The CPRA, which will soon replace the CCPA, imposes expanded and more stringent requirements around how user data is gathered, shared, and stored. And it’s the first U.S. regulation to directly address dark patterns — some of which are so commonly used that people assume they’re standard operating procedure. Now is the time to create a strategy to help your business thrive as consumer data rights become a growing priority.     


The California Privacy Rights Act (CPRA), which becomes effective on January 23, 2023, amends and expands on the 2018 California Consumer Privacy Act (CCPA). Some organizations might be apprehensive about its impacts, such as added IT complexity, the loss of revenue-generating user data, or further loss of trust in analytics and behavior telemetry.


Others may not be giving the legislation a second thought because they’ve done their homework and confirmed that it won’t apply to them. And some companies may not have it on their radar because they haven’t yet realized how it will affect how they gather and leverage consumer data.


The CPRA gives California consumers substantially more control over their privacy and personal information in several ways, and in terms of regulations, it takes specific aim at the use of dark patterns. Some dark patterns ship as the default behavior in various MarTech or AdTech tools, so it’s easy to see them as standard “business-as-usual” practices.


But this perspective will leave many organizations with no idea they may run afoul of CPRA’s regulations, particularly since this is the first time in U.S. law that dark patterns have been referenced.


A Common Dark Pattern Your Organization May Be Using

Dark patterns can come in many forms. The law defines a dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”


An example is using a cookie consent pop-up that gives consumers two options: “Accept all cookies” or “Manage cookie preferences.” Since the latter choice requires an extra step for consumers, they’re likely to dismiss the pop-up, which is taken as constituting acceptance of the cookies. And while there are still unknowns about how CPRA laws will be applied, it states that “agreement obtained through use of dark patterns does not constitute consent.” So, at the very least, organizations that continue this practice risk violating the CPRA.


The Regulatory — and Technology Environments — Continue to Shift in Consumers’ Favor

The CPRA’s legislation goes far beyond addressing dark patterns. It sets a much higher bar for protecting consumer information and privacy in several ways.


Here’s a basic summary of some key features:

●       A new category, “sensitive personal information,” includes government, financial, geolocation, genetics, health, and biometrics information, to name a few.  

●       An altered scope of covered businesses: Organizations that were exempt from the CCPA may be subject to the CPRA.

●       Broader rights empower consumers to opt-out of the sale and sharing of personal information, request the deletion of personal data, and correct inaccurate personal information.  

●       Stronger security requirements: Covered businesses must implement “reasonable security procedures and practices” to safeguard users’ personal information.


There’s more legislation coming on the heels of the CPRA. For example, state senators in Washington recently introduced a state privacy bill that copies the CPRA’s language regarding the use of dark patterns to gain consumers’ consent.


If there was any doubt that the wind has already shifted in favor of consumer rights, technology is also driving more changes in how AdTech and MarTech operate. Consider these recent developments:

●       On the regulatory side, the Federal Trade Commission (FTC) just opened the door for a rule-making phase around commercial surveillance and data privacy. They plan to create new rules that govern those things within the next one to three years.

●       On the tech side, Apple has ratcheted down on device fingerprinting, which knocked USD 10 billion from Facebook’s valuation because their customers (advertisers) could no longer effectively target Facebook users with iPhones — a very high-value consumer segment — leading to a sharp drop in revenue.


Google is also taking action to guard personal data. The company is planning to take third-party cookie support out of Google Chrome, which, along with browsers built on its engine, is behind approximately 80% of web browsers — and this removal will disrupt many organizations’ marketing efforts. Though the timing has been pushed back while Google develops a replacement that will keep its own ad business functional, they’re committed to taking this step because the way things work now leaves consumer information too vulnerable.


Things have changed since cookies were implemented in the early days of the web. It’s become too easy to exploit consumer consent and allow different websites to access browser cookies, which is akin to having one super cookie that tracks people across the web. And that’s not so great for users, who become subject to unauthorized sharing of their data and vulnerable to data security leaks.


How Can Organizations Thrive as Data Privacy Regulations Continue to Evolve?

