Privacy expert Sarah Bruno breaks down how the California Privacy Rights Act will affect the U.S. privacy landscape
Subscribe: Apple Podcasts • Stitcher • Spotify
To anyone hoping that California’s updated privacy law would help to simplify privacy compliance in the U.S., sorry. That doesn’t seem to be the case. Instead, the California Privacy Rights Act (CPRA), which takes effect on Jan. 1, seems set to muddy the privacy landscape even more.
“CPRA is this unique kind of beast that has complicated privacy significantly for organizations in the U.S.,” said Sarah Bruno, a partner at the law firm Reed Smith, on the latest Digiday Podcast.
One aspect of the CPRA needing clarification is the difference between the law’s “contractor” and “service provider” labels. “A contractor is a company that you make data available to, and a service provider’s a company that processes the data on your behalf. That’s not super clear, is it? We need more clarity on that,” Bruno said.
The CPRA does clarify some aspects of California’s existing privacy law, the California Consumer Privacy Act (CCPA), which took effect in 2020. It covers the sharing of data for cross-contextual behavioral advertising purposes, which helps to resolve the CCPA’s Rorschach-esque definition of sale that caught Sephora in the crosshairs of California’s attorney general.
The CPRA’s addition of sharing data has “eliminated the question that we had with [the CCPA’s definition of] sale,” said Bruno.
Besides, for as much as the CPRA may mix up the U.S. privacy picture for companies, the more prominent complicating factor remains the absence of a comprehensive federal privacy law. “We’re still going to have these nuances until there’s a federal law that addresses this,” Bruno said.
Here are a few highlights from the conversation, which have been edited for length and clarity.
Enforcement expectations
I do think we’re going to see a lot more enforcement. I’m certainly hoping for a softer start similar to letters being written, opportunity for companies to defend. But I do think we’re going to see a lot more enforcement and more quickly than we did under CCPA. With CCPA, there was a right to cure. There’s no longer a right to cure.
The Sephora repercussions
The Sephora decision was another one that I think allowed a lot of these internal legal departments to suddenly be like, “Look, this is important.” There’s now decisions coming out of California as a result of somebody making a quick decision under CCPA at some point. Now there’s more thoughtful analysis with respect to the data flows and how they’re being used.
A patchwork of state-level privacy laws
Each state has unique requirements. The definition of sensitive personal information is different in the states. So you’ve got to do your data inventory and check the boxes for each state and then consider what compliance measures you have to do. It’s brutal for these companies.
The potential for a U.S. federal privacy law
The political climate obviously dictates this a lot. I think what’s going on with the Dobbs decision [through which the Supreme Court overturned Roe v. Wade], things like that may trigger additional thought with respect to consumer privacy and a need for there to be a more consistent framework across all states and federally. But I have not heard anything to indicate that’s papered at this point.
More in Marketing
Marketing Briefing: What recent earnings for P&G, Unilever and Coke say about where the industry is headed
We read the corporate tea leaves to decipher some of the marketing trends and potential headwinds that executives at Unilever, Procter & Gamble and The Coca-Cola Company detailed during their earnings calls.
Why Roblox’s Clip It is using its billion-view moment to launch an ad product
The user experience of “Clip It” is similar to that of platforms such as TikTok and YouTube Shorts, allowing Roblox users to view, create and share short-form videos of their in-game avatars. Since launching in March 2024, it has rapidly become one of the most popular experiences on Roblox.
Inside the strategy that grew Cristiano Ronaldo’s YouTube account to 1M subscribers in 90 minutes
Ronaldo has created the largest sports-themed YouTube channel on the web in two months – but he’s not done it alone.