Understanding CPRA Compliance: Practical Insights from Akhil Anumolu
Jeffrey Edwards
|Announcements | July 12, 2023
Whether your organization launched CCPA, GDPR, or CPRA compliance programs five years or 5 months ago, now’s a good time to refresh your knowledge and ensure that your operations, teams, and tech are aligned with current conditions. To help, I had the pleasure of hosting an expert panel, including Akhil Anumolu, a Fortune 500 Digital Executive with prior experience at KFC, Delta & Symantec, and Jason Patel AVP of Engineering & Tech Innovation at CHEQ to discuss the ins and outs of the California Privacy Rights Act (CPRA). In this blog, I’ll summarize some key insights from that conversation, focusing particularly on the implications of the delayed enforcement of several CPRA regulations and the role of businesses in maintaining their compliance initiatives, regardless of regulatory shifts.
For more information and insights from our panel of experts, check out the full webinar, Navigating Privacy and Compliance Enforcement: A California Privacy Rights Act Mid-Year Check-in, now playing on-demand on our website.
Despite CPRA Enforcement Delay, Businesses Must Stay Focused on Meeting Compliance Goals
On the eve of the July 1st enforcement deadline for the CPRA, a June 30th decision from the Sacramento County Superior Court delayed the enforcement of many CPRA regulations from July 1st, 2023 to March 29th, 2024. The enforcement of rules regarding data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling have all been delayed. However, provisions that were complete at the time of the ballot initiative in 2020 are still enforceable as of July 1, 2023. Notably, that includes the loss of the cure period, which previously allowed businesses 30 days to mitigate violations before being fined.
The nine-month delay in enforcement of key CPRA rules may come as a reprieve, but it’s important not to take your foot off the gas when it comes to meeting compliance obligations.
The CPPA is likely to appeal this decision and The CPPA has scheduled a public meeting for July 14, 2023. The proposed agenda confirms that the CPPA Board will publicly discuss key updates, including enforcement.
And, even with the delayed enforcement of key provisions of the law, regulators will still be able to begin enforcement of CCPA statutes and early CPRA amendments to that law. In a public meeting this March, CPPA leadership said that enforcement is a top priority. The Agency is currently hiring additional enforcement personnel and has incorporated enforcement positions into its budget plans.
In our webinar, we examined this enforcement potential, and by looking at past enforcement actions, took an educated guess at how regulators will look to enforce the CCPA as currently amended by the CPRA.
Implementing Compliance Programs: Practical Insights from Akhil Anumolu
In the journey towards meeting CPRA compliance, the initial steps and structuring are fundamental. According to Akhil Anumolu, establishing the identity of the compliance team is the first port of call. Anumolu explains, “Who makes up the compliance team is probably the biggest question. Compliance touches many different departments, divisions, and groups.” At Anumolu’s companies, this responsibility fell on the digital product team, given its frequent interactions with various departments and its central role in overseeing the products’ development and launch.
Once the team was established, and their responsibilities were clear, Anumolu’s first priority was to meet with marketing teams and agencies. The aim was to understand what data they were tracking, why they were tracking it, and where it was going. He recalls, “We had to be very thoughtful in what’s being collected, what’s being allowed, and how to even opt out of it.”
In terms of ongoing compliance, Anumolu highlighted the importance of having a dedicated product manager. This person also had to manage other responsibilities as resources were limited. He emphasized the value of keeping a documented history of every request that came through for reference and accountability purposes.
And developing a well-defined playbook was instrumental in extending compliance to partners and third parties, said Anumolu. “We set up standards when it came to data collection.” A significant aspect of this approach was fostering trust with partners and setting clear expectations right at the onset. Partners were not only trained on compliance and tag management protocols but they were also subjected to quarterly audits and held accountable through service level agreements (SLAs).
“If you do anything that puts us at risk or takes us out of compliance, you will be financially liable for that,” said Anumolu. These stern measures successfully reduced non-compliance incidents among agency and technology partners. Creating a compliance program requires effective collaboration, a comprehensive understanding of data collection, and diligent tracking of requests and obligations. As Anumolu suggests, “We’re doing what’s best for the company at the end of the day as well as our consumers.”
