California voters had enough of seeing their data carelessly handled in a string of high-profile breaches. They spoke loudly, and in 2018 lawmakers passed the California Consumer Privacy Act (CCPA), a data privacy law based on Europe’s General Data Protection Regulation (GDPR) with stiff per-person/per-violation penalties.
The CCPA is set to go into effect on January 1, 2020, and applies to approximately 500,000 companies doing business with residents in the state of California, regardless of where the companies are located.
The law compels companies to carefully govern the handling of personal information such as name, address, locations, Social Security number, financials or a broad range of information that can reasonably be associated with an individual.
It gives users the right to know what information is being collected, the right to request the deletion of their information, and the right to opt out of services and prevent the selling of their information. Under the law, companies are subject to fines of up to $7,500 for each violation and are subject to potential class-action lawsuits by private citizens.
Internet giants should be deeply concerned about the law because, as TechCrunch points out, it places them under the microscope for collecting “an increasingly alarming amount of data on their users.” This alone has given lawmakers plenty of reasons to introduce protections.
In response, big tech companies, among others, are currently lobbying to change the law or have a federal law supersede it. But it’s not only these tech giants that must abide by the law. Every business, from insurance companies to fitness centers, must abide by the CCPA if they have customers in California, and many of them will gladly do what’s necessary to protect their customers.
CCPA follows in the spirit of GDPR, which went into effect in May 2018 and not only applies to any business that operates in the European Union, but also any company outside of the EU that offers goods or services to customers or businesses in the EU. Similar to CCPA, GDPR seeks to make sure companies inform their users on how their personal information is used and grants them the right to opt out of services and the right to be forgotten.
The law also seeks to ensure that information is gathered in a legal manner and protected from misuse. This extends to personal data exposed in leaks or stolen in breaches by malicious actors: in those circumstances, companies must directly inform the affected individuals within 72 hours of learning about the breach.
Whether companies like it or not, keeping users’ information safe and accessible is no longer a nice-to-have feature; it’s a cost of doing business. Companies that don’t comply with these laws not only risk government fines and lawsuits, but damage to their reputations, as well.
Why Companies Are Unprepared To Deal With Privacy
Unfortunately, most of the industry relies on manual methods that are costly, error-prone and inefficient. They’re a drain on employee time and aren’t even guaranteed to work because of how user data is often siloed across myriad departments. Such solutions are typically based on manual surveys, manual data mapping and assessments that reflect snapshots in time of people’s opinions about data. Often, such surveys do not reflect the reality of the ever-changing data landscape inside a company.
For most businesses, a likely scenario would play out like this: An internet consumer requests that a company delete their data. Employees at the company send emails about the request, creating a long trail of records. Multiple departments, from legal to IT, get involved, and data about this individual is manually sought out and marked for deletion or sharing.
Under this system, each request would create time-consuming tasks, and companies would have no guarantee that all of an individual’s data had actually been found and removed. This is an outdated practice that is no match for the new requirements.
Preparing For The CCPA
In general, organizations need to achieve the following in preparing for the CCPA:
• Understand your data.
• Implement compliance mechanisms.
• Honor consumer rights.
In order to efficiently achieve these goals, organizations are exploring new approaches to operationalize privacy compliance that leverage granular data intelligence and automated orchestration.
Much as DevOps has revolutionized the way software is developed, cutting annual development cycles to a matter of weeks, PrivacyOps promises similar innovation for privacy compliance.
This new approach harnesses machine learning and automated bots to greatly reduce the labor and effort required to identify all of the personal data in an organization’s systems — and its partners’ systems — and map each item back to an individual identity. By crawling data stores from marketing, sales, IT and other departments in real time, organizations always have accurate information available to quickly respond to compliance requests.
Implementing Compliance Mechanisms
Organizations are also looking for solutions that provide secure collaboration and automation of compliance requirements, such as data subject requests, third-party assessments, consent management and breach notifications. Ad hoc emails between multiple stakeholders in various organizational silos are not only inefficient, but can also exacerbate the problem of personal data sprawl.
Honoring Consumer Rights
With the CCPA, consumers have the right to access their personal information held by companies and have that information deleted or restrict how that data is used. Processing these requests in a timely manner is critical to adhering to the legal requirements as well as reducing overall costs. Organizations are therefore looking for ways to automate these workflows leveraging real-time data intelligence.
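As an added illustration of the crawl-and-map approach described under PrivacyOps and of the access and deletion requests discussed above (example code written for this page, not from the article or any vendor product): three constructed department stores with different schemas are crawled, every e-mail address is normalized into an identity index, and an access or deletion request is fulfilled and then re-verified by a second crawl. All store contents, field names and addresses are constructed sample data.

```python
import copy
import re
from collections import defaultdict

# Constructed sample stores with the kind of schema drift seen across departments.
SAMPLE = {
    "marketing": [
        {"id": 1, "email": "Ana.Lopez@example.com", "segment": "newsletter"},
        {"id": 2, "email": "bob@example.org", "segment": "webinar"},
    ],
    "sales": [
        {"deal": "D-17", "contact_email": "ana.lopez@example.com", "value": 1200},
    ],
    "it_logs": [  # free-text log lines, constructed
        "2019-11-02 login ok user=ana.lopez@example.com ip=203.0.113.5",
        "2019-11-02 login fail user=carol@example.net",
    ],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def sample_stores():
    """Fresh, mutable copy of the constructed stores."""
    return copy.deepcopy(SAMPLE)

def identities_in(record):
    """Normalized e-mail identities found anywhere in a record (dict or log line)."""
    text = record if isinstance(record, str) else " ".join(str(v) for v in record.values())
    return {m.lower() for m in EMAIL_RE.findall(text)}

def build_index(stores):
    """Crawl every store and map each identity to the (store, position) pairs holding it."""
    index = defaultdict(list)
    for name, records in stores.items():
        for pos, rec in enumerate(records):
            for ident in identities_in(rec):
                index[ident].append((name, pos))
    return index

def access_request(stores, email):
    """Right to know: collect every record tied to the identity, grouped by store."""
    found = defaultdict(list)
    for name, pos in build_index(stores).get(email.lower(), []):
        found[name].append(stores[name][pos])
    return dict(found)

def deletion_request(stores, email):
    """Right to delete: drop matching records in place, then re-crawl to prove none remain."""
    ident, removed = email.lower(), 0
    for records in stores.values():
        kept = [r for r in records if ident not in identities_in(r)]
        removed += len(records) - len(kept)
        records[:] = kept
    return {"removed": removed, "verified": not build_index(stores).get(ident)}
```

The `verified` flag is the point the article makes about manual processes: a request is only closed when a second crawl finds nothing, not when the emails stop.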
By rethinking privacy compliance, organizations can better prepare for this new wave of regulations, such as the CCPA. While this approach offers companies relief from the burden of meeting government-mandated consumer protections and from the risk of fines, it also protects their reputations and builds trust and loyalty among their customers.