Coming to Grips with CCPA
By now you’re aware the California Consumer Privacy Act (CCPA) has bestowed upon residents of the state certain unalienable rights regarding their personal information. While heralded as progress for consumers, these rights bring new risks to the companies that are collecting data about California residents. Since few companies are likely to give up on the data game, that means complying with CCPA has become a priority.
The CCPA imposes certain new requirements upon organizations that fall into one of three buckets: They have annual revenues of $25 million or more; they buy or sell the personal information of 50,000 or more California consumers (or devices or households); or they derive 50% or more of their revenue from selling the personally identifiable (PI) data of California residents.
CCPA gives California residents the right to receive information about the data these organizations, whether for-profit or non-profit, are collecting about them. Specifically, the law gives them the right to be informed what personal data is being collected; to know whether it is being sold; to opt out of the sale of the data; to request that the data be deleted; and to not be discriminated against for exercising their new data rights.
The law states that a report containing the information about a consumer’s PI data must be provided free of charge, and within 45 days, which means the first CCPA requests filed in early January are beginning to come due. That might sound like a lot of time. But considering the number of residents projected to submit data requests, and the wide array of applications and repositories that organizations use to store PI data, many organizations will likely struggle to deliver the information on time.
There are a few things organizations can do to prepare for the influx of CCPA data requests and survive the CCPA era. According to the law firm Jackson Lewis P.C., the first step is to assign somebody or a team to “own” the process and to respond to the requests. These folks will be responsible for responding to the CCPA requests coming in through email, websites, phone numbers, or other avenues of communication that the organization supports.
The most important step to CCPA compliance is for organizations to create clear processes and procedures that lay out all of the steps required to respond to the requests. A key element of this step, the law firm states, is to ensure that a request is valid. The CCPA requires organizations to employ “reasonable methods” to ascertain identities. Organizations should take time to instill rigor in this authentication step, as there are already several horror stories about data breaches that have occurred as a result of people impersonating others to receive their highly detailed PI data.
Jackson Lewis also recommends that the organization ensure that any data shared is sufficiently protected, and that requests for erasure are followed through. Even if the residents’ data is deleted, the law states that organizations must maintain a record of the data request for at least 24 months.
Figuring out where the data is held is the goal of the “data mapping” stage of CCPA preparation, which could be the most difficult and time-consuming stage of the CCPA remediation process. Depending on the complexity of an organization, the company may choose to use technology that can automatically find records associated with individuals across a wide range of systems (we have covered CCPA compliance solutions in these pages). Third-party service firms are also popping up to help organizations comply with CCPA requests. Alternatively, an organization can choose to handle CCPA requests manually.
Finally, organizations must train their employees to carry out the CCPA process competently. Organizations should periodically audit their CCPA compliance system to ensure that the system is working as intended, Jackson Lewis P.C. says.
Some organizations are further ahead with their data governance programs in general, and with their CCPA remediation plans in particular. According to a recent study of security leaders by Scale Venture Partners, 97% of executives say their organization has made changes in response to CCPA and the General Data Protection Regulation (GDPR), a similar law covering the private data of European Union residents that went into effect in 2018.
According to the survey from Scale Venture (which has investments in BigID), 75% of respondents “feel their company is equipped to handle data privacy compliance,” while 46% worry about getting fined for non-compliance. With fines for violating CCPA reaching up to $7,500 per consumer violation, there’s a real potential to hurt organizations in the pocketbook.
Executives are unsure exactly how best to comply with CCPA. According to the Scale Venture survey, 37% of executives cited “the need to understand which data is being collected on consumers” as a chief concern, followed by “the need to devise an easy way to comply with consumer requests,” which was cited by 35% of executives.
We’re not even two months into the CCPA era, and enforcement of the new law hasn’t yet started. July 1 is the date that most expect the California Attorney General to start ramping up enforcement, so there’s still time to enact a plan. Unfortunately, the language of the CCPA is still being hashed out, so the exact law is still up in the air a bit. Earlier this month, the California Attorney General issued updated proposed legislation. Most of the changes are minor, but they will impact certain industries, including the collections industry.
There is a cost associated with compliance, and CCPA compliance is no different. Many have argued that the side benefits of creating the sort of data governance program that goes along with CCPA compliance more than outweigh the costs. When consumers trust that a company is doing the right thing with their data, the thinking goes, they are more likely to do business with that company, or to expand their dealings with it. Conversely, companies that abuse PI data are opening themselves up to retribution from consumers.
We’re still weaning ourselves off the Wild West stage of big data, and there are organizations that will do the absolute minimum to comply with the law. What’s more, some firms are actively looking for loopholes that will allow them to violate the precepts of CCPA without facing fines. Facebook, for example, has argued that it qualifies for a CCPA exemption, and other companies are looking for a way out.
In the long run, the smart executive would likely be better off figuring out how to comply with the CCPA. Better yet, tech executives and Chief Data Officers should be working to create data governance projects in their own organizations. That way, the organizations can not only comply with CCPA, but the next data regulation too, because if one thing is certain, CCPA won’t be the last.