Examining the Technical Nuances of CPRA Compliance with Jason Patel
We also had a stimulating discussion about the technical aspects of CPRA compliance. In particular, Jason Patel shared his expertise in managing alternate consent options and integrating consent across multiple digital properties and platforms.
The CPRA introduces several new consent management requirements for businesses, including the concept of a universal opt-out method. However, as Patel explains, “the text doesn’t necessarily define a specific universal opt-out method.” This calls for companies to have flexible compliance strategies, enabling them to adapt swiftly to any new universal standards that might emerge in the future. This flexibility, Patel argues, is crucial to avoid being blindsided by sudden shifts in regulatory expectations or technological capabilities.
The discussion also revolved around the challenges of integrating consent and compliance across multiple digital properties and platforms. Patel categorizes these challenges into two main forms: technology and people. On the technology side, he warns, “Are you sure that the technologies that you’re using on your main site are the same technologies that you’re using on your microsite?” This underlines the need to understand how data is being used and implemented across different platforms.
Meanwhile, the “people challenge” relates to ensuring that outside agencies or partners remain in compliance with the brand’s standards, especially when they are representing the brand and tracking users for its benefit. Patel says, “So, that’s the other challenge as far as oversight.”
In terms of solutions, Patel suggests two different approaches: process and policy, or controls and automation. The former mirrors cybersecurity methods, with a series of steps and checklists that all team members must follow and document. The latter leverages technology for compliance, setting up restrictions or permissions based on company policies. Patel concludes, “It’s not a one size fits all. You could do it a couple of different ways, but there are pros and cons to both.”
Making It Work with Limited Resources
Our final segment was focused on managing compliance with limited resources. Both Akhil and Jason provided practical advice and shared best practices on how to scale compliance processes without incurring excessive employee hours. From investing in automation technologies and fostering effective partnerships to comprehensive and continuous monitoring of your website for potential compliance violations, their advice was invaluable.
Anumolu proposed a three-tier approach to simplifying compliance. First, he stressed the importance of the right technology partners for automation, “having the right technology partners is key to all of this.” Automating compliance processes as much as possible, he argued, iss essential to alleviate workloads. Second, he reiterated the importance of having a streamlined playbook with identified points of contact, further aiding enforcement at scale. Finally, he underscored the necessity of ensuring technology and ad and agency partners follow the rules under contractual obligations.
Anumolu also highlighted the unique ways in which different companies may handle this task, such as appointing internal resources to oversee compliance or leveraging external partners to carry out these duties. As he put it, “Some companies may not be able to. Well, they’ll look at external partners to help them do that versus having the internal resources.”
One attendee asked about the decision-making process around the choice between automating enforcement and compliance controls versus establishing processes and workflows. Anumolu highlighted that the main considerations were the impact on revenue generation and customer experience, balanced against the risks of non-compliance and potential backlash. He emphasized the importance of putting the customer first and crafting a more personalized approach instead of opting for a “blanket experience”.
A holistic approach was adopted when deciding on the balance between automation and manual processes, with all stakeholders brought together to lay out their arguments. The choice, Anumolu revealed, was to “automate as much as we can because we are limited on personnel and resources” and to ensure continuous iterations with a regular quarterly cadence to keep personalizing the experience based on new laws being implemented in different locations.
Watch the Full Webinar On-Demand
Compliance with the California Privacy Rights Act (CPRA) is a complex journey. But with expert guidance and a proactive approach, organizations can ensure their operations are both compliant and customer-focused. Stay tuned for more insightful webinars and updates on privacy and compliance.
As always, feel free to access the on-demand version of this webinar to explore these topics more deeply and hear directly from our expert panelists.
Watch it now and get access to:
- Reviewing your CPRA readiness checklist
- Ongoing Compliance: CPRA violation response planning and the bigger picture
- Q&A: Real-world CPRA rollout experience & compliance in the current economic climate