The General Data Protection Regulation wasn't the only sweeping privacy regime signed into law in 2018. That same year, the California Consumer Privacy Act (CCPA) was set in motion, which went live in 2020 and will soon be replaced by the California Privacy Rights Act (CPRA).
The CPRA (aka CCPA 2.0) expands red tape directives and gives enforcement watchdogs more teeth to protect information privacy rights worldwide.
If you’re unable to maintain CPRA compliance by 2022 and your organization falls victim to a data breach, you’ll suffer devastating financial blows, and your reputation as a trusted collective-action organization will take a hit come 2023. Avoiding the scourge of CPRA violations requires a transparent privacy culture backed by robust information security programs.
Here, we’ll run through a point-by-point checklist to get your association website fully compliant with the new California privacy law as well as the GDPR and other regulatory developments. We’ll also walk through how you can roll out a solid digital governance plan to remove barriers, improve trust, and achieve sustainable membership growth.
Let's get started!
The CPRA expands and overhauls the preexisting California privacy act under CCPA. The new CPRA empowers individuals around the world with groundbreaking autonomy over personal information, such as the right to prohibit public disclosure of private facts and the right to correct and fully control individual data.
CPRA goes into effect on January 1, 2023. Enforcement will start on July 1, 2023 and apply to all personal information collected on or after January 1, 2022.
In other words, CPRA encompasses data that isn’t specific to an individual but could be indirectly tied back. Such “extra-personal” information is categorized as “household data.”
Its far-reaching, extraterritorial legal power extends to a panoply of data processing and management applications that transcend boundaries.
Under the new California privacy law, your web users and CPRA consumers have additional rights not included under the CCPA. New CPRA provisions include the right to:
If you gather information or use tracking cookies in any way on your website, it’s time to become compliant with, and an advocate of, information privacy rights. Here’s how:
Map out the types of personal information and sensitive personal information (if any) your organization and any third-party vendors are processing or holding on your behalf. During this data-mapping exercise, consider:
Analyze the different visitor profiling or tracking activities conducted on your sites.
Create a comprehensive disclosure notice and commit to updating it annually. Include the following in your notice:
Revisit and implement all privacy rights processes and mechanisms on your site, mobile apps, and privacy policy.
Establish a channel and online platform for users to submit personal information requests, as well as a process to fulfill them.
Whether you’re selling personal information or not, the consensus is that all websites that collect data or use cookie tracking should adhere to the stricter GDPR standards.
General Data Protection Regulation (GDPR) requires your website to inform web users right away if you’re using cookies or trackers in any way (e.g. Google Analytics). You must also obtain prior consent and have a legal basis for all data processing activities. Under the CCPA/CPRA, web users need to be able to opt out of data disclosure, not tracking overall.
So what happens if you’re collecting data of members or web visitors in California or the EU?
Cybersecurity attorneys, data innovation groups, and digital think tanks agree that complying with GDPR ASAP and maintaining these stringent standards is the solution – practically, economically, and ethically. Policy institutes and digital transformation masterminds across the web support this integrated compliance solution as well.
There are also software services with (consent-approved) geo-targeting and automation tools to enable multiple, up-to-date website experiences in compliance with the appropriate rule-making authority/authorities.
If granted consent, you can also use automated geo tracking to show visitors in the EU a GDPR-compliant cookie banner and Californians a CPRA/CCPA-compliant declaration to further tailor their experience.
Given the cost and impracticality of maintaining multiple policies, you should also develop a transparent IT and digital governance plan to establish your organization’s privacy culture.
Regardless of the exact procedures you choose, you should establish a robust digital governance framework. Then publish it on your website so it’s easily accessible and visible.
Your digital/IT governance plan should:
You may even incorporate your digital/IT governance processes and practices within your privacy policy page, unless it creates an overwhelming user experience.
If the amount of personal data you collect reaches a certain threshold, you may also want to appoint a dedicated point person to oversee your compliance practices and the integrity and continuous improvement of your digital governance processes and procedures.
The landmark California Privacy Rights Act closes potential loopholes in the California Consumer Privacy Act, and in many ways, brings the multidimensional California privacy law closer to the stricter GDPR standard.
The CCPA was signed into law in 2018 and became effective on January 1, 2020. Enforcement began shortly after on July 1, 2020, and further CCPA regulations and modifications were issued that same year.
The CPRA is a ballot proposition approved on November 3, 2020. The CPRA will replace the CCPA in 2023, but from the start of 2022, personal information practices will fall under the expanded CPRA standards.
The CPRA adds new protections and stricter obligations than the CCPA. For example, the CCPA established the right to know and delete personal information. The CPRA provides the right to correct this information, as well. There are also new policies related to data minimization, as well as streamlined data portability privileges for information transfers.
