Privacy expert Sarah Bruno breaks down how the California Privacy Rights Act will affect the U.S. privacy landscape
Subscribe: Apple Podcasts • Spotify
To anyone hoping that California’s updated privacy law would help to simplify privacy compliance in the U.S., sorry. That doesn’t seem to be the case. Instead, the California Privacy Rights Act (CPRA), which takes effect on Jan. 1, seems set to muddy the privacy landscape even more.
“CPRA is this unique kind of beast that has complicated privacy significantly for organizations in the U.S.,” said Sarah Bruno, a partner at the law firm Reed Smith, on the latest Digiday Podcast.
One aspect of the CPRA needing clarification is the difference between the law’s “contractor” and “service provider” labels. “A contractor is a company that you make data available to, and a service provider’s a company that processes the data on your behalf. That’s not super clear, is it? We need more clarity on that,” Bruno said.
The CPRA does clarify some aspects of California’s existing privacy law, the California Consumer Privacy Act (CCPA), which took effect in 2020. It covers the sharing of data for cross-contextual behavioral advertising purposes, which helps to resolve the CCPA’s Rorschach-esque definition of sale that caught Sephora in the crosshairs of California’s attorney general.
The CPRA’s addition of sharing data has “eliminated the question that we had with [the CCPA’s definition of] sale,” said Bruno.
Besides, for as much as the CPRA may mix up the U.S. privacy picture for companies, the more prominent complicating factor remains the absence of a comprehensive federal privacy law. “We’re still going to have these nuances until there’s a federal law that addresses this,” Bruno said.
Here are a few highlights from the conversation, which have been edited for length and clarity.
Enforcement expectations
I do think we’re going to see a lot more enforcement. I’m certainly hoping for a softer start similar to letters being written, opportunity for companies to defend. But I do think we’re going to see a lot more enforcement and more quickly than we did under CCPA. With CCPA, there was a right to cure. There’s no longer a right to cure.
The Sephora repercussions
The Sephora decision was another one that I think allowed a lot of these internal legal departments to suddenly be like, “Look, this is important.” There’s now decisions coming out of California as a result of somebody making a quick decision under CCPA at some point. Now there’s more thoughtful analysis with respect to the data flows and how they’re being used.
A patchwork of state-level privacy laws
Each state has unique requirements. The definition of sensitive personal information is different in the states. So you’ve got to do your data inventory and check the boxes for each state and then consider what compliance measures you have to do. It’s brutal for these companies.
The potential for a U.S. federal privacy law
The political climate obviously dictates this a lot. I think what’s going on with the Dobbs decision [through which the Supreme Court overturned Roe v. Wade], things like that may trigger additional thought with respect to consumer privacy and a need for there to be a more consistent framework across all states and federally. But I have not heard anything to indicate that’s papered at this point.
More in Marketing
Key takeaways from Digiday’s 2024 Gaming Advertising Forum
Now that gaming has gone from a buzzword to a regular presence in brands’ media mix, marketers are more closely scrutinizing the value and ROI of their investments in this channel — and the platforms are rising to the challenge. Here are some of the biggest takeaways from this week’s Gaming Advertising Forum.
‘The most controversial rebrand of the year’: Understanding the tightrope that legacy brands like Jaguar walk during a rebrand
Jaguar’s attempt at a sleek, ultra-modern rebrand replete with art-house aesthetics has been the talk of the water cooler – excuse me, LinkedIn – this week.
The Trade Desk finally confirms it: Meet Ventura, the OS to cement its grip on CTV
The Trade Desk is indeed building a CTV operating system. So much for shutting down those rumors. Weeks ago, CEO Jeff Green insisted they were off-base.