consumers to have complete control over the data they store.

Providing control and transparency over the use of data is not a new concept. For years, digital marketers have relied on consumers granting access to their data, typically location data, from their personal devices despite the lack of true understanding regarding what it is being used for. Now, with the CPRA, consumers have the right to know what is being collected and used, and even to request that their data be deleted. This could mean losing customers for some brands. It is now more important than ever that companies create a meaningful, mutually beneficial relationship between consumers and their brand so that consumers have trust and confidence in how a business is using their data.

Rokt and data

As a trusted intermediary between customers and brands, focusing on data privacy and security is an integral part of Rokt’s ability to improve relevancy in ecommerce. Rokt, as a client-controlled platform, allows clients to use their first-party data without needing to share it with anyone, and the relevancy we deliver during the transaction moment is core to the service we provide to clients. Rokt was built for a privacy-first future and maintains continuous focus and investment in its ongoing privacy and security compliance obligations. Learn more about how Rokt handles data here.

The CPRA represents a significant step forward in protecting the privacy rights of consumers in the US and will have a significant impact on how companies do business. Ecommerce businesses must address these new rights by revising their compliance program strategies and adopting modern privacy tools. By adhering to these standards, businesses can give their consumers control and transparency over their data while gaining and maintaining trust.