Sep 1, 2020
It’s official. As of July 1, 2020, California began enforcing its California Consumer Protection Act (CCPA), meaning complacency about protecting consumer data is no longer an option in the U.S. CCPA regulates how companies that do business with California residents must handle their data. If you don’t comply, you’ll face some hefty fines. The type of compliance required for security, transparency, data sharing, and data lifecycle management under CCPA is not for the faint of heart. Execution is key, and that’s where our experienced team can help you. In this article, we’ll explain what CCPA means to you, how all this came about, what you should consider, and how you can ensure CCPA compliance. We’ll even give you a checklist that details what you need to have done and a plan for you to move forward. You’ll gain some valuable insights about the E.U.’s General Data Protection Regulation (GDPR), which preceded CCPA. It’s important to understand what transpired there so you’ll know what to expect in the U.S., including the issues companies are facing. If you already have a firm grasp of what CCPA means and how it came about, skip to the “Checklist: 6 Steps to CCPA Compliance” section. That explains what will make you compliant. To get right to the action plan, skip to “How to develop your customized CCPA plan,” which gives you the time-tested formula for how to become compliant. 2020 CCPA update The actual regulations that you must abide by for CCPA were finalized in mid-summer 2020, nearly two years after the act became a law. And now enforcement is upon us, meaning businesses need to quickly ensure they are compliant with the final regulations. Numerous businesses and groups did band together to ask the California attorney general to defer enforcement because of the strain the pandemic has put on resources, but that went nowhere. Already in 2020, 27 data breaches that were reported to the attorney general have moved to litigation surrounding CCPA non-compliance. What are CCPA regulations? Let’s go back to the beginning. The June 2018 passage of the California Consumer Protection Act (CCPA) created new rules about how certain companies must handle California residents’ data. Who is affected? Any organization that conducts business in California, markets to California residents, has customers in California, or collects any data about California residents. Why GDPR and CCPA? A new compliance landscape The digital world has created many new frontiers, and massive data collection is one. It started in an unregulated, anything-goes kind of way, then ramped up as companies began to digitally acquire consumer data to pursue the personalization of messaging. Much of this personal data, which has been (and is being) captured about each of us, is stored, shared, sold, and too often compromised in a preponderance of data breaches. With so many moving parts and widely publicized negative consequences to the sharing of personal data, it’s no wonder that the pendulum has swung toward privacy and regulation. Enter the European Union’s (EU’s) General Data Protection Regulation (GDPR), which went live in May 2018 to create protections for EU citizens and businesses. GDPR enables individuals to have a say in how or if their data will be used, and they must opt in to consent to the selling of their data. Any public or private organizations that do business with European citizens, whether based in the EU or not, are regulated by GDPR. This means many American corporations that will be affected by CCPA may have already undergone a transition to adapt to meet GDPR guidelines. This brings us to CCPA. Sometimes called America’s GDPR, CCPA was passed in June 2018, just one month after GDPR went live. CCPA is a bit different from its European counterpart. CCPA broadens the definition of personal data and includes individuals in a household. The law also defines data “selling” (which has a much broader meaning than you’d think) and allows consumers to opt out of the sale of their personal data though a mandatory “Do not sell my personal information” link on the homepage of the business’ website. But there are other important differences, as well. Let it be noted that nearly half the states have already proposed data privacy legislation, which would create a patchwork of compliance regulations state by state. As a result, it’s widely speculated that some sort of federal legislation will evolve in a year or two. If that does not transpire, we may see a regulatory environment similar to insurance, where consumer data protection laws are regulated state by state. If that occurs, businesses would need compliance teams who understand each state’s regulations. CCPA penalties and fines Penalties imposed by both GDPR and CCPA are based on your company’s size, revenue, and such, so large firms face penalties that are orders of magnitude greater than for medium-sized firms. With GDPR, regulators can assess fines as high as 4% of a company’s annual revenue. Two notable cases of hefty fines after data breaches include one proposed in July 2019 against Marriott that is 2.5% of the company’s global revenue and another against British Airways that is 1.5% of its revenues. Both companies are contesting the fines, but it’s prudent to watch GDPR events unfold and apply those lessons to CCPA. CCPA law at a high level Without going into too much detail, here are some critical CCPA requirements. At or before collecting data, organizations must indicate to consumers the categories of personal information they collect, disclose, or sell. Consumers have the right to see what personal information is being collected, disclosed, or sold and can request the company delete their data or stop selling/disclosing it within 45 days. California residents have a right to take legal action up to certain dollar amounts when non-encrypted or non-redacted personal information is compromised. Organizations can’t give deferential treatment, such as better pricing or services, to consumers who agree to share their personal information over consumers who don’t. Organizations need to know where their consumer data comes from, how it is used, and where it is going, and they must track any selling of personal information. Organizations must ensure that suppliers, vendors, and other third parties with which they share consumer data can also respond to consumer requests to delete or stop selling their data. This includes cloud providers. How does this apply to me? Generate business value through compliance So how does all that apply to your specific organization? Whether or not you’re at the starting point of your data compliance journey, CCPA presents you with an opportunity. Even if your company falls under rigorous regulatory compliance requirements, meaning you have already put in place the appropriate