5 Essential Things Every Marketing Leader Must Know Before July 2023 to Navigate the New Privacy Frontier
As we draw closer to July 2023, we’re standing at the precipice of a new era in data privacy. Stringent regulations redefine how we gather, handle, and leverage consumer data.
To help marketing leaders grasp the nuances of these new privacy laws, stay compliant, and bolster the trust your consumers place in you, here are the top 5 things you must be cognizant of ahead of July 1, 2023
1. The Enforcement of the California Consumer Privacy Rights Act (CPRA)
The CPRA, which became effective January 2023, will now be enforced starting July 1, 2023.
CPRA builds upon the foundations of the CCPA, introducing an entirely new category of data—“sensitive personal information” (SPI). This is data that is subject to strict protection guidelines and includes very intimate details about your users.
What exactly is SPI?
- Social security, driver’s license, state ID card, or passport numbers.
- Account log-in credentials, financial account numbers, debit or credit card numbers, along with any related security codes, passwords, or credentials permitting access to an account.
- Precise geolocation data.
- Racial or ethnic origin, religious or philosophical beliefs, or union membership.
- Contents of a consumer’s physical mail, email, and text messages, unless the business is the intended recipient.
- Genetic and biometric information processed to uniquely identify a consumer.
- Personal information collected and analyzed regarding a consumer’s health, sex life, or sexual orientation.
As you see SPI can be used to determine things like a person’s opinions, personal preferences, or additional susceptible details that could lead to fraud, identity theft, or other harm if the data is leaked, breached, or compromised. Regulations under the CPRA can further update or add categories of sensitive personal information to adapt to changing technology, data collection practices, implementation obstacles, and privacy concerns.
It’s crucial to note that consumers now have the right to limit the use and disclosure of their sensitive personal information, and businesses are required to provide explicit disclosures on their data handling practices.
The CPRA also mandates businesses to provide an opt-out option for consumers from “sharing” data, expanding beyond the “selling” data principle.
2. The Broadening Scope of Privacy Laws: Virginia, Colorado, and Connecticut
The Virginia Consumer Data Protection Act (VCDPA) extends to brick-and-mortar businesses. The Colorado Privacy Act (CPA), effective from July 1, 2023, encompasses non-profit entities, while the Connecticut Data Privacy Act (CDPA), also effective from July 1, 2023, does not apply to non-profits. These laws demonstrate a trend towards wider application of data privacy regulations, indicating the need to revisit and adapt data handling practices across all marketing avenues.
3. Advanced Consent for Sensitive Data
The VCDPA, CPA, and CDPA arguably have stricter requirements than the CPRA. These states prohibit the processing of sensitive data without first securing consumers’ Opt-In consent. As a marketing leader, you must ensure that you have explicit consent before collecting or processing data that reveals racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship status, genetic or biometric data, personal data from a known child, or precise geolocation data.
California does not have an explicit opt-in requirement for the processing of sensitive personal information, but practically speaking, they appear to be treating this as an opt-in requirement.
4. Opt-Out and Disclosure Obligations for Targeted Advertising
Consumers in California, Virginia, Colorado, Utah, and Connecticut have the right to opt-out of the processing of personal data for targeted advertising, and businesses are obligated to disclose these practices. The CPRA has a similar stipulation related to “cross-context behavioral advertising” and equates sharing of personal information for such advertising to a “sale”. It’s vital to ensure your marketing strategies and technologies enable these consumer rights and transparency.
5. The Rise of ‘Touchless’ Opt-Out Signals
California, Colorado, and Connecticut require the acceptance of “touchless” opt-out choices, like the Global Privacy Control (GPC). California now requires this, and Colorado and Connecticut will soon require it.
Connecticut laws require businesses to honor ‘touchless’ opt-out signals, such as the GPC. These signals present an unobtrusive way for consumers to express their privacy preferences, and your marketing technologies need to be adept at recognizing and respecting them. Starting January 2025, Connecticut will mandate businesses to provide an “opt-out preference signal” option. Meanwhile, starting July 2024, Colorado will require recognition of a “universal opt-out” mechanism
As we journey through this evolving privacy landscape, these new privacy laws are more than just compliance checkboxes. Not only are they a testament to your commitment to consumer privacy, but are mandatory to avoid fines and bad press. Embrace them to refine your marketing practices, fortify consumer relationships, and lay the foundations of a brand that prizes privacy. It can all feel overwhelming, but we are here to help! Read our ultimate guide – Top 5 Reasons Marketers Need to Implement Consent Management to learn more about how your organization can start to develop deeper customer relationships and build personalized experiences.