The CPRA expands breach liability and the private right of action, as well. For instance, it covers breaches that provide unauthorized access to an email address and password or security question. There are also triple fines for violations involving minors’ data, as well as increased penalties for intentional non-compliance, whether or not a data breach occurs.
The CPRA extends and clarifies the use cases for which consent is required. Consent is newly defined as a “freely given, specific, informed and unambiguous indication.”
Given the new affirmative consent standard, you may need to implement consent mechanisms on your website, mobile apps, and privacy policy for the following use cases:
Due to its low applicability threshold, the CPRA applies to for-profit businesses, regardless of physical location, doing business in the US. There are three ways an organization could be defined as a “business” under the CPRA:
Nonprofits are currently exempt from the CCPA and CPRA. However, there is a growing expectation that nonprofits must respect user data when requested, especially with evolving regulations around the world and data privacy concerns gaining steam.
Whether “exempt” or not, your organization should also be aware of the policies and practices of all vendors, providers, and agencies.
When CCPA 2.0 becomes operative, we can expect greater clarity on the party directly or indirectly responsible for managing user requests, which should be detailed in vendor contracts and service agreements.
Essentially, if you have more than $25M in annual revenue, and your professional association collects information on the behaviors, engagements, and preferences of your members, constituents, partners, donors, patrons, event attendees, exhibitors, sponsors, newsletter subscribers, customers, or web visitors, then you must achieve and maintain CCPA/CPRA compliance.
Beyond your website or digital experience platform (CMS vs. DXP), any software system, application, or tool that collects information on members, nonmembers, or any other user of that system must also become compliant and maintain that standing.
This may include your AMS/CRM, LMS, community site, trade show site, scholarly publishing site, and beyond.
Failure to maintain compliance can result in fines up to $2,500 for each unintentional violation. There is up to a $7,500 fine per intentional violation and each violation of minors’ data (children under the age of 16).
Enforcement begins on July 1, 2023. Violations are publicly visible and searchable on California’s data breach search database. You can search by the violating organization and/or date of breach.
CPRA established a new regulatory muscle, the California Privacy Protection Agency, with judicious amounts of discretionary power over the CCPA and CPRA.
The five-member regulatory authority promises more oversight and costly fines for invasions of privacy and other compliance violations. The Agency will take over administrative enforcement responsibilities from the current regulator, the California Attorney General, on July 1, 2023 (six months after the CPRA effective date).
CPRA introduces a specific set of ‘special categories’ that must be treated with extra security. This so-called “sensitive personal information” helps to prioritize enforcement resources and penalties and prevent high-risk violations and high-impact scenarios.
This data category is similar to the European Union’s GDPR definition of personal data and stricter than the former CCPA definition of personal information.
Under the CPRA, sensitive personal information includes traditionally confidential identifying information, like social security number, driver’s license, and banking/financial account information. It also includes exact geolocation, race/ethnicity, religion and more.
Sensitive personal information under the new CPRA protections is subject to restrictions on its use, disclosure, and purpose.
Under CCPA/CPRA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The multidimensional ecosystem of privacy laws has sweeping consequences for your association website, and new rule-making shows no sign of a slowdown.
To date, more than two dozen states have proposed or passed comprehensive data protection laws or amendments to existing laws. Beyond California, New York, Virginia, Colorado, Maine, and Nevada are among those driving U.S. information privacy frameworks.
Not to mention the international layer of overlapping regulations, including evolving GDPR requirements and the new Personal Information Protection Law (PIPL), which is China’s first omnibus directive on individual privacy rights.
The PIPL not only has a broad jurisdictional scope and catch-all provisions to further expand cross-border applicability, but it also includes new “separate consent” requirements and other systematic obligations.
This so-called Era of Privacy has dramatically shifted perceptions and behaviors in recent years. Heightened awareness and public pressure have placed a high premium on digital governance, planning, and information transparency.
Today, you need a thoughtful, end-to-end framework that integrates all of your IT activities, not just data security, protection, and risk management practices. Your organization’s internal structures need to be reoriented to usher in secure IT environments and transparent processing practices.
The best way to prepare your website for CPRA compliance – while getting up to snuff with the PIPL and the layered, burgeoning privacy landscape – is to comply with GDPR standards. For the most part, the GDPR is still the go-to multi-standard compliance strategy.
Alternatively, consider investing in compliance software for your website. It’ll help you manage the nuances and discrepancies of an evolving rule-making environment, all in one place. However, becoming cyber smart in today’s data economy and the era of privacy requires a long-term approach.
Forward-looking organizations are realizing the need to adopt a strong, scalable privacy culture focused on digital/IT governance and transparency. Need help getting up to speed? Start the conversation here.