Beer + Data = CCPA Compliance for New Belgium
When the California Consumer Privacy Act was approved by voters in November 2018, it didn’t just impact companies in the Golden State; it impacted any company doing business with California residents. That includes New Belgium Brewery, which built an automated solution to comply with the data privacy law.
According to Tye Eyden, a New Belgium IT business analyst, the company began working on its compliance project in the middle of 2019 to prepare for CCPA becoming law on January 1, 2020. While the law wasn’t enforced until July 1, 2020, the company, which brews beer in Fort Collins, Colo., and Asheville, N.C., didn’t want to take any chances.
“We like to be ahead of the game as much as possible,” Eyden says. “Sometimes the simplest solution is not the best solution.”
The company faced uncertainty regarding the volume of CCPA requests it would face. Under CCPA, companies must make it easy for customers to opt out of data collection, and to demand that companies do not sell their information.
“The challenge was that we did not know if we would have one request or thousands every day, week, or month,” Eyden says. “The business might think we could just get away with using email and handling all the requests manually.”
The possibility that other states would follow California with data privacy laws of their own also factored into New Belgium’s decision-making. “We also thought more states might start implementing similar acts,” Eyden tells Datanami via email. “I wanted to be prepared from all perspectives, just in case.”
On Tuesday, the governor of Virginia signed the Consumer Data Protection Act (CDPA) into law. The New York Privacy Act, which was introduced in January, is expected to be voted on in that state’s legislature. (New York in 2019 passed the SHIELD Act, but the new law would go further.)
New Belgium’s IT department and legal team worked together to come up with a solution. It turned out that a previous investment in workflow automation software from Nintex could be leveraged for the new CCPA project.
“Once we knew enough about CCPA requirements, we started to explore possible solutions,” Eyden says. “Thankfully, I was part of this team and knew we could leverage Nintex.”
New Belgium’s CCPA compliance project touches multiple departments, including marketing, sales, environment health and risk, HR, and corporate sustainability. According to Nintex, New Belgium’s CCPA process kicks off when a California resident asks what data the company holds about them. That information is collected in a Nintex form running in the cloud.
Here’s what happens next in the CCPA remediation workflow, per the writeup on Nintex’s website:
“Once submitted, the data is stored in SharePoint Online and a workflow routes the request to each department. Each department identifies the consumer’s information in their database and forwards their responses. The consumer is then sent an email that lists the stored information and gives them the option to request its deletion. Once they reply, the workflow routes their request back for each department to take the appropriate action and once completed, a confirmation email is sent. All these steps are captured by Nintex, stored in SharePoint, and are immediately available in case of audit.”
The solution helps protect New Belgium against fines ranging from $2,500 to $7,500 per data violation. What’s more, thanks to California voters in November 2020 approving a new law called the California Privacy Rights Act (CPRA) to replace the CCPA, companies like New Belgium no longer have the option to “cure” the violation.
That means those fines are more or less locked in, according to Camden Hillas, Nintex’s associate general counsel. “Companies have to get it right the first time or be subject to a civil penalty,” she says.
There are other distinctions between the CPRA and the CCPA that impact companies like New Belgium, Hillas explains. For one, the CPRA “expanded consumers’ rights to opt out beyond the CCPA’s right to opt out of selling and/or disclosing of personal information to encompass the right to opt out of automated decision-making technology, including ‘profiling’ and the sharing of information used for cross-context behavioral advertising,” she explains.
The CPRA also adds the right for consumers to receive a correction for erroneous data, as well as the right to receive a confirmation that the change was made. In any event, both the CCPA and the CPRA (which replaces the CCPA when it goes into effect on January 1, 2023) require all of these data management activities to be easy for consumers to access and to be fully audited. That’s why process automation is such a powerful thing, Hillas says.
“In order to have a repeatable, easily accessible, auditable process, companies must leverage automation technology to help map out a process and to automate that process,” she says. “Otherwise, the burden on existing staff will be significant, and the risk of human error is high.”
The net effect for New Belgium is that it can concentrate more on what it does best: brewing really, really good beer.