Last updated: California Privacy Rights Act: What companies need to know

California Privacy Rights Act: What companies need to know


Listen to article

Download audio as MP3

The recent passage of the California Privacy Rights Act poses a big question to global enterprises: Can you see the forest through the trees?

Yes, the individual tree that’s dominating the current data privacy landscape demands attention. The CPRA mandates tough customer data collection and processing rules businesses will need to address, or they’ll face tough consequences.

But business leaders also need a wider perspective to see the whole forest. This legislation proves just how important data privacy is to consumers. And for consumers, how well a company protects their data privacy heavily impacts their perception of a brand.

So, let’s analyze the details of the new California privacy law, but also take a step back to assess the wider impact of data privacy on customer experience.

What is the California Privacy Rights Act?

Listed on the ballot as California Proposition 24, the legislation expanded the coverage and penalties originally laid out in the California Consumer Protection Act of 2018. When all the votes came in, it passed by a wide margin – 56.2% to 43.8%. The new rules – sometimes referred to as CCPA 2.0 — take effect January 1, 2023.

One big change: The new act expands the access rights of data subjects (individuals) residing in California to more closely mirror the rights of EU residents under the General Data Protection Regulation (GDPR).

In addition to the rights granted by the CCPA, consumers will be able to:

  1. Prevent businesses from sharing their personal information
  2. Correct inaccurate personal information
  3. Restrict businesses’ use of a new category of personal data called “sensitive personal information.” which includes race, ethnicity, religion, genetic information, sexual orientation, precise geolocation, and financial information.

The data-sharing restrictions are significant. Many companies used the CCPA’s “service provider exception” to share customer data with publishers and ad tech vendors. This practice effectively sidestepped the purpose of the old legislation’s “opt out of the sale of personal data” requirement. Now, thanks to the CPRA, consumers can better protect themselves.

In addition, the CPRA expands the state’s ability to enforce its data privacy rules. It triples penalties for violating the rights of minors and establishes the California Privacy Protection Agency, which will enforce the laws and protect consumers’ privacy rights.

Data privacy today: Consumers are in the driver’s seat

In his 2019 research paper, “Data Privacy Goes Mainstream,” privacy expert Tim Walters says:

“Of course you need to comply with myriad data regulations… But as the formerly ‘nebulous concerns’ about predatory data practices become a very real consumer backlash, firms risk far greater financial damage by failing to understand these evolving demands of the experience economy.”

The California Privacy Rights Act proves Tim’s point. Beyond expanding the impact of the CCPA, it demonstrates consumer demand for data privacy protections. Regional governments continue to pick up on this consumer-driven trend, and several more are issuing their own data privacy laws in the near future.

Here’s the inescapable truth for businesses today: Consumer privacy and data protection are key to the overall customer experience. Consumers may enjoy the timesaving and convenience benefits of personalized engagements, but they’re still not willing to give brands permission to use their personal data.

In fact, the CPRA addresses the sentiments expressed in a U.S. survey that found that over 80% of the respondents wanted the right to tell an organization not to share or sell their personal information.

Give customers what they want: transparency and data control

More than ever before, a piecemeal strategy of addressing individual regulatory matters as they emerge is a recipe for disaster for bottom-line revenue and brand reputation. There are simply too many regulations to track and address. At the same time, customers are neither stationary nor static.

Some businesses are realizing their homegrown solutions are too difficult to scale, too slow to implement, and too resource intensive to sustain. Others are realizing their plan for stitching together existing identity and access management systems to address consent and preference data management is too limiting and expensive.

Here’s where enterprise consent and preference management (ECPM) solutions come into play. An ECPM solution helps provide customers with the transparency they demand by:

  • Presenting terms, data privacy policies, and requests for permission to receive marketing communications or to take part in custom marketing activities
  • Creating records of captured preferences and consent and maintaining version control of these records throughout the customer lifecycle, in order to satisfy audit requests
  • Ensuring that consumer preferences are enforced accurately across every downstream service and application involved in permission-based processing of consumer data

Along with transparency, ECPM solutions put customers in control of their personal data visa self-service preference centers. These portals provide consumers with an intuitive, always-on ability to exercise their data subject access rights, change their marketing preferences, and manage their profile data.

Advanced solutions also enable businesses to maintain all customer information in one place, while addressing data privacy requirements to keep granular records on consumers’ consent and preferences.

Bottom line: It’s all about trust

When it comes to delivering winning customer experiences, “seeing the forest through the trees” is easier said than done. In today’s digital-first environment, success requires a shift from a reactive, compliance-centric posture to a proactive approach that acknowledges consumer concerns and responds with genuinely privacy-centric relationships.

The question is not if you must comply with the regulatory requirements, but how doing so can earn the long-term trust and loyalty of your customers while setting you apart in a crowded market.

Win trust + loyalty
with a data great strategy

Share this article


Search by Topic beginning with