The California Consumer Privacy Act (CCPA) is legislation that was passed in June 2018, on the heels of the European Union's General Data Protection Regulation (GDPR) enactment in May 2018. The original CCPA bill was passed quickly to forestall a ballot initiative, but the legislation has since been amended and it is likely to be altered further. Recent amendments in September 2018 included two key timeline adjustments, giving a bit of breathing room for companies and legislators alike:
- The bill extends by six months the deadline for the California Attorney General (AG) to draft and adopt the law’s implementing regulations, from January 1, 2020, to July 1, 2020;
- The bill extends the AG’s ability to bring enforcement actions under the CCPA until six months after publication of the implementing regulations or July 1, 2020, whichever comes first.
Regardless of the ongoing debate, it would be wise for companies to plan for the core requirements of CCPA, as the overall intention of consumer privacy and consumer data rights will remain largely unchanged. And for many organizations, adhering to these guidelines will require significant investment in data governance (DG) and master data management (MDM) capabilities. For example:
| CCPA Requirement | Related Data Governance Capabilities | Required Technical Function |
|---|---|---|
| 1. Informing the consumer what personal information of theirs is collected | Mature Customer MDM and Data Quality (DQ) | Automation of responses to consumer requests |
| 2. Informing the consumer if their personal data is to be sold or disclosed, and to whom | Traceability to third parties over time (previous 12-month reporting) | Ability to handle new third parties and notification |
| 3. Providing the consumer the right to block the sale of personal data | Opt out every 12 months | Specific web page and phone functionality |
| 4. Providing the consumer access to all of their personal data | [Similar to 1] Mature Customer MDM and DQ; automation of responses to consumer requests | Ability to gather accurate data |
| 5. Allowing consumers the ability to request deletion of their personal data | Ability to track location of PI and process for deleting / archiving | Ability to propagate deletion requests to underlying transactional systems |
| 6. Allowing the consumer to retain equal service and pricing in the event the consumer blocks the sale of their data | No specific requirement other than tracking status. There will be complexities in providing equal service when features are provided by third parties with whom the data cannot be shared (e.g. Verified by Visa, captcha) | Metrics and event tracking; reporting and analytics |
Why should I care about CCPA?
Penalties for non-compliance are significant, and potentially crippling if systemic issues exist that portend widespread violations. Penalties can include fines of up to $7,500 per violation, plus a payout to California residents of up to $750 per incident or actual damages, whichever is greater. In isolation, these penalties are negligible. But every unauthorized sale of consumer data will cost companies $750,000 per batch of 1,000 customers.
What to do now? Evaluate. Remediate. Accelerate.
CCPA doesn't go into effect until January 2020; however, we learned with GDPR that less than one year provides very little time to analyze and act. Point B recommends the following approach to be effective in this short window:
Before jumping in to address any known compliance or security gaps, it's important to get the lay of the land. Data management, security management, and business processes can be complex and can conceal issues and gaps.
First, understand what data your company possesses. "Personal Information" is broadly defined by CCPA, so you should be liberal in your definition of "personal data" and include all potential identifiers: standard personally identifiable information (PII), biometric data, geolocation data, browsing history, employment information, etc.
Second, it is critical to understand how this data is mapped across your enterprise. Where is the data stored? Where is the data passed? Who has access to the data? What data can be de-identified? The organization needs to fully understand both where the data exists and what controls apply to it.
Your evaluation will likely yield several practices that should be addressed, but given the short timeline before CCPA is enforced, it's important for organizations to take a risk-based approach to closing identified gaps.
Additionally, in all cases (especially when time is a constraint), leverage existing cybersecurity best practices instead of building your own control frameworks. We have advocated that our clients use the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) and the Center for Internet Security's Critical Security Controls (CIS CSC) as good frameworks to reference when addressing GDPR compliance issues, and those same frameworks will apply for CCPA.
The care, concern and public expectations for data privacy and protection are only growing. High-profile data breaches and controversial use of data by reputable companies have raised the profile of this issue. GDPR going live in May 2018 and CCPA being announced shortly after in June 2018 have shown us that regulators care too.
The need for organizations to be prepared for this type of governance is just starting and those who constantly operate in the "reactive" mode will eventually be overwhelmed. Once CCPA remediation is solved, organizations must set their vision forward and refine their data management strategies to be proactive for future legislation and remain compliant with CCPA and GDPR standards.
Organizations can accomplish this by finally addressing the data governance challenges that many still face today. These changes, or enhancements, are often logged into a product backlog and fixed with manual, "band-aid" type solutions, with the root causes never really being addressed. Why? Data governance is hard, and many organizations fail to deliver these initiatives. This should not be an acceptable answer; mature and scalable data management practices are required to both accelerate business goals and mitigate risk exposure.
So can organizations succeed with data governance initiatives?
Point B has developed a Data Governance QuickStart methodology to help our clients start small, set the foundation, achieve incremental success and scale over time.
Addressing a compliance initiative like CCPA could include the following remediation activities; Data Governance QuickStart can help identify and prioritize your organization's required building blocks:
- Changes to applications to handle consent (opt-in/opt-out); this may be the most complex change due to the sheer number of applications and the complex data exchange and integration landscape.
- Centralized data management platform to handle:
  - Opt-in/opt-out management: the capability to maintain customer preferences in one central place that can be used as the source to propagate to other applications.
  - Storing, maintaining and managing uniquely identified customers (golden record).
- Metadata management solution for data classification, data lineage, data definition and stewardship.
- Centralized data retention rules engine to handle data anonymization.
This may look daunting, and it is. The key is to start small with what's necessary to address immediate CCPA needs while simultaneously building the foundation to scale over time to seamlessly handle more GDPRs or CCPAs.
Get started. Take the initiative to understand CCPA and its effects in greater detail. Evaluate your organization’s position and identify valid gaps. Remediate any issues using a risk-based approach to ensure your greatest areas of exposure are addressed first. Finally, accelerate the maturity of your data management practices to become proactive in your data strategies. Feeling lost? Our team of Data Management and Cyber Security experts can help you get there.