Data privacy regulations are now sprouting up in regions, countries, and even individual states worldwide. The next challenge in line for many GRC professionals? Achieving CCPA compliance.
In 2018, California enacted its own comprehensive privacy law, the California Consumer Privacy Act (CCPA), set to go into effect on January 1, 2020. With the fifth-biggest economy in the world, California is impossible to ignore for many marketers, so CCPA compliance is mandatory if they want to keep tapping the riches of the Golden State.
The CCPA was drafted to protect consumer rights and drive stronger transparency and privacy protection when it comes to their personal information. Californians will now have a right to know what personal data is collected, if it’s being shared, whom it’s being shared with, and can opt out of any sale of their data.
They’ll also have the right to access the data themselves and ask it be deleted. Companies can’t sell personal data of consumers aged 13-16 unless they opt-in, and parents or guardians will have to consent to the selling of data for youngsters under 13.
Not a twin of the GDPR
A key difference between the EU’s General Data Protection Regulation (GDPR) and the CCPA, however, lies in that area of consent: The California law doesn’t require user consent to collect the data in the first place, or process it. A company can collect data just as it did before the CCPA, but must give consumers that opportunity to opt-out.
The GDPR, on the other hand, demands explicit consent from consumers or from wherever the data is being gathered, and businesses must thoroughly document the entire chain of consent.
There are other differences between the two: The CCPA applies to California residents, while the GDPR refers to “EU data subjects” without specifying residency or citizenship. The CCPA also protects data linked to specific households; the GDPR applies only to individuals.
Also, the GDPR applies to any business that’s collecting and processing the data of those “subjects,” regardless of its location. The CCPA states that its jurisdiction applies only to companies that are “doing business in California,” but doesn’t provide further definition.
And while the GDPR applies to all enterprises, public and private alike, the CCPA restricts itself to for-profit firms that gross above $25 million per year, deal in the personal data of 50,000 or more consumers, and derive half their revenue from selling that data. That shrinks the pool – considerably.The particulars of the CCPA may shift further by the time it goes into law. There are multiple amendments threading their way through the California legislature that may impact various aspects of the final regulations.
CCPA compliance may be a competitive advantage
Both the GDPR and the CCPA unlock consumer visibility into the personal data being held by the companies who have collected it. Those firms must not only provide that access but detail exactly what they’re doing with the data.
Delivering this transparency as part of CCPA compliance may not be a disadvantage to companies, though. In fact, it might very well prove to be the total opposite. Research done after the imposition of the GDPR found 62% of UK consumers felt more comfortable sharing their personal information after it went into law. By showing they’re compliant, companies can get out in front of what’s become a seismic shift in consumer attitudes, where transparency is what drives trust.
Three challenges in reaching CCPA compliance
For GRC professionals and data privacy wardens at companies that want to keep “doing business” in California, then, there are three challenges they need to address. And pretty quickly, too.
Determining your need for compliance
Before all else, a company needs to determine whether or not they actually fall within the scope of the CCPA. When the GDPR was first announced, many non-EU businesses thought they were outside its purview: “We aren’t based in the EU, or have a sales or marketing office there. So we’re exempt.” Which was a mistake that, fortunately for them, hasn’t been reflected in fines or other penalties for non-compliance – yet.
In the case of the CCPA, the stated guidelines about company size and the amount of data they handle make it easier for some enterprises to recognize whether or not they should comply. However, there are finer points of the law that may sting a company that isn’t paying attention to how its marketing team, its outside agencies and vendors, and consumer engagement practices are gathering data.
For instance? As currently drafted, the CCPA protects the information of California residents, and its rules apply even when they’re outside the state line. So despite how you’ve cleverly geofenced a mobile website so it only gathers data from a Los Angeles resident when s/he’s on a junket to Vegas or New York, you’re still in violation.
