The California Consumer Privacy Act will go into effect in just over three months, and the time to prepare is now. Mitratech’s Steven O’Donnell discusses how the CCPA compares with and differs from the GDPR and outlines how to get started on the path to compliance.
A GRC professional would probably have to be sleeping under a Cali-sized rock to not be aware of the next compliance challenge on the (near) horizon: the California Consumer Privacy Act (CCPA), set to go into effect on January 1, 2020.
CCPA compliance is significant for several reasons. It’s the first major regional data privacy law to go into effect on the heels of the GDPR, presenting a new test for the compliance infrastructures of companies that may have already weathered the EU legislation.
Another is that while it’s only a “state” regulatory initiative, it’s for the U.S. state with the fifth-largest economy in the world, so doing business in California means a business has to be ready to vault the CCPA’s hurdles.
What’s Involved in the CCPA?
California residents will now be able to demand to know what personal data of theirs is being collected, if it’s shared and who it’s shared with, and then opt out of any sale of said personal data.
They’ll have a right to access that data and ask for its deletion, and companies will be unable to sell the data of 13- to 16-year-olds without their opt-in. Selling the data of anyone under 13 is out, unless there’s parental or guardian consent.
That area of consent illustrates a key difference between the CCPA and the GDPR. The latter requires explicit user consent to collect personal data, and businesses must document the entire chain of consent, whereas the California law does not. Companies that have been collecting data on Californians before the CCPA goes into effect can continue to do so, but must give consumers the chance to opt out.
Another distinction between the two? The CCPA applies to “California residents,” while the GDPR applies to what it terms “EU data subjects,” but doesn’t specify their citizenship or residency. The GDPR applies to individuals only, while the CCPA’s safeguards apply to households.
The GDPR also applies to any enterprise that is collecting and processing the data of “EU data subjects” irrespective of a company’s location, while the CCPA only speaks to companies that are “doing business in California,” though there’s little extra definition about what that means.
Moreover, the GDPR encompasses all data-gathering organizations, whether in the private or public sector. The CCPA only applies to for-profit businesses grossing over $25 million per year that deal in the personal data of 50,000 or more consumers and that derive half of their revenue from sales of that data.
The CCPA, though, isn’t yet set in stone. Multiple amendments are being considered by the California legislature, some of them intended to clarify the ambiguities of the original bill touched on above.
Profiting By Compliance in an Era of Data Privacy
There are already companies profiting from the CCPA, such as consent platform providers who promise to help marketers maintain compliant digital footprints. They’re trading on the notion that demonstrating compliance to consumers helps build trust between audiences and brands, and this trust is the new currency of digital relationships.
There’s evidence that’s exactly the right tack to take. After the GDPR went into effect, studies found that 62 percent of U.K. consumers now felt more comfortable sharing personal data with brands. Compliance, then, provides a way for marketers to capitalize on the sea change that’s underway in consumer attitudes toward data sharing and transparency.
So for GRC professionals who want to keep tapping into the California market via digital marketing and consumer data, there are some key challenges ahead they should tackle. And by “ahead,” I mean they should be taking the right steps right now.
Getting Your Compliance Efforts in Gear
When should an enterprise be moving toward CCPA compliance? One executive told CIO, “I would have done with data what I’ve always preached with agile and DevOps…
“I would have gotten ahead of the problem, because the only easy day was yesterday.”
In other words, if you’re not already making moves, you’re already behind the curve. Some companies may feel the CCPA isn’t that big a concern because they’ve already dealt with GDPR compliance, but there may be just as many fresh complexities in meeting the new regulations as there were in satisfying the EU ones. Before they got underway, many companies had no idea of the issues they had buried in their own processes and platforms that had to be reconciled before they were able to claim GDPR compliance. Who’s to say they’re immune to the same inertia when it comes to the CCPA?
But the processes, tools and procedures they applied to GDPR compliance may be applicable to the CCPA; it’s simply a matter of having a sense of urgency about adapting them to the new challenge – or to the challenges that will come afterward, as we’ll see.
