The California Consumer Privacy Act (CCPA) requires data identification beyond the scope of traditional personally identifiable information. Now, you must pay attention to IP addresses, geolocation and biometric data, website cookies, and more.
If you have any customers in the state of California (even if your business is not in the state), you’re affected. And the go-live date for compliance is January 1st, 2020.
Overview of the CCPA
Consumer’s rights have been greatly expanded:
- Consumers have the right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed.
- Consumers have the right to request businesses to delete all the personal information that the business has collected about them.
- Consumers have the right to prevent businesses from selling or disclosing their personal data.
- Consumers have the right to hold businesses responsible for security breaches of consumers’ personal data even if consumers cannot prove injury.
- Consumers have the right to equal service and price, whether, or not they choose to exercise their privacy rights.
Companies seeking compliance with the CCPA are in for a challenge and massive financial risk. Not worried about fines for non-compliance? You shouldn’t be. The costs associated with failing to meet guidelines will be nothing compared to the hidden cost of simply responding to consumer requests.
Meet Subject Rights Requests (SRRs)
This is what it’s called when a consumer wants to know what information you have stored. With 45 days to respond to an SRR, it shouldn’t be too bad, right?
Here’s where things can get tricky. There’s a growing trend, cryptoparties – where privacy advocates join together as a sort of consortium. This enables people to easily make privacy-related requests which are submitted on their behalf. So now, we can’t assume the average consumer isn’t going to go through the hoops to manage their data.
There’s even a growing trend for consumers becoming entirely anonymous online – but that’s a topic for another time.
Real-World Scenario: 18 Million SRRs in One Year
When Microsoft launched its privacy self-service portal in response to the EU General Data Protection Regulation (GDPR), they received 18 million requests in under 12 months. And of these requests, over 6 million of them came from the U.S. alone. With GDPR in effect as of May 2018, many consumers are becoming increasingly aware of their privacy rights.
The CCPA will find an eager and educated audience ready to take advantage of their rights.
How Much Does an SRR Cost?
$1,406, says research firm Gartner, Inc. According to a multicountry online survey, organizations are spending (on average) a full working-week to respond to a single request.
Why so much? The answer is easy. Not only do consumers have the right to simply know what information you have stored, they have the right to control how you use it, and to edit (delete) it.
So, an SRR requires not only discovering the data you have spread across various systems, but also in communicating with consumers and meeting their individual demands.
And with data spread across the enterprise in multiple software applications, repositories, and content management systems, you need more than just data discovery and security tools.
How to Become CCPA Compliant
Unfortunately, there’s nothing you can buy to become compliant. Now, there are tools you will certainly need, but CCPA compliance requires best practices, training, and workflows all functioning in harmony.
At a minimum, you’ll need to:
- Automate and fulfill consumer data access and edit requests
- Continuously monitor and track consumer data
- Automate personal information data-linking
- Enable opt-out mechanisms
- Monitor and track consumer consent
- Assess your CCPA readiness
- Assess third party’s readiness
- Map all data flows
Where to Start?
The best way to start is to test your current capability to handle an SRR. Take a random sample of customers, and measure how long it takes to respond to various potential requests regarding their data.
Remember, the goal isn’t discovering if you’re CCPA compliant, but how long it takes you to be compliant. You’ll find all the records, but how painful is the process?
After you have completed the test SRRs, consider how many you could perform within a target response period, how much time it takes, and ultimately – how much it will cost.
And just as important, assess your existing technology and processes for creating a self-service response model (unless a manual approach will work for your organization).
The next steps all depend on your objectives for improving the process.