controls, technology, and data management capabilities to demonstrate in an audit that you can effectively comply, all those measures are defensive. If you don’t have things under control already, CCPA should put a fire under you to line up your efforts in compliance, data management, and data governance in an offensive way. At some point, every company will fall under such legislation, so it’s time to better develop your data environment and to create higher quality, well-managed data that is fit for purpose and can contribute to revenue generating efforts. You can use that data to help influence your marketing strategy and to build digital products/services that your customers might want to consume, which, in turn, you can monetize. Your data environment and higher quality data become business assets that can generate returns. Make a pivotal decision at the very beginning If you do have California customers and must comply with CCPA, you may have already made a strategic scoping decision: should you design a system that complies with CCPA for only Californians or should you build a data management environment that provides these protections and services to all your customers, regardless of whether they come from California? Hopefully, you weighed numerous factors. What if you implemented just for California residents, and one by one, other states eventually pass similar laws? You’d have to incur the cost of implementing compliance over and over again. And would your non-California customers take issue that you are providing strong privacy protections to some consumers’ data, but not to theirs? On the other hand, what if you went full throttle and decided to manage all your customer data in a CCPA-complaint way? You could still recognize that there are California customers, but this might be the time to implement across your data landscape. If you went that route, you would incur certain costs to manage your data the way CCPA requires, but you could leverage that investment to better understand and serve all customers. If you haven’t already, you need to set up an operational, cost-effective service for managing data for all your customers. As previously mentioned, you’d be subject to audit, and the compliance requirements are rigorous. Which brings you back to the question of whether you chose to take on the cost of managing all your customer data the same or make plans to segregate it. Some companies’ legal teams advised them not to move forward with an all-in approach so quickly. Also consider how CCPA may have changed your business model. Does your company actually need to collect personally identifiable information on your customers? Why are you collecting it? What do you plan to do with the data you collect? Use it internally? Sell it to generate revenue? It’s smart to examine what your data is being used for and if it is necessary. For companies whose business model is to heavily monetize their data, such as Facebook, these regulations may be seen as a threat to their existing business strategy. Those organizations may be understandably resistant to putting too much of their data under this kind of management at this point. Bottom line, make sure your company has thoroughly examined all the legal, regulatory, and business factors in play to come to the right decision for your business. Our Checklist: 6 steps to CCPA compliance Whatever choice you made, you needed to take a data governance-based approach to compliance. Here is a proven checklist or roadmap of six basic steps you should have completed by now to meet the requirements of CCPA and sustain compliance over time. Take a look to ensure you’ve got it covered. Update privacy notices and policies. Update data management strategy, data inventories, and business processes. Implement protocols to ensure compliance with consumer rights. Make security updates. Update third-party processor agreements. Provide training. As you embark on your journey, be mindful of the unofficial best practices that have emerged across industries to define what you need to do to effectively manage customers across industries. If personally identifiable information (PII) is a focus, your data governance and stewardship planning should include a PII roadmap to ensure that compliance will occur. Also note that Step 6 is critical, since you don’t want to throw all your time and effort out the window if your employees and suppliers don’t actually execute what you have carefully and painstakingly implemented. Organizational change management can be the crucial difference between compliance and financial penalties. How to develop your customized CCPA plan Even though you understand CCPA and GDPR and you know your end goal, you still may be concerned, despite having the checklist in hand and process underway. Fear not. While the checklist explained what will make you compliant, you now need to use a tried-and-true plan that tells you how to get there. This plan has been used successfully to help organizations achieve GDPA compliance and applies to CCPA compliance, as well. You can employ and customize it as you set up for CCPA compliance. Given the complexities of regulatory compliance, the majority of companies choose to work with someone experienced in the full lifecycle of data. If you chose this route but aren’t sure if it was the right way to go, work with a company that can help you understand how CCPA affects your business and who will walk alongside of you in evaluating your approach, performing or evaluating your implementation, and successfully managing and advising you to ensure you can sustain compliance. If you need help in this area, let’s chat. Discover and analyze. For companies early in their data journey who don’t know where to begin, a discovery process helps you understand the data and regulatory landscape and then plan for an approach to address what your compliance activities might be. Ask yourself how familiar you are with the new regulations. What must your business do in order to comply? What kind of timeline are you facing? Where do you stand on data governance and data management? Do you understand the quality and lineage of your data (where it is generated, changed, and stored)? Do you have the capability to change your data (in the case of legacy systems that captured the data years ago)? Assess and recommend. Perform an audit of your privacy and data management-related program capabilities and assess it against the key requirements of GDPR and CCPA. This will identify where you have gaps and exposure in order to create recommendations to move forward. Strategize and plan. Your success depends on bringing all relevant business, technology, and compliance stakeholders on board with a comprehensive plan. This includes existing digital, analytics, or data governance teams, to create a cross-functio