5 Steps to a CPRA-Ready Tag Management Strategy
With 56.1% of the vote, the California Privacy Rights Act (CPRA) was approved by California residents on November 3, 2020. The CPRA makes significant amendments to the California Consumer Privacy Act (CCPA), which came into effect earlier this year, and will have a massive impact on the entire online advertising ecosystem. Like its predecessor, the CPRA is complex and ambiguous. While it seeks to clarify certain aspects of CCPA, in many ways CPRA will cause increased uncertainty as additional obligations are placed on companies.
Although the new law is not scheduled to become operative until January 1, 2023, as many learned with the enactment of Europe’s General Data Protection Regulation (GDPR), two years goes by quickly. For companies seeking to corral the mass of cookies, trackers, beacons, pixels, and other undisclosed third parties on their websites, it is best to act now to ensure not only that your website is compliant, but that it provides a privacy experience that strengthens rather than detracts from your marketing initiatives.
Below are 5 key steps enterprises need to take now, to futureproof their privacy programs in light of the key changes brought about by CPRA and the domestic and international variations that are certain to follow.
1. Get visibility and control over “cross-contextual behavioral advertising” information sharing
The most significant change brought by CPRA is the expansion of the “Do Not Sell” requirement under CCPA. Now, in addition to covering the “sale” of personal information, the concept of “sharing” any personal information for the purposes of “cross-context behavioral advertising” is specifically included. While the “sale” requirement under CCPA arguably applied to online ad networks, this amendment firmly closes a legal loophole by confirming that opt out rights are mandatory for all targeted advertising.
This functional change means that any business that has remained on the sidelines during the initial months of CCPA enforcement and declined to call this type of ad tech sharing a “sale” should start now to treat it this way. As such, the “Do Not Sell My Personal Information” link will be required to read “Do Not Sell or Share My Personal Information.”
Moving forward, businesses that fall within the scope of CPRA will need to be aware of all trackers on their site and able to provide a mechanism for consumers to opt out of sharing their personal information. This means that the application of CPRA is not limited solely to cookies – the new regulation will apply to each and every vendor, service provider, contractor and third party on your website that may be involved in advertising. This means that you will need tools to discover the breadth of trackers on your site.
As the below image taken from Crownpeak’s Trackermap indicates, identifying these vendors is no simple task:
And your responsibility does not stop here. Once you have audited and identified each of the vendors, not only will you need to provide opt-out signals to each advertising vendor, and most analytics vendors, as a best practice you will also need tools to help manage and control the vendors.
Further, CPRA has expanded the consumer right to request the deletion of personal information by eliminating some of the exceptions under CCPA. Under the CPRA any company receiving a deletion request must notify the relevant service providers or contractors to delete the user’s data and these vendors must in turn notify any of their partner organizations with whom the data was shared. The only way to fully comply with this provision is to be aware of every vendor and tracker on your site.
This is where having a comprehensive tag management solution provides enterprises with a strategic advantage: Enabling them to move beyond a simple, reactive compliance posture to deliver dynamic, real-time privacy experiences that fulfill your legal obligations and provide both you and your customers with visibility and control over the tags on your site.
2. Empower your customers with mandated consent controls and disclosures
Unlike GDPR, CPRA (as in the case of its predecessor), remains an opt-out consent experience. With the broadened requirements now covering data sharing with behavioral advertising platforms, it is imperative to provide consumers with the ability to fully exercise their consent choices. To operate this effectively, you need to know exactly what data your company is collecting and where it resides.
Below are three important new requirements introduced by the CPRA that enterprises should be aware of:
Right to limit uses of sensitive personal Information
The CPRA adds a new consumer right to limit the use of “sensitive personal information,” which includes government IDs, health, race, ethnicity, religion, biometric information, and more. Consumers will have the right to opt out of having this information sold or shared. As a website publisher, if you collect sensitive personal information, it will be a requirement to provide a “Limit the Use of My Sensitive Personal Information” link on your homepage. This will be in addition to the “Do Not Sell or Share My Personal Information” link. While CPRA does not have a banner requirement, the proliferation of links mandated by the law makes it incumbent upon the compliance team to work with Marketing and IT to ensure the user experience is not negatively impacted.
