CCPA: Business Threat or Opportunity?
In less than two months, the California Consumer Protection Act (CCPA) will go into effect, giving consumers in the state expansive new powers over their data. While the new law isn’t entirely nailed down, experts say it will present an opportunity for companies to either ride the rising data privacy tide, or be swamped by the new data regulation.
In many ways, CCPA is modeled after the General Data Protection Regulation (GDPR), the European Union’s data privacy law that went into effect in May 2018. Both laws are geared toward giving consumers new control over how their personal data is collected and used, backed by the threat of fines for non-compliance (4% of revenues for GDPR, $750 per incident for CCPA). And while CCPA doesn’t include the so-called “Right to be Forgotten,” it does give consumers the “Do Not Sell My Personal Information” option.
Like GDPR, CCPA restricts its sphere of influence to a specific set of people: California residents, versus EU residents for GDPR. However, just as GDPR had a global impact, CCPA also is expected to impact companies around the world, owing to California’s position as the fifth largest economy in the world. To read more about the similarities and differences of the two data laws, check out this informative article published by the Future of Privacy Forum.
“CCPA is actually evolving to be quite similar” to GDPR, says David Gorbet, senior vice president of engineering for MarkLogic, which develops a multi-model database that has been used for GDPR remediation. “When it first came out, it was pretty general…But overall it looks to me like it’s been quite heavily informed by GDPR.”
One of the most important features of CCPA is the requirement for businesses to collect the consent of users before gathering and processing personal information. The new California law also requires companies to be allow consumers’ to access, view, and take their data with them, if they like.
To comply with such requirements, companies must know where all that data is. Experts advise companies to conduct internal audits to ascertain where all their data resides and how it’s used. Data exploration tools and data catalogs are likely to be well-used tools for complying with these requirements.
In addition to internal data usage, CCPA also governs what companies can do with consumers’ data outside their four walls. The CCPA law (at least as it’s currently written) doesn’t apply to companies that have less than $25 million in annual revenue, unless their main business is buying and selling data.
This brings a new level of legal jeopardy to the data game, according to Gorbet. “There are some provisions around, if you acquire data from someone else, before you can use it, making sure that you have consent,” he tells Datanami. “Even if you don’t collect the data, you’re still on the hook for the use of that data.”
Data Rules and Regs
Complying with CCPA won’t come without costs. Lawyers will get a piece of the pie, as will the system integrators who build new systems for automating various aspects of the new law. It’s been estimate that compliance with CCPA will cost California companies $55 billion, or nearly 2% of the state’s total yearly revenue.
Companies will need to build or buy systems that can help them accomplish a range of tasks for CCPA compliance, including:
- Tracking data usage and consent across many disparate systems;
- Responding to customer requests in a timely manner, including “Do Not Sell My Information” requests;
- Complying with de-identification requirements for personal information;
- Handling a data breach, including working with auditor, regulators, insurance providers, consumers, and employees.
During the run-up to GDPR, MarkLogic moved to position its database as a data hub for gathering consents and tracking how personal data is being used within an organization, and it’s doing the same with CCPA. Several of MarkLogic’s European customers spoke about how they’re using the database for GDPR compliance during a company event held this June in Paris.
Airbus’ human resources department, for instance, is using MarkLogic to power a self-service user interface that allows employees to access information. According to Gorbet, it’s not just about automating the governance, but automating requests for new uses of the data.
“They’ve attached metadata to their employee model to understand what’s the sensitivity of each property of an employee, not alone but in combination,” he says. “If I want to request the birthdate of every Airbus employee, that may not be sensitive on its own. But if I requested it along with the customer name, that may be extremely sensitive.”
Thanks to GDPR, companies in the EU have been forced to consider the ramifications of poor data governance. Now with CCPA, companies in California and across the United States are about to get a taste of what poor data governance can mean.
Tax or Opportunity?
According to Gorbet, CCPA is presenting companies with a choice in how they think about data. They can either get on board with the data governance trend and treat data as a precious asset. Or they can continue with business as usual, and do the bare minimum to comply with the law.
“If you think about this [CCPA] as a tax, then you think about ‘Let’s do the minimum required to comply. But if you think about it as a business opportunity, you think about how can we have a closer relationship with our customer and how can we give customers capabilities that our competitors aren’t giving them?” he says.
The Wild West days of big data are numbered. Companies might be able to dodge CCPA, but the odds are good that more data regulations are coming down the pike. Numerous states are working to pass their own data regulations, and eventually there will be a federal law to unify them, according to Gorbet.
There’s no doubt that this will slow down some big data projects, particularly as it relates to machine learning (a topic we will explore in a future issue of Datanami). But there is a silver lining to this regulatory surge, it’s that companies that play by the rules will be rewarded by consumers.
Building that centralized logging system that tracks permissions and consent will give compaines better insight into their customers. “Building a view of the customer that allows you to serve the customers better simultaneously give you a much better value prop for your customer, and it also makes it easier to comply with these types of regulations,” Gorbet says.
And as far as data mobility, give it to customers because it’s the right thing to do, Gorbet says. “It’s a question of how do you want to be sticky? Do you want to be sticky because you’re the best, or do you want to be sticky because people can’t move off you when they want?” he says. “Good companies want to be sticky because they’re the best.”