Christopher Penn is co-founder and chief data scientist of TrustInsights.ai, a marketing analytics consulting firm.
We asked him to explain what marketers need to know about the California privacy laws CCPA and CPRA.
There are two major privacy laws that govern what businesses are permitted to do with consumer data:
- CCPA, the California Consumer Privacy Act, which took effect January 1, 2020;
- CPRA, the California Privacy Rights Act, which takes effect January 1, 2023.
CPRA in particular is reminiscent of the regulations around the EU’s GDPR, the General Data Protection Regulation.
CCPA essentially said that companies cannot sell consumer data without consent; CPRA expands that to say you cannot share consumer data without consent.
When gathering any personally identifying piece of information, marketers must obtain specific consent from the users for whatever they’re going to use that information for.
For example: if my company, Trust Insights, did a partnership with Agorapulse, and a consumer said, “I consent to Trust Insights sharing my data with Agorapulse,” then it would be okay to share that data. But if I just said, “Trust Insights collects your data,” under both CPRA and GDPR, I cannot legally share that with a partner without the explicit consent of the consumer.
One of the other things that’s interesting about California’s law, which is a scope change from GDPR, is that it applies at the household level. So it is not just enough to obtain consent from the person whose personal information you’re gathering—for tracking purposes, you need to gain consent by household in California, because you’re targeting the entire household.
Be sure that your legal department is well-read on these laws—and be sure that you are well read on these laws—to avoid the extremely high fines that come with violating them.