“Consent” means freely given; No “dark patterns”
The updated legislation includes a definition of “consent” which will be required any time opt-in is mandated, such as sharing or selling the personal information of consumers under 16 years old. Along with this new definition is the prohibition on obtaining consent through manipulation via the use of “dark patterns,” or user interfaces designed to subvert or impair user autonomy, decision-making, or choice.
Loyalty and rewards programs: Exception to right of non-discrimination
The CPRA introduced a new exception to a customer’s right to not be subject to different pricing schemes for exercising their opt-out rights. This right of non-discrimination does not apply to loyalty or rewards programs. If such a program depends upon retaining or sharing personal information with partners, a consumer who opts-out may be denied its benefits. This new clause has been the subject of controversy as opponents insist that this will be used as a “pay-for-privacy” scheme where discounts will be withheld unless the consumer allows the business to harvest granular data about their shopping habits, and then profit on disclosure of that data.
In architecting your company’s consent management solution, it is crucial to ensure that proper disclosures are made, and customers fully understand to what they are consenting and under what circumstances. This is especially true considering this clause will be subject to much scrutiny and, likely litigation.
3. Leverage tag management tools for privacy risk assessments
For processing personal information which presents a “significant risk” to a consumer’s privacy or security, companies will be required to conduct annual cybersecurity audits and privacy risk assessments. These audits and assessments will need to be submitted to the newly established California Privacy Protection Agency (CPPA) – an independent watchdog whose mission is to “vigorously enforce” the CPRA. The new requirement means that businesses will need to conduct internal risk assessments, followed by formal submission of a professional document to the government.
This means it will become imperative to have visibility of all the piggyback tags, undisclosed tags, and data leakages on your site that may raise compliance and security issues. Merely providing legal arguments to justify the reasons you are processing personal information that potentially carries a significant risk is not sufficient.
Along with hard data supporting your risk assessments, you will need a means of rectifying any issues identified and pledging that your company will continue to monitor and optimize the way it handles data.
Having tools at your disposal that can maintain a comprehensive and accurate historical audit of all trackers, whether disclosed or not, that may be causing compliance issues will enable you to work with regulators effectively.
4. Avoid the pitfalls that might lead to future enforcement action or litigation
With enforcement for the CPRA moving from the Attorney General’s office to the independent CPPA, an increase in legal actions is expected. Separately, CPRA allows for private rights of action for security breaches that impact personal information. This expansion combined with the little-discussed provision included in the CCPA that enables Authorized Agents to act on behalf of aggrieved consumers will likely lead to a flurry of litigation in the coming months and years.
With the establishment of the CPPA and the formation of a privacy litigation industry, it is imperative that you are aware of all the unknown leaks and piggyback tags on your website and in your privacy program. The damage that a rogue tag could cause to your business and reputation is immeasurable.
5. Embrace data minimization and security
In a nod to GDPR, CPRA added new requirements around data collection, retention, and protection. In particular, all measures regarding the use of data must be reasonably necessary, not inconsistent with disclosed purposes, and transparent. The CPRA also added a definition of “profiling” as relates to automated processing of personal information to analyze or predict aspects concerning a person’s actions or preferences. Like the inclusion of sensitive personal information, these measures further conform California privacy law to the protections offered by GDPR. Further regulations regarding these provisions are forthcoming, so it is in your best interest to ensure your company acts now to limit the collection of data in general, and for only the purposes required to provide a beneficial customer experience.
CPRA and beyond: Future-proofing your approach to privacy
With increased enforcement and litigation looming on the horizon, passage of the CPRA makes it incumbent upon your company to act now to build a privacy program that is premised upon a strategic, holistic approach. Simple consent management platforms do not provide the depth required to disclose or reveal all the unknown contractors, vendors, and trackers on your website.
Beyond CPRA, the proliferation of worldwide regulations means that any solution you implement now must be engineered to evolve: There is no stopping the ongoing “splinternet” of data privacy regulations. As a practical matter, whether the U.S. remains an amalgamation of regulations for the foreseeable future, or the European Union passes the ePrivacy Regulation, is irrelevant. You will be doomed to playing “whack-a-mole” if you attempt to predict the future. Privacy is now a geopolitical issue and the best approach is to understand all the vendors that may be present on your site and to act to future-proof your program. Beyond checking compliance boxes, without the tools to build customer trust, your company will not get very far in the new world of privacy. The time to start is now, before it is too late.
To learn more about Crownpeak’s Tag Management Solution, and how we can help you gain visibility and control over your digital supply chain, speak to an expert today.