TrustArc CEO Chris Babel highlights findings and themes from a recent report on the California Consumer Privacy Act and offers guidance on building an effective program for those organizations still at work on CCPA compliance.
The European Union’s (EU) General Data Protection Regulation (GDPR) and a host of other regulations have elevated privacy compliance to the top of global business priority lists. Now, organizational leaders are turning their attention to the California Consumer Privacy Act (CCPA). The CCPA, with its January 1, 2020 enforcement date, is the toughest U.S. privacy regulation to date. Almost every organization that does business in California or handles personal information of California citizens will feel its impact.
Research commissioned by TrustArc — of 250 U.S. privacy professionals from February 15 to 27, 2019 — through Dimensional Research found that for the vast majority (more than 86 percent) of respondents, CCPA compliance is still a work in progress. Yet organizations should not simply work to check compliance off their list. Businesses constantly change, and leaders must develop privacy and compliance programs that can change with the business.
Build Ongoing Compliance; Don’t Check a Box
Many organizations are investing in CCPA compliance either to meet customer, partner or other third-party expectations (62 percent) or to meet internal reporting requirements (45 percent). Viewing compliance from the point of view of checking off a box can be harmful to an organization’s long-term compliance outlook.
Instead, companies should view compliance as an ongoing part of their business strategy by implementing processes to maintain compliance and leveraging technology tools to manage those processes. For some companies, GDPR preparation has offered a window into some of these practices.
Past Experience Gives Some a Leg Up
Organizations that use lessons from GDPR and treat CCPA privacy management as a critical component of future growth are more likely to outpace their competitors in building customer trust and market share. The total CCPA compliance rate is 14 percent of respondents; just 6 percent of respondents that did not work to comply with GDPR are CCPA compliant. Furthermore, 50 percent of respondents say they will leverage more than half of their GDPR programs for CCPA compliance.
Preparing for regulations that already exist has been helpful, if leaders take the right lessons to heart. However, organizations would be wise not to build compliance processes for one specific law in hopes they can reuse part of their efforts should additional laws arise. Instead, whether GDPR has provided them a leg up or not, leaders must ingrain compliance into their company’s culture. Organizations that use CCPA preparation as a way to build a scalable compliance process will achieve compliance and competitive advantage.
Heavy Investments Mean Compliance Must Scale
Creating privacy at scale will be the best path forward for any organization as it contends with the changing regulatory risk landscape. The more innovative companies will look to differentiate themselves from their competition by setting up ethical review committees, ethics teams and data ethics officers to formally consider the implications of algorithms and machine learning on customer trust and business outcomes. Establishing these processes and investing in technology tools and people to build privacy compliance will require heavy capital investments.
Nearly three-quarters (71 percent) of organizations are spending $100,000 or more on CCPA readiness. Nineteen percent are spending $1 million or more. To prepare themselves to meet the CCPA mandate, business leaders are investing this money mainly in technology and tools, consultants, external legal expertise and internal hiring.
Respondents’ three biggest needs show that, while companies are concerned with CCPA specifically, many of their requirements are more general. Of the data privacy tasks for which companies need additional help, conducting privacy risk assessments, developing a CCPA privacy plan and assessing international data transfers are listed by the largest proportions of respondents.
Many of the other tasks with which companies need assistance are broadly applicable to privacy mandates more generally. It’s clear the investments companies make in privacy will be too heavy for these programs not to scale to meet the demands of other, future regulations. The ways in which companies plan to expend their resources on privacy suggest that those that focus on more adaptable, scalable and broadly applicable privacy and compliance programs will be more likely to succeed as the compliance landscape evolves.
Rather than check CCPA off their to-do lists, organizations should instead make the leap from reactive to proactive by building efficient, scalable processes from the ground up and using technology to automate some of those processes. Taking a proactive approach to privacy will help conserve the budget and create a lasting competitive edge.