The new California Privacy Rights Act (CPRA) builds upon the California Consumer Privacy Act (CCPA) that went into effect in 2020. CPRA will bring a level of privacy rights similar to those afforded under GDPR to the 40M residents of California. Although much of the language in the CPRA legislation targets B2C marketing programs, it applies to B2B marketing programs as well starting January 1, 2023. B2B marketing organizations should begin planning for CPRA and considering the various issues that will need to be addressed to ensure compliance.
Note: This article is not intended to provide an explanation of the regulations, but rather to discuss practical implementation matters relevant to B2B marketing leaders.
California Consumer Privacy Act
Effective January 1, 2020, the CCPA empowered consumers with a few key privacy rights such as:
- The right to opt out of the sale and disclosure of their personal data by clicking on the “do not sell my information” links on corporate websites.
- The right to ask businesses to share what personal information is being collected about them, how it is processed, and with whom it is shared.
- The right to request businesses delete the personal data they have on file.
California Privacy Rights Act
Approved by voters in November 2020, the CPRA expands upon the CCPA rules with new principles such as:
- Consumers have the right to not only request to access and delete the personal data held about them, but to request corrections about the data as well.
- Consumers have the right to not only request that their information is not sold, but to opt out of data sharing as well. Specifically, consumers can opt out of automated decision-making technology used for profiling and behavioral advertising.
- CPRA requires businesses to minimize the personal data collected to only what is necessary and to not store it for an excessive period of time.
- Businesses must perform an annual cybersecurity audit with an independent third party and perform a risk assessment about their use of personal data.
- A new regulatory agency called the California Privacy Protection Agency (CPPA) is being created to enforce the regulations.
Here is a link to a good comparison of CPRA and CCPA.
As with all privacy regulations, CPRA does not provide specific instructions on exactly what marketers must do to comply. Instead, much of the language in the CPRA is principle oriented, leaving businesses with some level of flexibility. However, along with the flexibility comes ambiguity. There currently are more questions than answers for CPRA, many of which will not be answered until enforcement begins. In the meantime, marketers will need to do their best to comply with CPRA even though there are still many aspects of the regulation which are unclear. In this article, we will discuss the six aspects of CPRA that are most relevant for B2B marketers in the technology sector.
1) Rights to Access, Erasure, and Correction of Personal Data
The current CCPA regulations empower consumers to formally request details about their personal data from businesses. Consumers can ask which data fields are collected, how the data is used, and who has access to it. Personal information might include fields such as name, postal address, email address, account name, IP address, and other unique personal identifiers. It also includes behavioral data such as browsing history, search history, or interaction with a website or advertisement.
Under CCPA, consumers can also request that the personal data about them be erased. The new CPRA regulations extend consumers’ rights to also include the ability to request corrections to their data.
Questions for B2B marketers to consider about CPRA:
- Do you have a process for customers to request details about the data being collected about them? Do you have a process for accepting requests for correction or erasure?
- What channels will you use to capture these requests? A web form? An email alias? A postal mail address? A toll-free phone number?
- How do you verify that the individual submitting the request is actually the person they are claiming to be? In other words, how do you perform identity verification?
- Are you able to track the data that you are sharing with external business partners should the individual later request access, erasure, or correction of the data? Do you have a process to execute these requests?
2) Do Not Sell and Do Not Share
Under the current CCPA regulations, businesses are required to offer consumers an easy way to opt out of the sale of data collected in web forms, cookies, and other tracking technologies. Almost every website has a “do not sell my information” link in its footer specifically designed to comply with CCPA for California residents. The new CPRA rules extend consumers’ rights to not only opt out of the sale of personal data, but also out of the sharing of that information.
Consumer marketing has become heavily reliant on both selling and sharing consumer data to enable the types of behavioral advertising that have become popular across the web. Selling of personal data is less common in B2B marketing than it is in B2C. However, “sharing” is quite common in B2B. Examples of data sharing for B2B marketing programs include:
- Prospecting Agencies – External telemarketing agencies that are performing prospecting services using data sourced from your CRM.
- Partner Co-Marketing – Joint webinars with go-to-market partners for which the registration and attendee lists are shared with both parties.
- Event Sponsorships – User conferences at which your go-to-market partners pay sponsorship fees and receive attendee personal details as part of the package.
- ABM Campaigns – Direct mail fulfillment houses that ship to prospects on your behalf based upon contact data that is sourced from your CRM.
- Data Services – List cleansing services that analyze all the email addresses in your marketing database to identify those no longer in use.
- Sales Intelligence – Data appends to the contacts in your CRM that are performed by matching personal data with external sales intelligence services.
Questions for B2B Marketers to consider about CPRA:
Data Collection Processes
- Do you have a link on your website that allows consumers to opt out of sharing or selling personal data?
- Are you able to track which contacts in your CRM have opted out of the sharing or selling of data with third parties?
Data Shared Externally
- Which external business partners do you share personal data with? Which attributes?
- Do you have a process for filtering out contacts that have elected “do not share” from joint projects with external partners?
Data Sourced Externally
- Which go-to-market partners do you source personal data from? Do you have policies and controls in place?
- Do you license personal data from sales intelligence vendors? Do they comply with CPRA?
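The questions above about tracking opt-outs, filtering “do not share” contacts out of partner projects, and (from section 1) knowing which partners received a record when an erasure or correction request arrives later, all come down to one export routine. The following is an added example, not code from the article: it builds a partner-facing export that honors do-not-sell and do-not-share flags, limits each program to the attributes it actually needs, and keeps an audit trail of what went to whom. The CRM field names, the program definitions, and the contact records are constructed assumptions.

```python
"""
Added example (not from the article): building a partner-facing export that
honors do-not-sell / do-not-share opt-outs, shares only the attributes a
program needs, and records what went to whom so later access, correction or
erasure requests can be propagated. CRM field names, program definitions and
contact records are constructed assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Contact:
    contact_id: str
    email: str
    first_name: str
    last_name: str
    employer: str
    job_title: str
    street_address: str
    state: str
    country: str
    do_not_sell: bool = False   # assumed CRM flag set via the "do not sell/share" link
    do_not_share: bool = False  # assumed CRM flag set via the same link


@dataclass(frozen=True)
class ShareProgram:
    name: str
    partner: str
    allowed_fields: FrozenSet[str]  # least privilege: only what the program needs
    is_sale: bool                   # True when the partner pays for the data


# Constructed program catalogue; a real one would live in the CRM or a data-sharing register.
PROGRAMS: Dict[str, ShareProgram] = {
    "partner_webinar": ShareProgram(
        "partner_webinar", "Constructed Webinar Partner",
        frozenset({"first_name", "last_name", "employer", "job_title", "email"}), is_sale=False),
    "event_sponsorship": ShareProgram(
        "event_sponsorship", "Constructed Sponsor Co",
        frozenset({"first_name", "last_name", "employer", "job_title", "email"}), is_sale=True),
    "direct_mail": ShareProgram(
        "direct_mail", "Constructed Fulfillment House",
        frozenset({"first_name", "last_name", "employer", "street_address", "state", "country"}),
        is_sale=False),
}


def eligible(contact: Contact, program: ShareProgram) -> bool:
    """A do-not-share opt-out blocks every external program; do-not-sell also blocks sales."""
    if contact.do_not_share:
        return False
    if program.is_sale and contact.do_not_sell:
        return False
    return True


def build_partner_export(contacts: List[Contact], program_name: str
                         ) -> Tuple[List[Dict[str, str]], List[Dict[str, object]]]:
    """Return (rows to send to the partner, audit entries recording the disclosure)."""
    program = PROGRAMS[program_name]
    rows, audit = [], []
    for contact in contacts:
        if not eligible(contact, program):
            continue
        full = asdict(contact)
        rows.append({k: full[k] for k in sorted(program.allowed_fields)})  # attribute minimization
        audit.append({"contact_id": contact.contact_id, "partner": program.partner,
                      "program": program.name, "fields": sorted(program.allowed_fields)})
    return rows, audit


def partners_holding(audit: List[Dict[str, object]], contact_id: str) -> List[str]:
    """Partners that received this contact: the list to notify on erasure or correction."""
    return sorted({entry["partner"] for entry in audit if entry["contact_id"] == contact_id})


# Constructed sample records (not real people).
SAMPLE_CONTACTS = [
    Contact("C-0001", "ana@example.com", "Ana", "Lopez", "Example Corp", "CISO", "1 Main St", "CA", "US"),
    Contact("C-0002", "bo@example.com", "Bo", "Nguyen", "Example Corp", "IT Manager", "2 Main St", "CA", "US",
            do_not_share=True),
    Contact("C-0003", "chen@example.com", "Chen", "Wang", "Sample LLC", "VP Engineering", "3 Oak Ave", "NY", "US",
            do_not_sell=True),
    Contact("C-0004", "dee@example.com", "Dee", "Patel", "Sample LLC", "Analyst", "4 Oak Ave", "TX", "US"),
]

if __name__ == "__main__":
    webinar_rows, webinar_audit = build_partner_export(SAMPLE_CONTACTS, "partner_webinar")
    sponsor_rows, sponsor_audit = build_partner_export(SAMPLE_CONTACTS, "event_sponsorship")
    print(len(webinar_rows), "contacts shared for the webinar;", len(sponsor_rows), "sold to the sponsor")
    print("C-0001 held by:", partners_holding(webinar_audit + sponsor_audit, "C-0001"))
```

The audit trail is the piece most teams lack: without it, an erasure request can be honored in the CRM while copies of the record live on at every partner that ever received an attendee list.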
3) Automated Decision-Making Technology
One of the most interesting parts of the new CPRA regulations is the right of consumers to request details about “automated decision-making.” As a result, businesses will be expected to supply consumers with the scenarios under which algorithms are used, the specific business logic invoked, and the potential outcomes of different decision trees. Consumers also have the right to opt out of marketing programs that involve automated decision-making. Examples of automation in B2B marketing programs include:
- Behavioral Advertising – Campaigns based upon historical web browsing habits.
- Lead Scoring – Algorithms that drive the level of engagement the sales and marketing team performs.
- Content Personalization – Served in real-time on a website page.
- Lead Nurturing – Programs that activate specific campaigns based upon historical behavior.
Questions for B2B Marketers to consider about CPRA:
- Which business processes might be considered automated decision making? Behavioral advertising, lead scoring, lead nurturing, and website personalization?
- Do you capture the different decisions that have been made throughout a customer lifecycle by various marketing systems?
- Can you track which contacts have opted out of automated decision-making programs?
- How will you disable automated decision-making for those contacts who have opted out across advertising, websites, email, and other digital channels?
4) Data Minimization and Storage
Another aspect of CPRA relates to the amount of data collected and the length of time it is retained. Businesses are encouraged to minimize the amount of personal information collected and use only that which is reasonably necessary to complete the relevant business processes. CPRA also states that the data should only be stored for the length of time needed to complete the business processes. B2B marketing organizations typically collect more data than is necessary to perform sales and marketing activities. Most hold onto the data longer than necessary as well. Examples include:
- Form Data – It is common to see landing pages with forms collecting 10 fields from each lead including details such as business address that are rarely, if ever, used. The country and state fields of the address are needed for lead routing and data privacy policies, but street address and number are rarely used unless a direct mail program is executed.
- Behavioral Data – Marketing automation platforms capture lots of behavioral data about web browsing activities, email clickthroughs, and content consumption. However, only a small fraction of the data collected is actually used to score leads and perform prospecting activities.
- Retention Periods – Most marketing professionals measure the strength of their programs by the size of their database, which encourages hoarding of excess personal information. Many B2B marketing systems are littered with tens of thousands of obsolete contact records for prospects that have switched jobs but were never purged from the database.
Questions to consider regarding CPRA include:
- How would you explain the business purpose for which you are collecting, using, and retaining the personal data of prospects and customers?
- How long should personal information be retained for contacts that are not engaged in sales or marketing programs? Three months? Six months? Twelve months?
- What form fields need to be captured on landing pages to perform processes such as lead routing, scoring, nurturing, and attribution?
- What behavioral intelligence data needs to be collected before and after a contact reaches MQL, SQL, and customer status?
- How long should records be retained for users? After an SDR engages a customer, is it necessary to collect details such as user IP address, date/time stamp, and visitor duration on web pages? Or is less detail about the channels used and content consumed sufficient?
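The retention and minimization questions above only get answered once they are written down as a policy that a job can apply to the database. The following is an added example, not code from the article: a small retention routine that purges unengaged non-customer contacts after a fixed inactivity window, leaves records under legal hold alone, and strips the fine-grained behavioral detail (IP address, page duration) once it has aged out or once the contact is SDR-engaged, keeping only the coarse channel and content fields. The thresholds, stage names, field names and sample records are constructed assumptions, not values the article prescribes.

```python
"""
Added example (not from the article): applying a retention and data-minimization
policy to marketing contact records. Thresholds, stage names and the contact
records are constructed assumptions, not values the article prescribes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class BehavioralEvent:
    occurred_at: datetime
    channel: str                         # coarse detail that is kept: "web", "email", ...
    content: str                         # coarse detail that is kept: page or asset name
    ip_address: Optional[str] = None     # fine-grained detail subject to stripping
    duration_seconds: Optional[int] = None


@dataclass
class Contact:
    contact_id: str
    stage: str                           # assumed lifecycle stages: lead, mql, sql, customer
    last_engaged_at: datetime
    events: List[BehavioralEvent] = field(default_factory=list)
    legal_hold: bool = False             # e.g. an open access request; never purge while set


@dataclass(frozen=True)
class RetentionPolicy:
    inactive_purge_after: timedelta = timedelta(days=365)      # assumed: 12 months unengaged
    detail_strip_after: timedelta = timedelta(days=90)         # assumed: keep IP/duration 90 days
    engaged_stages: frozenset = frozenset({"sql", "customer"})  # once SDR-engaged, drop fine detail


DEFAULT_POLICY = RetentionPolicy()


def retention_action(contact: Contact, now: datetime, policy: RetentionPolicy) -> str:
    """Decide whether a record is held, purged, or retained."""
    if contact.legal_hold:
        return "hold"
    inactive_for = now - contact.last_engaged_at
    if contact.stage != "customer" and inactive_for > policy.inactive_purge_after:
        return "purge"
    return "retain"


def minimize_events(contact: Contact, now: datetime, policy: RetentionPolicy) -> int:
    """Strip IP address and duration from events; return how many events were reduced."""
    stripped = 0
    for ev in contact.events:
        aged_out = (now - ev.occurred_at) > policy.detail_strip_after
        engaged = contact.stage in policy.engaged_stages
        has_detail = ev.ip_address is not None or ev.duration_seconds is not None
        if (aged_out or engaged) and has_detail:
            ev.ip_address = None
            ev.duration_seconds = None
            stripped += 1
    return stripped


def apply_retention(contacts: List[Contact], now: datetime, policy: RetentionPolicy) -> Dict[str, object]:
    """Run the policy over a batch; returns a summary a privacy lead could review."""
    summary: Dict[str, object] = {"purged": [], "held": [], "retained": [], "details_stripped": 0}
    for contact in contacts:
        action = retention_action(contact, now, policy)
        if action == "purge":
            summary["purged"].append(contact.contact_id)   # a real job would delete the row here
            continue
        if action == "hold":
            summary["held"].append(contact.contact_id)     # untouched while the hold is in place
            continue
        summary["retained"].append(contact.contact_id)
        summary["details_stripped"] += minimize_events(contact, now, policy)
    return summary


# Constructed sample data; NOW is a fixed clock so results are reproducible.
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)


def _ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


SAMPLE_CONTACTS = [
    Contact("C-0001", "lead", _ts(2021, 6, 1)),                       # unengaged 19 months: purge
    Contact("C-0002", "mql", _ts(2022, 11, 15), events=[
        BehavioralEvent(_ts(2022, 12, 20), "web", "pricing-page", "203.0.113.7", 95),   # recent: keep detail
        BehavioralEvent(_ts(2022, 8, 1), "email", "newsletter-08", "203.0.113.7"),      # aged: strip
    ]),
    Contact("C-0003", "customer", _ts(2021, 1, 1), events=[           # customer: retain, strip all detail
        BehavioralEvent(_ts(2020, 12, 1), "web", "docs-home", "198.51.100.4", 300),
        BehavioralEvent(_ts(2022, 12, 30), "web", "support-portal", "198.51.100.4", 40),
    ]),
    Contact("C-0004", "lead", _ts(2020, 1, 1), legal_hold=True),      # would purge, but on hold
]

if __name__ == "__main__":
    print(apply_retention(SAMPLE_CONTACTS, NOW, DEFAULT_POLICY))
```

Keeping the coarse channel and content fields while dropping IP address and duration is the compromise the last question above points at: attribution and nurturing still work on “visited the pricing page via email,” and the record no longer carries data that has no remaining business purpose.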
5) Cybersecurity Audit and Risk Assessment
CPRA will require businesses to perform an annual cybersecurity audit with an independent firm to ensure that privacy and security controls are effective. Additionally, businesses will need to submit a risk assessment to the newly created regulatory agency, the California Privacy Protection Agency (CPPA). The assessment will identify the types of personal information being processed and discuss the benefits of collecting the data from the perspective of all stakeholders. These requirements represent a major new compliance burden for marketing organizations as few B2B teams have historically had the need for a cybersecurity audit or risk assessment. Most technology companies undergo regular audits, but the scope typically excludes the Customer Relationship Management systems and Marketing Automation Platforms. The new audit and risk assessment requirements are likely to be a boon to the consulting industry as thousands of businesses will have to scramble to complete the process for the first time in the initial year of compliance.
Questions for B2B marketers to consider with respect to CPRA include:
- Do you have an inventory of all the types of personal data collected about your customers? Can you track the lifecycle of how the data is collected, maintained, updated, and deleted?
- Do you have documented processes, policies, and controls for how personal data is managed in key sales and marketing systems?
- What types of security policies and technologies are in place within the marketing organization to limit unauthorized access to personal information?
- What training programs have been conducted with employees to educate them on the CPRA regulations and their obligations to ensure consumer privacy rights?
- What types of cybersecurity audits and risk assessments are performed on other parts of your business operations?
- Which firms are able to conduct CPRA risk assessments and cybersecurity audits?
6) Publicly Available Information
One of the most interesting dimensions of CPRA relates to publicly available information, which the regulation does not count as personal data. Specifically, CPRA defines it as:
“Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.”
Initial interpretations from experts suggest that the definition of publicly available data may include information that can be harvested from social media accounts such as Twitter or LinkedIn. If that proves true, publicly available information provides some interesting possibilities for B2B marketers, because some basic firmographic and contact data could be treated differently than other “personal information” whose use is limited under CPRA.
Questions for B2B marketers to consider regarding CPRA:
- Can you make the claim that a subset of the personal information in your marketing systems was lawfully made available to the general public? If so, are you able to exempt certain attributes of contact records from the CPRA restrictions such as do not share and data minimization?
- Is basic information such as first name, last name, employer name, and job title harvested from a social media profile such as LinkedIn considered public data?
- Is an email address or phone number shared at the end of a conference presentation or posted on SlideShare considered public?