Just a couple of months have passed since the new year and we’ve already begun to see companies, such as Lyft, fail to disclose what data they’re collecting on their customers–resulting in noncompliance with the California Consumer Privacy Act (CCPA) that went effect on January 1.
The new state law comes hot on the heels of similar consumer data regulations in Europe, implemented in 2018 via the General Data Protection Regulation (GDPR), and additional regulations are sure to be levied this year in 2020. While true CCPA enforcement does not go into effect for a few more months, how can we expect other companies–especially smaller enterprises–to be regulation-compliant when more than $144 million in GDPR fines have been dished out and European companies had 3x times the amount of time to prepare?
Understanding CCPA and Consumer Data Regulations
The modern consumer data regulation trend was kicked off by the EU’s GDPR that went into effect in May 2018. Soon after GDPR’s implementation, the CCPA was signed into law in June 2018. Data protection and data governance laws are additive, so old standards like Sarbanes-Oxley and PCI DSS also still apply for most organizations in addition to CCPA.
Similar to GDPR, CCPA expands personal data protection for today’s increasingly connected world, including the right to be forgotten, a right to portability, and a right to access to data. What exactly does all that mean?
Right to Be Forgotten
Also referred to as the “right to erasure” or “right to deletion,” the right’s origins date back to before even GDPR. Essentially, the right to be forgotten grants individual consumers the right to request that any of their personal information that was collected or stored by a particular organization be deleted. Not only that, but organizations affected by CCPA must notify their customers and consumers of this newly enforced right in a “form that is reasonably accessible.”
Due to the vast amount of consumer data that is widely collected by many California-based enterprises and may be scattered across dozens of applications and databases, the “right to be forgotten” aspect of CCPA compliance will be particularly difficult to achieve for many enterprises. In addition, with fines of up to $7,500 per consumer record, the total cost of non-compliance adds up very quickly when hundreds or even thousands of consumers’ data has been collected.
Right to Portability
Put simply, this grants consumers the right to take their personal data that an organization has collected and moved it to another service, database or organization. This not only helps consumers to better understand where their data is being stored but also promotes competition within the industry by granting smaller, newer companies – who may ultimately have a better product or service than their larger, more established counterparts – access to consumer data that they otherwise would not be able to take advantage of.
Say a new streaming service with a far superior platform to Netflix comes along and users are flocking to subscribe to this new streaming service. The users can request that their personal data, collected by Netflix, be transferred to this new service provider – allowing the new streaming service to access and act on years of their users’ personal data. Effectively meaning that Netflix can’t hoard user data, which is ultimately owned by the user – not the company, as a means of disadvantaging superior service providers.
Many organizations are complying with this aspect of CCPA by offering users the opportunity to download their personal data in a machine-readable format.
Right to Access
The right to access data allows consumers to submit an access request for their personal data to find out exactly what information is being stored and used by an organization. Not only is the organization obligated to collect and present all the user’s personal data, but also to identify any third-party organizations that have bought or accessed the data.
Complying with CCPA
Even some of the world’s largest companies–including Google, Vodafone, Raiffeisen Bank, and many others – are still struggling to maintain GDPR compliance nearly two years after the regulation’s implementation. We can expect much the same from CCPA given the expanded rights of the consumer-outlined in the California mandate. That said, organizations will have a much easier time complying with CCPA if they heed the advice below.
Due to the nature of CCPA, regulation compliance involves consideration and manipulation of a host of internal and external contributing factors.
In order to comply with CCPA, corporate data governance and internal standards must be outlined and up to par with the regulation’s mandates. Unfortunately, weaknesses in corporate data governance, leading to breaches or lawsuits, are constantly in the news. Many organizations are also shifting their databases to embrace the cloud or hybrid-cloud systems, which typically come with additional compliance requirements (such as SSAE18, ISO27001, etc.) that include data governance standards – so, the business’ database strategy itself is a factor.
That said, the biggest internal challenge when it comes to CCPA compliance is to create a data-driven culture by shifting the emotional center of gravity of an organization – its mission and purpose – from “whatever it is we traditionally think we do” to “the data about what we think we do and for whom we do it”. The next step is to drive a data-centric protocol to create a culture that protects consumer data like gold.
In order to create a data-driven culture within an organization, each department must take ownership of the consumer data they collect and analyze then organize and safely store that data in a way that makes it easily accessible by the IT or data team responsible for handling actionable consumer requests for their personal information.
There are several related and overlapping concepts that apply to consumer data regulations: data protection, data governance, data encryption, data security, data integration, data classification.
Much of the external regulatory framework is specific to data classification—personally identifiable information (PII), protected health information (PHI) and so on. Yet the data itself is becoming less and less structured (compare social media feeds with database extracts, for example).
As a result, the biggest challenge from outside of an organization is classifying data as it is collected and cleaned. AI/ML tools are sure to be part of the solution when it comes to classifying massive amounts of collected data.
What to Expect From Future State Data Regulations and How to Prepare
In addition to CCPA, we can expect a host of other regulations to likely come down the track in 2020 and beyond.
Unless there is a consistency of approach between states, it will become more and more difficult for companies to comply with all the different policies out there. There is a careful balance to be struct between protecting the privacy of individuals and making it impossible to do business, and state data regulations should not be so strict that they interfere with previously mandated standards.
The CCPA appears to have achieved this balance, and the California state legislature is regularly amending and updating requirements to meet the needs of both consumers and businesses. For example, information that is required to comply with other legal obligations or applicable laws are not subject to the “right to be forgotten” aspect of CCPA.
GDPR already raised the bar on data privacy standards, increasing emphasis on respecting individual rights by giving back control of personal and sensitive information, and enforcing heavy financial penalties for businesses that fail to do so. Future state regulations will inevitably set a higher bar – CCPA, for example, gives Californians unprecedented access to their data, while still making it possible for for-profit companies to collect and sell consumer data within established guidelines.
Many organizations have spent a lot of time and effort figuring out how regulations like CCPA and GDPR impact them and putting in place the right systems and controls to ensure compliance. Any future regulations that are to go into effect will likely have a buffer/compliance period of around one year, but that doesn’t mean that organizations shouldn’t begin preparing for potential regulations as soon as possible – even before new regulations are announced.
Now is the time for organizations and businesses, regardless of location or state of incorporation, to begin establishing the frameworks and protocols that will aid in data regulation compliance. A simple method of understanding the flows of data into and out of any organization is to embrace an “ecosystem integration” strategy by implementing a platform that facilitates the monitoring and control of data transitions and messaging between various applications and partners within an organization’s ecosystem.
Once an organization understands the internal and external flows of its consumers’ data it can better grasp what must be done to comply with various data regulations and even offer itself as a resource to governments and regulatory agencies that are in the process of drafting their own data regulations. By collaborating with regulators, organizations can help to create mandates that will not only serve consumers’ best interests but also avoid preventing businesses from using consumer data in an ethical manner.
Read more: Let’s Test Your CCPA Preparedness!