CCPA to CPRA: Why You Should Start Preparing for 2023 Now

Starting on Jan. 1, 2023, the California Privacy Rights Act (CPRA) will replace the legacy California Consumer Privacy Act (CCPA) with an added layer of consumer protection regulations that will limit the processing, deletion, and access of the sensitive personal information of any California consumer, employee, job applicant, and contractor.

But the closer we get to 2023, the more questions arise from stakeholders and companies about what compliance changes await us next year, along with what will remain of the landmark CCPA regulation.

Setting the Stage: CCPA vs. CPRA

As evident in the graph below, CPRA will include limitations and regulations originally enforced by the CCPA. In addition, it will add specific types of new amendments to each category covered by the CCPA, enabling a more comprehensive overview of grey areas in data privacy.

These new amendments can mean different things for different organizations, but if you operate in the lead generation and distribution industry — as a publisher, advertiser, or as part of an affiliate network — now is the right time to start preparing for 2023.

But before we get to the “why,” let’s dive deeper into the current state of CCPA compliance across industries.

The State of CCPA Compliance: A Dire Need for a Change

A recent CYTRIO study found that of the 6,745 U.S. companies reviewed for compliance, an overwhelming 90% were unprepared to meet CCPA and CPRA requirements as of March 31 of this year.

With penalties on the horizon for non-compliance, companies should be scrambling in search of strategic and technological solutions to ensure CCPA compliance. Here’s a breakdown of how businesses can avoid penalties by preparing for these new regulations, set to take effect in just under seven months.

Issues Related to Non-compliance

The most glaring issue related to CCPA regulations is companies not complying with Data Subject Asset Requests (DSAR). A DSAR gives data subjects the right to ask companies what personal information of theirs has been collected and stored, as well as how that information will be used or is currently being used. CCPA requires that companies respond to a DSAR within 45 days from the date the request is received.

Companies that fail to respond to a DSAR request within the 45-day timeframe are subject to penalties. However, the CYTRIO research found that less than 10% of companies — some 9.76% — had deployed a CCPA DSAR management automation solution during the first quarter of 2022.

Even more concerning is that this represents a drop from the 11% of companies that automated their DSAR processes during the previous quarter.

Does this mean that companies have de-prioritized consumer compliance? Studies suggest just that.

Further compounding the issue of failing to comply with DSAR management is that many companies do not provide a system for consumers to exercise their data privacy rights, despite these same companies stating within their privacy policies that they are entirely CCPA compliant.

Considering that DSAR requests coming from data aggregators are increasing in frequency and volume — with most requests being Right to Delete (erasure of data) — challenges facing non-compliant companies are only getting worse.

The Journey Towards Compliance

Issues related to non-compliance represent only half of the uphill battle facing the above companies. The other half of the battle is for these companies to make progress toward becoming compliant.

The CYTRIO research revealed that deploying an automated solution was another obstacle facing non-compliant companies. According to a poll cited within the research, 63% of respondents said cost was the primary factor holding them back from deploying an automated privacy rights management solution; deployment complexity followed at 22%.

However, companies can become compliant with CCPA regulations by implementing white label solutions such as Phonexa’s Opt-Intel, designed to help marketers with suppression list management and email compliance.

Compliance Solutions Within Opt-Intel

So, how does Phonexa come into the big picture of compliance? Offering software solutions that provide peace of mind to those looking to strengthen their data security infrastructure conducts better data hygiene.

The following are just some of the comprehensive features within Opt-Intel that securely streamline consumer data transfers and preferences when it comes to email and SMS communication, thus ensuring CCPA compliance:

• Compliance notifications: Keeps users in the loop on all of their compliance concerns with constant notifications and other tools that identify inconsistencies while keeping users aware of any CAN-SPAM violations
• Opt-out domain white-labeling: This feature allows users to maintain email hygiene using tools and customizable options for opt-out
• Secure, automated data transfers: This functionality lets users send critical data to partners (networks, publishers, and advertisers) without compromising consumer information

The Timeline Going Forward

A considerable part of implementing new CCPA tactics comes with the need to be up-to-date with transition timelines. Here are some datelines you should know:

• July of 2022: All companies should satisfy risk assessment requirements
• January of 2023: CPRA takes effect
• January of 2023 and onwards: The CPRA will be enforced with a 12-month lookback on consumer requests back to January 1, 2022

Final Thoughts

Ultimately, the new CPRA will apply to startups and other companies making at least 50% of their annual revenue from selling or sharing California-based consumers’ PI or personal information. Companies that don’t comply with amended regulations will be fined.

Adapting digital software tools like Opt-Intel will secure consumer protection compliance for lead generators and marketers. It will do so by streamlining automated data transfers, providing error checkpoints, and communicating compliance messages and tips. With Opt-Intel by Phonexa, the days of data vulnerability and fear of non-compliance are gone.

Schedule a consultation to learn more about how Opt-Intel can be paired with your tech stack and other marketing automation tools to ensure better data compliance for your business.