CPRA likely to result in huge privacy compliance costs

US – The Insights Association has told the California Privacy Protection Agency (CPPA) that insights companies preparing to comply with the California Privacy  Rights Act (CPRA) will face “tremendous costs”.

Lock representing data privacy

This will be especially true for small and medium-sized firms that are “updating and expanding on their already extensive compliance efforts” in connection with the CPRA, cautions the non-profit trade association.

In light of this, the Insights Association has set out a number of recommendations for new regulator the CPPA, including urging it to limit processing that presents a “significant risk” to consumers’ privacy or security to highly sensitive personal information, such as financial account information, as well as limiting it to processing that occurs on a regular basis or a minimum number of times per year.

In addition, such processing should involve at least 100,000 records, given that the statue “contemplates ‘significant risk to consumers’ privacy or security’, language which connotes larger concerns of aggregate risk, not every isolated presentation of risk to any individual consumer or small group of consumers”, said the trade body. Alternatively, the association suggests that the CPPA could “incorporate some numerical trigger into what constitutes ‘significant risk’ processing”.

The CPPA should also consider limiting audit and risk assessment requirement to businesses who meet one of the first two prongs of the CPRA’s business definition. This is because the third prong is not tied in any way to business size or processing volume, according to the Insights Association, which added that “it includes a substantial number of small and medium-sized firms in the market research and data analytics industry.”

Moreover, the CPPA must clarify that the use in research results and reports of “sensitive personal information” is a “reasonably expected” use of information provided in connection with corresponding surveys and research studies. The Insights Association also called on the agency to define “disproportionate effort” as those efforts which “do not, in the reasonable discretion of the business, meaningfully add to the consumer’s understanding of the business’s historical practices”.

The association believes that market research should be exempt from notices of financial incentives. “For our members’ research to be effective, they must ensure robust participation, often through the offering of incentives. For example, a doctor may be offered an honorarium to answer a survey about various pharmaceuticals, or an individual may be offered a gift card to participate in a half-day focus group about the latest television shows.”

Lastly, the CPPA should limit the “authorised agent” concept to minors and elderly or incapacitated individuals. Under CPRA, a consumer can designate an “authorised agent” to submit opt-out requests, and requests to know and delete, without limitation.

Increasingly, association members are “receiving requests from purported authorised agents and are caught between, on one hand, wanting to honour legitimate requests and, on the other, the pervasive concern that the authorised agent mechanism invites fraud”, noted the trade body.

We hope you enjoyed this article.
Research Live is published by MRS.

The Market Research Society (MRS) exists to promote and protect the research sector, showcasing how research delivers impact for businesses and government.

Members of MRS enjoy many benefits including tailoured policy guidance, discounts on training and conferences, and access to member-only content.

For example, there's an archive of winning case studies from over a decade of MRS Awards.

Find out more about the benefits of joining MRS here.

0 Comments


Display name

Email

Join the discussion

Newsletter
Stay connected with the latest insights and trends...
Sign Up
Latest From MRS

Our latest training courses

Our new 2025 training programme is now launched as part of the development offered within the MRS Global Insight Academy

See all training

Specialist conferences

Our one-day conferences cover topics including CX and UX, Semiotics, B2B, Finance, AI and Leaders' Forums.

See all conferences

MRS reports on AI

MRS has published a three-part series on how generative AI is impacting the research sector, including synthetic respondents and challenges to adoption.

See the reports

Progress faster...
with MRS 
membership

Mentoring

CPD/recognition

Webinars

Codeline

Discounts