This means auditing all the campaigns, websites, social channels, or other engagement tools in your company’s inventory to understand if they’re meeting all the requirements of the CCPA. It also means embedding CCPA compliance in your business processes – but more on that in a future post.
How soon should a company begin taking steps toward CCPA compliance? The real question is, why hasn’t it already begun getting ready?
As one executive remarked to CIO about his firm’s preparations for the GDPR, “I would have done with data what I’ve always preached with agile and DevOps. I would have gotten ahead of the problem because the only easy day was yesterday.”
The complexities involved in CCPA compliance may be just as big, for some companies, as those they were confronted with before the arrival of the GDPR. Beforehand, many did not have a real grasp of the intricacies of their own systems and processes, or of the difficulty involved in making them compliant.
So the challenge here is for a company’s GRC leaders? To overcome any internal inertia that’s delaying compliance efforts. One issue may be that some stakeholders who say the company meet GDPR requirements may think it’s a matter of figuratively flipping a few switches to reach CCPA compliance. But they should be shown it’s not that simple. On the bright side? Companies can apply many of the lessons learned in 2017-18 to putting the right processes and policies in place this time around, so they’re prepped for 2020.
Another concern? Not getting cocky. One new survey found that 71% of legal and privacy professionals felt they’d be ready for the CCPA in seven months. However, the same study found they were still struggling to meet the demands of GDPR, for reasons we’ll go into below.
Becoming agile at data privacy compliance
A company might try to attain CCPA compliance using traditional systems and processes. It’s Titanic versus the iceberg, but they could possibly avoid disaster.
The problem is that there are even more icebergs on the way.
The GDPR was only the start, and the CCPA is the sequel. There’s a slate of new state data privacy laws in store, owing in large part to the failure of the federal government to deliver an inclusive set of regulations. These laws have been introduced in nine US states. Six of those proposals are patterned on the CCPA, while the others are less stringent. In at least one case, however, WIRED points out how the CCPA is being left in the dust:
The New York Privacy Act, introduced last month by state senator Kevin Thomas, would give residents there more control over their data than in any other state. It would also require businesses to put their customers’ privacy before their own profits.
That’s on top of the already-enacted NYSDFS regulations mandating data security compliance in the financial services sector.
For a company operating in multiple states (let alone other countries), the enormity of the challenge is clear: How can they remain compliant in this patchwork regulatory landscape?
In the DataGrail study mentioned above, legal and privacy professionals said they were still managing regulations on a case-by-case basis. Half of them were still relying on manual processes to handle GDPR privacy rights requests, where dozens of employees were involved, creating “thousands of touch points with the potential to introduce human error,” as the report puts it.
Half of the companies in a new DataGrail study were still relying on manual processes to handle GDPR privacy rights requests.
Imagine the sheer mayhem and waste of trying to manage another five, ten, or more sets of state regulations that way.
Coping with this will demand a level of cultural and technological agility and sophistication that may be alien to many of these businesses. Yet highly proactive, flexible, and centrally governed compliance structures will have to be set in place. Operational processes and toolsets must be built around a DNA of legality, compliance and policy management, allowing a company to successfully go to market by efficiently adapting to every separate set of regulations. This is far from impossible, as anyone in the insurance industry can tell you, and there are already tools for making it happen.
CCPA compliance: Building for what’s next
For better or worse, data privacy concerns and laws to address them are going to be with us until…well, possibly forever. For that, we can thank the growth of digital media, the Internet of Things, AI, and the corresponding need to protect personal information in a world where that data is increasingly at risk.
But GRC professionals should take heart: Putting the proper systems and culture in place to achieve CCPA compliance today creates an efficient, durable, and flexible framework. It’s one you can build upon not only for dealing with the next round of regulations, but for grappling with whatever new data privacy challenges arrive after that.
Webinar: Navigating Data Privacy for Legal Operations
Watch two leading experts as they show how to implement processes for reducing data privacy risk in a patchwork regulatory environment.