This November, the passing of the
While amendments to the act will likely alter the CPRA over the next two years, the need to allow customers to choose their data preferences when signing up for your or your clients’ services will remain a core part of compliance.
For organizations with more than 100,000 customers and/or annual revenue above $25 million, meeting the CPRA’s provisions will become a legal imperative from January 1st, 2023.
Among a host of consumer-focused provisions, the CPRA gives customers the right to opt out of the sharing or selling of their personal information while also stipulating harsh fines for businesses that breach its regulations.
The prospect of complying with the CPRA, and the potential for severe penalties for non-compliance, is likely to worry many payment processors about how their operations will need to change. The key to mitigating these concerns is being proactive and customer-led when it comes to compliance.
Payment processors can start by letting their customers know about the steps they will need to take to keep impacted consumer data compliant with the CPRA.
However, communication may also need to be accompanied by an audit of how customers store, share, and (if relevant) sell data currently. For payment processors, the next step should be integrating an opt-out mechanism into their platforms where customers will be required to receive personal information.
Under CPRA, businesses will need to get an explicit CPRA agreement from California-based customers to indicate whether they are comfortable with their data being shared or sold. It's important to note that “sharing” is defined in the act as “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
With many impacted businesses still not ready to comply with the now enforceable CCPA, CPRA affected payment processors should start preparing for this new piece of legislation now.