The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, and enforcement started in July. As more states adopt similar laws, there are two major hurdles to get through: technology and processes. In this blog, you’ll learn more about how the CCPA came to be and what your business needs to look for when becoming compliant.
Have you ever been with a loved one in the kitchen making dinner, having a conversation about something like traveling to Grand Cayman, and shortly thereafter, you start getting ads directly related to Grand Cayman and travel?
“Universal Consciousness?” I don’t think it works like that, but it gets you thinking. How did that company get my information? What information does that company have on me? Do they share it with other organizations to send me more marketing materials? How can I get them to delete my data and leave me alone?
Here Comes the CCPA
According to Alastair Mactaggart, one of the California Consumer Privacy Act (CCPA) initiators and an unlikely privacy activist, we should be worried. He spoke to a friend who works for Google over wine and pizza and jokingly asked if he should be concerned about what Google knows about him. According to the New York Times, his friend noted that people should be worried. “If people really knew what we had on them, they would flip out,” the engineer said. Mactaggart decided he should be the person to do something about it.
After passing in the California Senate, Governor Jerry Brown signed the CCPA into law on June 28, 2018, and it became effective on January 1, 2020, with enforcement beginning in July. The act intended to provide California residents the right to:
- Know what personal information companies collect about them
- Know if companies sell or disclose their personal information and to whom
- Request not to have their personal data sold
- Have access to their personal data
- Request a business delete the personal data collected on them
- Not be discriminated against for exercising their privacy rights
The CCPA is the first single comprehensive law regulating the collection and use of personal data in the United States. California was the first state to roll out such a privacy law, and it’s even recently created a “CCPA 2.0” — the California Privacy Rights Act, which will be on ballots as Proposition 24 this fall. Eighteen other states had proposed consumer privacy bills in 2020, including New York, Illinois, Maryland and Washington, to name a few.
The law specifically applies to for-profit entities doing business in CA that collects, shares or sells CA consumers’ personal data and has gross revenues greater than $25M. However, companies such as Microsoft are complying with the law nationwide.
With other states likely progressing forward with the same type of law, no matter where your company is, you’ll likely have to keep an eye out for similar regulation, and it wouldn’t hurt to get started now.
Complying With the CCPA
So, how does your company comply with the CCPA or any similar laws that might pop up in your state? It’s not easy with all the various technology systems, data shares with vendors, joint marketing relationships, acquisitions, and more. It was a lesson we learned as we worked with a large financial services company that started talking about compliance a year in advance. They did some high-level planning but kept talking without much concrete action.
Five months before the January 1 compliance date, they brought us in to jump-start the process. We broke the project into eight separate workstreams. Then, we mapped out the current state processes, defined a desired future state and identified gaps to get to the finish line. There were two primary hurdles to get through:
To ensure your technology complies with CCPA, you must be able to find all the data you have on an individual in all your systems and be able to report it out to the requesting individual. This process can be a challenge if there are multiple, disparate systems. Finding out who you share data with may unlock a few surprises. We found it interesting that the current employees didn’t know about the data feeds the previous vendor’s management employees set up.
You need the right processes in place to handle any surprises that might happen so your company can remain compliant. To do that with our client, we had to map all the “what-if” scenarios from the request and fulfillment sides and make sure the technology side aligned with the desired future state processes.
California was the first state to enact a consumer privacy law, and many more states will soon follow. Compliance requires the organization of a cross-functional project team to address:
- IT systems databases
- Vendor relations
- Human resources
- Intake and fulfillment.
Your organization must:
- Plan well in advance.
- Give yourself sufficient time.
- Investigate where your data is stored.
- Establish intake and fulfillment processes.
- Call in an expert if you need help to comply.
While compliance can be a long road, it doesn’t have to be a difficult one as long as you are prepared to make the necessary changes. As data and privacy laws become more robust to protect consumers and companies alike, that preparation will be key to your company’s future.