Scheduled to go into effect on January 1, 2020, the California Consumer Privacy Act (CCPA) promises to be the most robust consumer data protection law the United States has ever seen.
This far-reaching, groundbreaking legislation has the potential to affect nearly every for-profit business, regardless of where it is located.
CCPA: What you need to know
Data breaches have become an all-too-frequent occurrence, and the cost of these breaches to companies and consumers continues to skyrocket. In fact, a recent study conducted by the Ponemon Institute discovered that the average cost of a data breach has increased by 12% in just the past five years. What’s even more concerning is that at $8.19 million, the average cost of a data breach in the U.S. is more than double the global average. For consumers and businesses alike, data protection and privacy laws can’t happen fast enough.
From a consumer perspective, the CCPA provides California residents with the following rights:
- To know what personal information is being collected about them
- To know whether their personal information is being sold or disclosed and to whom
- To say no to the sale of their personal information
- To access their personal information
- To receive equal service and prices, even if they exercise their right to opt out
To avoid penalties, you need to know, without a shadow of a doubt, whether you’re on the hook to comply.
Do you do business or have customers in the Golden State? If the answer to this question is yes and you meet one or more of the following, you will need to comply:
- Your annual gross revenue exceeds $25 million
- You buy, receive, sell, or share personal information of 50,000 or more consumers, households, or devices per year
- You earn more than half of your annual revenue from selling consumers’ personal information
As changes to the regulation continue to take place, it’s crucial for companies to stay on top of requirements whether they currently meet CCPA compliance guidelines or not. Take, for instance, proposed requirements that include:
- Disclosure requirements for organizations that collect personal information from more than 4 million consumers
- Acknowledging consumer requests within 10 days
- Honoring “Do Not Sell” requests within 15 days, and informing third parties that received the information within 90 days
- Obtaining consumer consent to use their personal information for a purpose not disclosed when the data was collected
Still not sure if you need to comply? As there is some debate about whom the CCPA applies to, when in doubt, compliance will always be your best option. Will you be ready?
Time is running out—or is it?
With the deadline looming, many businesses are nowhere near ready. A study conducted by Ethyca determined that only 12% of companies have achieved an “adequate state of compliance.” To meet compliance standards, nearly 38% of respondents reported that they will need another 12 months. This is further complicated by the fact that 75% still rely on manual processes. What does this mean for organizations? I spoke with three experts across various industries to get their insights.
With much uncertainty surrounding the CCPA and not enough detail, the rubber stamp of compliance that many organizations desire is impossible. “Compliance isn’t a ‘state’—companies will be riding the wave of going in and out of compliance all the time,” says Mike Vanderbilt, a cyber security expert at Baker Tilly. “It’s not a one-and-done project.” Even if companies are just beginning their CCPA compliance journey, there are many tools that they can leverage to get their data-privacy program underway.
One of the first compliance steps a company should take is to add an “opt out” policy on its website. This measure puts the organization in compliance with some CCPA mandates and sets the tone for its data-privacy program. But building the program and putting it into effect takes resources, both human and technological, that some companies may not have readily available. “Some businesses may need new technology,” says Elizabeth Gallagher, CRO at Lineate. “Depending on how clean and organized their data is, they may need to onboard developers or consultants to make it easier to comply with consumer requests.”
When it comes to technology, what will yield the best results and where should businesses start? “Companies should add automation into the equation such as case management, digital-process automation, and real-time interaction management,” says Tom Harrington, Global Industry Market Leader-Insurance at Pegasystems. “Digital-process automation should be the starting point, as it mostly takes the human element and possibility of human error out of the process.”
To ensure compliance and mitigate risks, companies need to understand the types of requests they are receiving from consumers. “Let’s say a certain request makes up 95% of the total requests,” says Harrington. “This means that technology is needed to automate the resolution of this type of data request.”
By knowing what is needed for California requests, businesses will be in a better position to respond as more states put data-privacy laws into effect. For instance, they can use the automation done for California and adjust it to meet individual state deviations. In the longer term, businesses will need to identify potential operational issues that could result in exposure, and implement technology that can help pre-empt data events.
CCPA opens the door to new opportunities
The impact of the CCPA will be widespread and will force a positive change in how businesses market and advertise their products and services. “Providing personal experiences relies on consumers ‘opting in’ to have their data collected,” says Gallagher. “By simply informing the consumer that you want to use their data to better meet their needs, businesses will initiate a positive dialog. And this is key when trying to build a positive rapport.”
With the pressure that the CCPA is putting on how data is gathered, businesses will need to think outside of the box to target consumers and provide personalized experiences. “Because of the spotlight on consumer rights, a new kind of data collection is making an entrance: zero party data,” says Gallagher. “This is when a consumer volunteers their data for a reward. For instance, a business may ask a consumer for their birthday and favorite holiday destination in exchange for loyalty points that can be redeemed for digital rewards.”
The CCPA will change the dynamics of how data is collected; over time we can expect other innovative methods of gathering data to become commonplace. However, marketing and online advertising aren’t the only areas that will benefit from the CCPA.
Organizations need to approach the CCPA as an opportunity to refresh compliance policies and take a hard look at the processes and procedures they currently have in place. Says Vanderbilt: “This is a wonderful opportunity for companies to look at what they are doing, how they are processing data, and be more transparent.” For example, when a data breach occurs, how often do vendors of an organization actually inform the company? “Businesses shouldn’t look at the CCPA as the mess in their basement that they don’t want to clean up,” he advises. “Now is the time for spring cleaning.”
The experts I spoke with agree that the CCPA is just the start of a nationwide phenomenon that will change the way data is collected, shared, and handled moving forward. By ending the data abuse that was sparked by the data explosion, organizations now have the opportunity to proactively reach out to consumers, promote their compliance, and actively show that they are treating consumer data with respect. And all of this will go a long way in promoting positive brand awareness for the companies that do it well.