When it comes to consumer data, it’s no longer the wild, wild west in the U.S. The June 2018 passage of the California Consumer Protection Act (CCPA) creates new rules about how certain companies must handle California residents’ data. Those affected by the CCPA regulations include any organization that conducts business in California, markets to California residents, has customers in California, or collects any data about California residents.
With the Jan. 1, 2020 CCPA deadline looming, companies need to be prepared for this enormous shift in the data privacy landscape to ensure they are compliant, or face the financial penalties.
So how did all this come about, what should you consider, and is there a CCPA compliance checklist that outlines what steps you need to take to prepare?
Why GDPR and CCPA? A new compliance landscape
The digital world has created many new frontiers, and massive data collection is one. It started in an unregulated, anything-goes kind of way, then ramped up as companies began to digitally acquire consumer data to pursue the personalization of messaging. Much of this personal data, which has been (and is being) captured about each of us, is stored, shared, sold, and too often compromised in a preponderance of data breaches. With so many moving parts and widely publicized negative consequences to the sharing of personal data, it’s no wonder that the pendulum has swung toward privacy and regulation.
Enter the European Union’s (EU’s) General Data Protection Regulation (GDPR), which went live in May 2018 to create protections for EU citizens and businesses. GDPR enables individuals to have a say in how or if their data will be used, and they must opt in to consent to the selling of their data. Any public or private organizations that do business with European citizens, whether based in the EU or not, are regulated by GDPR. This means many American corporations that will be affected by CCPA may have already undergone a transition to adapt to meet GDPR guidelines.
This brings us to CCPA. Sometimes called America’s GDPR, CCPA was passed in June 2018, just one month after GDPR went live, and is a bit different from its European counterpart. CCPA broadens the definition of personal data and includes individuals in a household. (See Figure 1.) The law also defines data “selling” (which has a much broader meaning than you’d think) and allows consumers to opt out of the sale of their personal data through a mandatory “Do not sell my personal information” link on the homepage of the business’s website. There are other important differences, as well.
Let it be noted that nearly half the states have already proposed data privacy legislation, which would create a patchwork of compliance regulations state by state. As a result, it’s widely speculated that some sort of federal legislation will evolve in the next year or two. However, if that does not transpire, we may see a regulatory environment similar to insurance, where consumer data protection laws are regulated state by state. If that occurs, businesses would need compliance teams who understand each state’s regulations.
CCPA penalties and fines
Also important to note is that penalties imposed by both GDPR and CCPA are based on your company’s size, revenue, and similar factors, so large firms face penalties that are orders of magnitude greater than those for medium-sized firms. With GDPR, regulators can assess fines as high as 4% of a company’s annual revenue. Two notable cases of hefty fines after data breaches include one proposed in July 2019 against Marriott that is 2.5% of the company’s global revenue and another against British Airways that is 1.5% of its revenues. Both companies are contesting the fines, but it’s prudent to watch GDPR events unfold and apply those lessons to CCPA.
CCPA law at a high level
Without going into too much detail, here are some critical CCPA requirements.
At or before collecting data, organizations must indicate to consumers the categories of personal information they collect, disclose, or sell.
Consumers have the right to see what personal information is being collected, disclosed, or sold and can request the company delete their data or stop selling/disclosing it within 45 days.
California residents have a right to take legal action up to certain dollar amounts when non-encrypted or non-redacted personal information is compromised.
Organizations can’t give deferential treatment, such as better pricing or services, to consumers who agree to share their personal information over consumers who don’t.
Organizations need to know where their consumer data comes from, how it is used, and where it is going, and they must track any selling of personal information.
Organizations must ensure that suppliers, vendors, and other third parties with which they share consumer data can also respond to consumer requests to delete or stop selling their data. This includes cloud providers.
Finally, the details are still being laid out, but the law sets a grace period of six months after the publication of the final regulations, or July 1, 2020, whichever comes sooner, for when the CCPA compliance demands can be enforced.
Generate business value from compliance
So how does all that apply to your specific organization? Whether or not you’re at the starting point of your data compliance journey, CCPA presents you with an opportunity. Even if your company falls under rigorous regulatory compliance requirements, meaning you have already put in place the appropriate controls, technology, and data management capabilities to demonstrate in an audit that you can effectively comply, all those measures are defensive.
CCPA gives you occasion to line up your efforts in compliance, data management, and data governance in an offensive way. At some point, every company will fall under such legislation, so now is the time to better develop your data environment and to create higher quality, well-managed data that is fit for purpose and can contribute to revenue generating efforts. You can use that data to help influence your marketing strategy and to build digital products/services that your customers might want to consume, which, in turn, you can monetize. Your data environment and higher quality data becomes a business asset that can generate returns.
First make a pivotal decision
If you do have California customers and must comply with CCPA, your first move should be to make a strategic scoping decision: should you design a system that complies with CCPA for only Californians or should you build a data management environment that provides these protections and services to all your customers, regardless of whether they come from California?