In the current environment, organizations drop cookies for users visiting their websites because it allows them to place more relevant ads and charge higher revenues. Or, if a company is trying to drive consumers through a sales and marketing process, it has a whole stack of marketing technology that helps it identify, segment, respond to, and otherwise analyze behavior to optimize the experience. Most of these capabilities depend on cookies to keep track of user data — but this method is about to become much more difficult, if not technically impossible, even if it remains legal from a regulatory standpoint (with users’ consent). 


While no one knows exactly how the growing focus on safeguarding users’ personal information will play out, the era of using dark patterns to influence their choices is ending. Think back to when the General Data Protection Regulation (GDPR) first hit, and many companies had to scramble to comply. And then, the CCPA came along, and there might have been another compliance scramble.


The CPRA is just the beginning of similar legislation — and with more on the way, now is the time for organizations to take a proactive approach. The alternative is ongoing disruption — from either the tech or legislative side — and the risk of losing what could be an enormous competitive advantage.   


Study after study shows that users crave individually tailored experiences. What they don’t want is to be subject to information-gathering tactics that feel specious or invasive — or to have their personal information leaked to third parties.


Companies that continue to rely on sketchy advertising technology and marketing schemes because they think doing so gives them an advantage will flounder. As some technology companies are already learning, if they don’t build trust with users, someone else (such as Apple) will — and then they will be the company consumers trust. 


Organizations that are proactive rather than reactive — that put time and care into being transparent and authentically presenting themselves as providing real value in exchange for user data — will be the ones that succeed. These organizations stand to reap enormous rewards by embracing the opportunity to build trust and loyalty with increasingly savvy consumers and architect experiences that leverage lawfully obtained first-party data.  


Three Steps to Take to Prepare for Compliance with CPRA and Related Future Legislation

Even if your business is compliant with the CCPA — and the GDPR — it likely won’t be enough to ensure that it will meet the new, expanded CPRA requirements. For forward-thinking organizations that embrace users’ data privacy rights, the CPRA is an opportunity to win consumers’ hearts and minds — and make it easier to stay ahead of a quickly evolving landscape.


Here are three things to consider as your organization prepares to comply with CPRA legislation.


Think Holistically

Ensure your data collection systems have a way for consumers to access the data you’ve collected, change their data, or request that it be deleted. The more transparency you build into your messaging now, the easier it will be to comply with stricter regulations.


Companies that put time, thought, and care into how they go about presenting consumers with choices about how their information is handled will position themselves to comply with the CPRA and gain user trust. While it might be correct to use third-party tools, doing so without carefully considering the implementation risks confronting users with a frustrating consent form that covers half the screen, leaving them unable even to see the content they’re trying to access.


Instead, think about creating simple presentations to consumers that provide clear opt-in and opt-out choices that are tastefully integrated into the user experience, with both options clearly and equally available.   


Develop a Long-term Strategy Around User Privacy and Customer Data Use That Includes Key Stakeholders

Organizations will need to continue to respond as consumer privacy regulations proliferate, so a one-off approach won’t position your business to achieve compliance with legislation or consumer trust. 


Think of compliance as a service your company provides to website visitors, and encourage IT and marketing departments to partner and lead compliance initiatives. Marketing organizations need to plan for a world where they move away from third-party data and toward first-party data. Staying in lockstep with IT will empower both departments to communicate, accommodate, and manage internal and external changes quickly. 


Revisit Your Technology Stack

It’s tough for IT teams to prioritize tasks that are further up the stack because there always are so many critical, immediate fixes to implement. If it’s a choice between rethinking pieces of your marketing technology stack or making sure your content management system (CMS) is patched for a security flaw, IT will naturally prioritize creating a patch to address the flaw. These daily issues can take up to 80-to-90% of IT teams’ time, making it impossible for them to consider longer-term strategies because they’re constantly in firefighting mode.


The more your IT team can stop worrying about servers and shift to more strategic activities, the better. This shift requires that organizations automate things that can be automated and provide IT teams with tools that increase their productivity and give them the bandwidth to be more proactive. 


Implementing these suggestions will require some time and effort. But these investments will yield far more value than they’ll cost when your company becomes a brand consumers trust because it delivers experiences that surprise and delight users in ways your competitors probably can’t — all while demonstrating your respect for their data and privacy rights.  


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.