How Can Improved Processes Drive CCPA Compliance?

What Companies Need to Know About the California Consumer Privacy Act

by Steven O'Donnell
August 15, 2019
in Data Privacy

The California Consumer Privacy Act goes into effect on January 1, 2020, about four and a half months from now, and the time to prepare is now. Mitratech’s Steven O’Donnell discusses how the CCPA compares with and differs from the GDPR and outlines how to get started on the path to compliance.

A GRC professional would probably have to be sleeping under a Cali-sized rock to not be aware of the next compliance challenge on the (near) horizon: the California Consumer Privacy Act (CCPA), set to go into effect on January 1, 2020.

CCPA compliance is significant for several reasons. It’s the first major regional data privacy law to go into effect on the heels of the GDPR, presenting a new test for the compliance infrastructures of companies that may have already weathered the EU legislation.

Another is that while it’s only a “state” regulatory initiative, it’s for the U.S. state with the fifth-largest economy in the world, so doing business in California means a business has to be ready to vault the CCPA’s hurdles.

What’s Involved in the CCPA?

California residents will now be able to demand to know what personal data of theirs is being collected, whether it’s shared and with whom, and then opt out of any sale of that personal data.

They’ll have a right to access that data and ask for its deletion, and companies will be unable to sell the data of 13- to 16-year-olds without their opt-in. Selling the data of anyone under 13 is out, unless there’s parental or guardian consent.

That area of consent illustrates a key difference between the CCPA and the GDPR. The latter requires a lawful basis such as explicit user consent to collect personal data, and businesses must document the entire chain of consent, whereas the California law does not require consent for collection. Companies that have been collecting data on Californians before the CCPA goes into effect can continue to do so, but must give consumers the chance to opt out of its sale.

Another distinction between the two? The CCPA applies to “California residents,” while the GDPR applies to what it terms “data subjects” in the EU without regard to their citizenship or residency. The GDPR protects individuals only, while the CCPA’s definition of personal information also reaches data that can be associated with a household.

The GDPR also applies to any enterprise that is collecting and processing the data of “EU data subjects” irrespective of a company’s location, while the CCPA only speaks to companies that are “doing business in California,” though there’s little extra definition about what that means.

Moreover, the GDPR encompasses all data-gathering organizations, whether in the private or public sector. The CCPA only applies to for-profit businesses doing business in California that meet at least one of three thresholds: annual gross revenue over $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving half or more of their annual revenue from selling consumers’ personal information. Note that these are alternatives, not cumulative requirements, so a small company that trades heavily in consumer data can be covered even if its revenue is far below $25 million.

The CCPA, though, isn’t yet set in stone. Multiple amendments are being considered by the California legislature, some of them intended to clarify the ambiguities of the original bill touched on above.

Profiting By Compliance in an Era of Data Privacy

There are already companies profiting from the CCPA, such as consent platform providers who promise to help marketers maintain compliant digital footprints. They’re trading on the notion that demonstrating compliance to consumers helps build trust between audiences and brands, and this trust is the new currency of digital relationships.

There’s evidence that’s exactly the right tack to take. After the GDPR went into effect, studies found that 62 percent of U.K. consumers felt more comfortable sharing personal data with brands. Compliance, then, provides a way for marketers to capitalize on the sea change that’s underway in consumer attitudes toward data sharing and transparency.

So for GRC professionals who want to keep tapping into the California market via digital marketing and consumer data, there are some key challenges ahead they should tackle. And by “ahead,” I mean they should be taking the right steps right now.

Getting Your Compliance Efforts in Gear

When should an enterprise be moving toward CCPA compliance? One executive told CIO, “I would have done with data what I’ve always preached with agile and DevOps…

“I would have gotten ahead of the problem, because the only easy day was yesterday.”

In other words, if you’re not already making moves, you’re already behind the curve. Some companies may feel the CCPA isn’t that big a concern because they’ve already dealt with GDPR compliance, but there may be just as many fresh complexities in meeting the new regulations as there were in satisfying the EU ones. Before they got underway, many companies had no idea of the issues they had buried in their own processes and platforms that had to be reconciled before they were able to claim GDPR compliance. Who’s to say they’re immune to the same inertia when it comes to the CCPA?