You must weigh numerous factors. What if you implement just for California residents, and one by one, other states eventually pass similar laws? You’ll have to incur the cost of implementing compliance over and over again. And will your non-California customers take issue that you are providing strong privacy protections to some consumers’ data, but not to theirs?
On the other hand, what if you go full throttle and decide to manage all your customer data in a CCPA-compliant way? You can still recognize that there are California customers, but this might be the time to implement across your data landscape. Doing so means you will incur certain costs to manage your data the way CCPA requires, but you can leverage that investment to better understand and serve all customers. You’ll need to begin by setting up an operational, cost-effective service for managing data for all your customers. As previously mentioned, you’ll also be subject to audit, and the compliance requirements may be rigorous. This brings you back to the question of whether you want to take on the cost of managing all your customer data the same way or make plans to segregate it. Some companies’ legal teams may advise them not to move forward with an all-in approach so quickly.
Also consider how CCPA might change your business model. Ask yourself whether you actually need to collect personally identifiable information on your customers. Why are you collecting it? What do you plan to do with the data you collect? Use it internally? Sell it to generate revenue? It’s smart to examine what your data is being used for and whether it is necessary. For companies whose business model is to heavily monetize their data, such as Facebook, these regulations may be seen as a threat to their existing business strategy. Those organizations may be understandably resistant to putting too much of their data under this kind of management at this point.
Bottom line, your company needs to thoroughly examine all the legal, regulatory, and business factors in play to come to the right decision for your business.
CCPA compliance checklist
Whatever choice you make, you need to take a data governance-based approach to compliance. Here is a proven checklist or roadmap of six basic steps you need to complete to meet the requirements of CCPA and sustain compliance over time.
Update privacy notices and policies.
Update data management strategy, data inventories, and business processes.
Implement protocols to ensure compliance with consumer rights.
Make security updates.
Update third-party processor agreements.
As you embark on your journey, be mindful of the unofficial best practices that have emerged across industries for effectively managing customer data. If personally identifiable information (PII) is a focus, your data governance and stewardship planning should include a PII roadmap to ensure that compliance will occur.
Also note that Step 6 is critical, since you don’t want to throw all your time and effort out the window if your employees and suppliers don’t actually execute what you have carefully and painstakingly implemented. Organizational change management can be the crucial difference between compliance and financial penalties.
How to develop your customized CCPA plan
Even though you understand CCPA and GDPR and you know your end goal, you still may not know what to do, despite having the checklist in hand.
Fear not. While the checklist explained what will make you compliant, you now need to use a tried-and-true plan (see Figure 2) that tells you how to get there. This plan has been used successfully to help organizations achieve GDPR compliance and applies to CCPA compliance, as well. You can employ and customize it as you set up for CCPA compliance.
Note that given the complexities of regulatory compliance, the majority of companies choose to work with someone experienced in the full lifecycle of data. If you choose this route, work with a company that can help you understand how CCPA affects your business and will walk alongside you in developing an approach, performing an implementation, and successfully managing and advising you to ensure you can sustain compliance.
Start at a point of discovery. For companies early in their data journey that don’t know where to begin, a discovery process helps you understand the data and regulatory landscape and then plan an approach to address what your compliance activities might be. Ask yourself: How familiar are you with the new regulations? What must your business do in order to comply? What kind of timeline are you facing? Where do you stand on data governance and data management? Do you understand the quality and lineage of your data (where it is generated, changed, and stored)? Do you have the capability to change your data (in the case of legacy systems that captured the data years ago)?
Assess and recommend. Perform an audit of your privacy and data management-related program capabilities and assess it against the key requirements of GDPR and CCPA. This will identify where you have gaps and exposure in order to create recommendations to move forward.
Strategize and plan. Your success depends on bringing all relevant business, technology, and compliance stakeholders on board with a comprehensive plan. This includes existing digital, analytics, or data governance teams, to create a cross-functional program capability.
Operate and monitor. Establish an ongoing data governance and privacy compliance monitoring program to promote continued accountability.
An international manufacturing company used this plan to become GDPR compliant. What they learned through the process was that it’s never too early to start preparing. There are many considerations, including how data flows, email processes, notifications of data collection, changes to the user experience, and so much more. It takes a multi-functional team to get ready. In their case, compliance was achieved through a cookie notification, an opt-in email campaign, an opt-in form for data collection, and no longer storing data on the website. The process and solution are different for each company, but based on their experience, this client would say don’t wait, prepare now.
Summing it up
CCPA is just another development in a privacy revolution that will ultimately help protect the data generated about each of us. While different generations have different perceptions of privacy, the passing of this regulation signals that the floodgates have been opened in the U.S. for more action.
Larger firms that already have internal risk and compliance teams might have the horsepower to handle the decisions and strategy required, but, as with GDPR compliance, they may still turn to a partner to help implement the recommendations. Execution is key, and compliance with the data categorization and management required by CCPA is not for the faint of heart.
The clock is ticking. It’s time to take action to manage and protect the consumer data in your organization.