California Consumer Privacy Act — widely considered to be the toughest law in the U.S. regulating the collection, storage and use of personal information — went into effect on Jan. 1. Rather than preparing for the CCPA, however, many businesses have taken a wait-and-see approach. This could be a serious mistake.
The new law is similar in many respects to the European Union’s
General Data Protection Regulation, which went into effect last spring. Like the GDPR, the CCPA is expected to have a profound impact on the way businesses collect and protect personally identifiable information (PII) from consumers, with ramifications that likely will spread far beyond the borders of the Golden State.
Although GDPR provided businesses with a relatively long runway of more than 24 months from adoption to imposition of penalties, CCPA incorporates more aggressive time lines.
There are two primary reasons for the shorter time lines. First, as initially drafted and passed last year, the CCPA included several ambiguities in its wording. Further, California’s legislature added six amendments prior to finishing its session on Sept. 13.
Those uncertainties and late-hour changes meant businesses didn’t have a clear set of preparation guidelines for very long before the law went effect on Jan. 1.
The enforcement of penalties will begin on July 1, and businesses that delay the process of becoming compliant with CCPA could find themselves facing serious problems right out of the gate.
What Is the CCPA?
The act creates new rights for California residents regarding access to, deletion of, and sharing of their PII. Key aspects of the CCPA:
- Businesses must disclose their data collection and sharing practices to consumers.
- Consumers have the right to see all the PII a company has collected on them.
- Consumers have the right to request that companies delete their data.
- Consumers have the right to opt out of the sale of or sharing of their personal information.
- Businesses are prohibited from selling the PII of consumers under the age of 16 without explicit consent.
- Consumers have the right to sue a company if the CCPA privacy guidelines are violated, even if there is no data breach.
Why the concern? The CCPA casts a very wide net, which means it will impact a large number of businesses in both the U.S. and abroad. The CCPA establishes broad definitions of the following:
- What data is covered: The CCPA extends to any data item that can identify an individual, including name, address, phone number, email, social media profiles, and URLs.
- Who is covered: The CCPA protects not only consumers who reside in California, but also prospective customers, employees, employees who are also customers, and even vendors and suppliers.
- Which businesses must comply: The CCPA applies to any company that does business with any individual protected by the CCPA. In practice, this means the legislation will impact companies far beyond California and even the U.S.
The CCPA also specifies fines for noncompliance. Businesses have just 30 days to remedy an alleged violation. Any company that fails to do so faces US$2,500 per unintended violation and $7,500 per intended violation. While these fines are nowhere near as stiff as the GDPR penalties levied by the EU, they are nonetheless significant.
What may be worse is the potential social fallout from noncompliance. In this day and age of instant social communication, even perceived negligence around consumer data privacy quickly can create a nightmare scenario for PR and marketing teams.
Imagine the consequences if a customer should post a Facebook update saying, “I called XYZ Company, I asked them to give me my data, and they didn’t help me.” This customer’s social media followers and fans may not only share and comment on this post, but also may take action themselves. It only takes one lawsuit to create lasting damage to a brand’s reputation.
Best Practices for CCPA Compliance
The good news is that it’s not too late to start building a CCPA compliance strategy.
Following are some best practices to consider.
1. Have a Plan
The No. 1 way to get ahead of this new legislation is to create a plan. Leaders in adoption already have this in their wake and currently are executing against a road map encompassing people, process and technology changes required to become compliant.
While the enforcement date is only in July, companies do in fact need to have an answer ready if the phone should ring between now and then. They must know what to say when customers call with concerns about the privacy of their data.
They should be prepared to disclose all data collection, protection and sharing practices. Additionally, they should have a process for managing consent, and for honoring requests to delete data or opt out of data sharing.
2. Evaluate Risk Across All Channels
Companies must be prepared to manage CCPA requests that come in through any channel, online and offline.
The call center is an obvious focus, but requests also may come via social media, email, chat and mobile apps. Every channel of communication is impacted.
3. Test for Readiness
Remember that customer data often is connected to other data, both internally and externally. Deleting customer data in one area of the business may affect operations in other areas, such as finance and marketing.
Conduct end-to-end regression testing and validation to simulate all customer data requests — but particularly data deletion requests. This operational readiness testing will help uncover any internal and external implications that otherwise might have been overlooked.
4. Leverage a Third-Party Tool
Considering that companies typically have customer data stored across multiple systems, compliance with CCPA can be a complex ongoing process. Several tools do exist to help businesses manage the process of becoming CCPA-compliant.
These tools typically address two key components of compliance:
- Workflow and business process management: These tools help companies field incoming requests and manage the workflows associated with internal approvals, customer notifications, customer communications, and the packaging of the results of the CCPA requests.
- Data discovery and data management: These tools help companies scan their systems, identify where personal data is held, and implement controls to ensure the proper protection of the data (which may include access, encryption and monitoring).
Across the board, it’s highly likely that the CCPA will become the benchmark that other states will use when developing their own data privacy laws. It may even become the template for a future U.S. federal privacy law.
The potential impact cannot be overstated. Even if a company has no customers in California, this legislation likely will affect how every business collects, stores and shares personal data eventually — which means the time to start thinking about compliance is now.