Even if you’re confident about your compliance posture, it may be misleading. One survey found that 71 percent of legal and privacy professionals felt they’d be ready for the CCPA, yet the same research revealed many of the same respondents were still struggling with GDPR compliance. Why? We’ll get to that, too.
Grasping Your Compliance Demands
The first stage of your CCPA compliance initiative? Determining whether or not you actually need to be compliant.
When it comes to the CCPA, the guidelines regarding company size and the amount of data transacted can clearly show a company whether or not they should take compliance steps. But there are multiple details they need to consider, too, especially if they’re working with marketing agencies, list brokers or other third parties who might be dealing in consumer data.
When the GDPR was proposed, non-EU enterprises felt they were exempt because they didn’t have an EU unit or sales effort underway, but the simple act of even inadvertently gathering data from EU residents left them liable.
Here’s an example of one of those CCPA nuances: As drafted, the law protects California residents even if they’re outside the state’s borders. A data collector who is gathering data from a Californian when they’re on a trip to Denver, for instance, may think they’re being clever, but they’re still violating the law. Situations like this demand that you audit every process, campaign, channel or vendor action touching on data collection to be certain they’re in compliance.
Installing Compliance-Oriented Processes
Becoming compliant with the CCPA is possible, one supposes, using traditional processes and systems. It’s akin to trying to teach an elephant tap-dancing: It might happen, but disaster is bound to arise sometime. The problem? There are too many new steps ahead that you’ll need to learn – and quickly.
The GDPR was only the beginning, and the CCPA is a continuation of the trend toward more data privacy legislation in more regions. The failure of the U.S. federal government to deliver an inclusive set of regulations has led to a burst of individual state initiatives, currently represented by nine states with their own sets of laws. Six are patterned on the CCPA, while the others are less stringent. But in one case – the New York Privacy Act – the Empire State has felt obliged to go beyond California in terms of giving consumers control over their data. Their law is explicit about how companies need to put individual data privacy rights ahead of their own right to make a profit.
So, how can a company navigate this crazy quilt of regulations? The study touched on above pointed out how legal and privacy professionals were still taking a case-by-case approach to managing these challenges, with no less than half of them still dependent on manual processes to handle privacy requests under the GDPR. That can involve dozens of employees in a given company; as the study reminds us, that can result in “thousands of touch points with the potential to introduce human error.” Only one of those errors could create a noncompliance situation where substantial penalties might be incurred.
Picture, if you will, a situation when a company is attempting to manage another half-dozen or more sets of state data privacy regulation using these hands-on processes. Or what might happen if they’re operating on a global footing, coping with national or regional variants? The mayhem and waste of resources will only escalate.
If ever there was a scenario compelling the adoption of new technological solutions to drive greater GRC management agility and a cultural embrace of compliance within an organization, this is it. New tools must be adopted, supporting a shift in operational execution of data-related processes, so a company can confidently cope with every separate brace of regulations and with the amendments and modifications sure to come within each.
As anyone who’s worked in the insurance or financial services sectors can tell you, this is entirely feasible. There are, in fact, tools and techniques available for legal departments and GRC teams that can make it a reality by automating and rationalizing the workflows that are essential to effective compliance.
Taking a (Very) Long View
Like it or not, the consumer demand for greater data privacy protections and transparency on the part of business is going to be a constant both today and well into the future. In a world where black hat hacks of consumer data are regularly in the headlines, nobody should be surprised.
Yet the silver lining here owes to the upside a company can create for itself by installing an efficient, resilient and flexible compliance framework and set of agile processes that empower it to manage not only the next round of data privacy regulations, but whatever lies beyond those.
By attending to consumer concerns about data privacy, they’re investing in trust-building with their audience. Thus, their expenditures for these new tools and processes will be far from sunk costs, but sound investments in stronger future relationships between brand and customer – and in profits.