What Prop 24 Means for Your Data Privacy Strategy
California recently passed Proposition 24, a landmark data privacy referendum that expands privacy protections in the world’s fifth-largest economy. Starting in 2023, the nation’s most comprehensive privacy regulations will protect nearly 40 million people and govern $3.2 trillion in economic output.
Prop 24 will ripple across America, which still lacks a national privacy law. Most companies will choose to extend these privacy protections to all users — rather than address the privacy patchwork with state-specific solutions. That solution is easier and more economical.
So what does this mean for those of us working in technology and connected devices? We have a whole new set of rules to learn. Prop 24 replaces the CCPA with the CPRA, which stands for the California Privacy Rights Act. Here are a few action items to guide you as you reorient around the latest data privacy regulations.
#1: Prepare for data privacy enforcement
The passage of Prop 24 creates the Privacy Protection Agency, America’s first government watchdog for privacy and data protection. The statewide agency will have a budget of at least $10 million annually, finally putting enforcement muscle behind privacy protections, something that the previous privacy law (the CCPA) lacked.
Businesses that leak data (either knowingly, by sharing without permission, or unknowingly via a data breach) will pay $2,500 per violation. The per-violation fine triples fines for violating the privacy of minors, which means that each violation can cost your business $7,500! You’ll want to be very careful if any of your connected devices capture or otherwise interact with data from those under 15.
Also, know this: the threat of fines is blood in the water for hackers. In Europe, bad actors are forcing businesses to pay up using ransomware and the threat of GDPR fines. These attacks will likely shift to the US now that there’s a privacy enforcer. Now is the time to shore up your cybersecurity defenses and prepare staff!
TL; DR: Voluntary compliance is over. Get ready for America’s first privacy enforcer. Make a plan to verify your data tracking, collection and storage methods so that you have clear documentation and strong internal controls.
#2: Evolve for the end of cookies
Cookies — the small files used to track users across the internet — are on their way out. Good riddance! Cookies were intended to improve the user experience by remembering details about users between sessions. Instead, they became invasive trackers that enabled a massive industry to invade privacy, often without permission.
It’s long past time to rebalance the dynamic. Consumers have a right to privacy and the industry must catch up. We need to prepare for our cookieless future and create solutions that offer insights and anonymity simultaneously. We can no longer expect to know everything about consumers in a permissionless environment; rather, the marketing industry must evolve with innovations that aggregate data in useful ways while preserving privacy.
Most people are ok with this type of anonymized aggregation, also called “differential privacy.” It’s a data collection framework that collects data in aggregate without ever revealing the identity of individuals. It can even be used to automatically ensure that data sharing across borders conforms to local privacy laws.
TL; DR: Future-proof your data discipline. Preserve anonymity, avoid collecting unnecessary personal information and use pattern matching to build segments that give aggregated, actionable insights without compromising individual identity.
#3: Put AI to work for data privacy management
Artificial intelligence is at work in other areas of your business — why not put it to work for privacy too?
AI can detangle the complexities of privacy management by rapidly sorting and segmenting user data to conform to privacy regulations while still offering the benefits of personalization to both consumers and companies. AI can also make sure that you are only storing necessary information and thus minimize your data collection footprint — and privacy compliance exposure.
By using its capabilities to process massive data sets, you can both increase precision and reduce human intervention when it comes to privacy compliance. These two factors — precision and human intervention — are going to be key when the sheer volume of data that will soon be governed by Proposition 24 will accelerate investment and innovation. Companies will need to maintain data privacy while still preserving the reach, quality and precision that their advertising-based business models depend on.
TL; DR: When implemented strategically, AI can help you sort, segment and store data in ways that both preserve privacy and comply with CPRA. Use it!
#4: Monitor your thresholds
The CPRA changes the compliance thresholds in two key ways. First, sharing is now the same as selling. If your business shares data with third parties for commercial purposes (without necessarily selling that data), you’ll be on the hook for compliance.
Second, the CPRA doesn’t apply to businesses that bought, sold or shared data from fewer than 100,000 customers/households annually. That’s up from 50,000 customers/households, which is a good thing for startups seeking traction. But, in the trenches of startup life, it can be easy to cross this threshold and not even realize it.
However, you’re still on the hook if your company made more than $25 million in gross revenue in the previous calendar year. And, if you use sister brands, these thresholds still apply if it’s clear to consumers that your sister brands share common ownership. So don’t think about circumventing these rules by making subsidiaries — unless they truly are standalone brands.
TL; DR: If you buy, sell or share data from more than 100,000 customers or households, you must comply with CPRA. Monitor this threshold closely.
#5: Innovate now to leap ahead later
In a nod to increased control, Prop 24 adds a new right to limit data sharing, which isn’t covered by California’s prior law, the CCPA. This is a step in the right direction. However, consumers want more than just the right to limit how companies collect, use and share their data. The onus shouldn’t be on the consumer to navigate these complexities; brands should implement user-centric privacy tools that empower consumers, not companies.
First and foremost, they want more transparency. In one survey, four out of five consumers will share more data if brands are transparent about how it’s used. They also want more control. In the National Privacy Survey, which my company did in anticipation of Prop 24’s passage, we found that not only did the majority of Americans want a national privacy law, but they also want new tools: 83% of Americans want the right to set an expiration date for their personal data.
These types of privacy innovations may be complex to deliver at scale, but it is the true benchmark for control. Data expiration controls empower consumers to determine the ideal privacy parameters for their unique needs, all on a case-by-case basis. That’s true transparency and control — and a way to earn customer loyalty.
TL; DR: Now’s the time to consider privacy innovations that help you not just comply but also leap ahead. Data portability, transparency and control, can earn you the trust (and loyalty) of your customers.
Future proof your business against a national privacy law
Absent a national law, California’s robust privacy regulations will likely shape the conversation around federal privacy regulations. It remains to be seen whether politicians will react by prioritizing a national law or if California will set the pace for everyone else.
One thing’s for certain: It’s a new dawn for data privacy in America. And it’s about time! Everyone deserves privacy — and our digitally-connected ecosystem must evolve to accommodate both privacy and profit. This isn’t an idealistic pipe dream; rather, it’s the most exciting business challenge of the coming decade.
I see the new privacy framework as an accelerant to a more responsible and user-centric approach across the digital ecosystem. Ultimately, our business models will strengthen, as will our bonds with customers. It’s a win-win; we just have to put in the work now to be ready for our inevitable privacy-first future.