But the processes, tools and procedures they applied to GDPR compliance may be applicable to the CCPA; it’s simply a matter of having a sense of urgency about adapting them to the new challenge – or to the challenges that will come afterward, as we’ll see.

Even if you’re confident about your compliance posture, it may be misleading. One survey found that 71 percent of legal and privacy professionals felt they’d be ready for the CCPA, yet the same research revealed many of the same respondents were still struggling with GDPR compliance. Why? We’ll get to that, too.

Grasping Your Compliance Demands

The first stage of your CCPA compliance initiative? Determining whether or not you actually need to be compliant.

When it comes to the CCPA, the thresholds regarding company size and the amount of data transacted can show a company fairly clearly whether it needs to take compliance steps. But there are multiple details to consider beyond the thresholds, especially for companies working with marketing agencies, list brokers or other third parties who might be buying, selling or sharing consumer data on their behalf.

When the GDPR was proposed, many non-EU enterprises assumed they were exempt because they had no EU unit or sales effort underway, but the simple act of gathering data from EU residents, even inadvertently, left them within its scope.

Here’s an example of one of those CCPA nuances: As drafted, the law protects California residents even if they’re outside the state’s borders. A data collector who is gathering data from a Californian when they’re on a trip to Denver, for instance, may think they’re being clever, but they’re still violating the law. Situations like this demand that you audit every process, campaign, channel or vendor action touching on data collection to be certain they’re in compliance.

Installing Compliance-Oriented Processes

Becoming compliant with the CCPA is possible, one supposes, using traditional processes and systems. It’s akin to trying to teach an elephant tap-dancing: It might happen, but disaster is bound to arise sometime. The problem? There are too many new steps ahead that you’ll need to learn – and quickly.

The GDPR was only the beginning, and the CCPA is a continuation of the trend toward more data privacy legislation in more regions. The failure of the U.S. federal government to deliver an inclusive set of regulations has led to a burst of individual state initiatives, currently represented by nine states with their own sets of laws. Six are patterned on the CCPA, while the others are less stringent. But in one case – the New York Privacy Act – the Empire State has felt obliged to go beyond California in terms of giving consumers control over their data. Their law is explicit about how companies need to put individual data privacy rights ahead of their own right to make a profit.

So, how can a company navigate this crazy quilt of regulations? The study touched on above pointed out how legal and privacy professionals were still taking a case-by-case approach to managing these challenges, with no fewer than half of them still dependent on manual processes to handle privacy requests under the GDPR. That can involve dozens of employees in a given company; as the study reminds us, that can result in “thousands of touch points with the potential to introduce human error.” A single one of those errors could create a noncompliance situation where substantial penalties might be incurred.

Picture, if you will, a situation when a company is attempting to manage another half-dozen or more sets of state data privacy regulation using these hands-on processes. Or what might happen if they’re operating on a global footing, coping with national or regional variants? The mayhem and waste of resources will only escalate.

If ever there was a scenario compelling the adoption of new technological solutions to drive greater GRC management agility and a cultural embrace of compliance within an organization, this is it. New tools must be adopted, supporting a shift in the operational execution of data-related processes, so a company can confidently cope with every separate set of regulations and with the amendments and modifications sure to come within each.

As anyone who’s worked in the insurance or financial services sectors can tell you, this is entirely feasible. There are, in fact, tools and techniques available for legal departments and GRC teams that can make it a reality by automating and rationalizing the workflows that are essential to effective compliance.

Taking a (Very) Long View

Like it or not, the consumer demand for greater data privacy protections and transparency on the part of business is going to be a constant both today and well into the future. In a world where black hat hacks of consumer data are regularly in the headlines, nobody should be surprised.

The silver lining is the upside a company can create for itself by installing an efficient, resilient and flexible compliance framework and a set of agile processes that empower it to manage not only the next round of data privacy regulations, but whatever lies beyond those.

By attending to consumer concerns about data privacy, companies are investing in trust-building with their audience. Their expenditures for these new tools and processes are thus far from sunk costs; they are sound investments in stronger future relationships between brand and customer, and in profits.


Tags: California Consumer Privacy Act (CCPA)
Steven O'Donnell

Steven O’Donnell is Head of Product Marketing – Legal Operations at Mitratech. Steven has a wealth of knowledge and experience about the challenges facing legal professionals. A regular speaker at industry events and webinars, he provides in-depth insight into how technology is transforming the legal industry.
