By Daniel Wu.
The California Consumer Privacy Act of 2018 (CCPA) will take effect on January 1, 2020, and much like the European Union’s (EU’s) General Data Protection Regulation (GDPR) scramble earlier this year, organizations have a lot to do in preparation – or risk paying the price.
For each data breach under the CCPA, an eligible customer can demand up to $750. For each violation of a CCPA provision, an eligible customer in a class action can obtain up to $7,500 if the CA Attorney General declines to prosecute and the business does not address its violations within 30 days. Imagine you’re a company with 1,000 customers and your customers sue you for data security breaches totaling $750,000. The following week, your organization would face a class action lawsuit for privacy violations totaling $7,500,000.
For some companies that are small enough or do not deal with CA residents, the CCPA may not apply. But for the more than half a million companies that will be affected, it’s time to get serious about compliance, and that’s easier said than done. If Capgemini’s recent GDPR Readiness Report is any indication, most companies will fall into the 85 percent that did not fully meet the GDPR’s compliance requirements on time.
Customers care about data protection too. According to a recent RSA survey, 69 percent of respondents said they would boycott a company with poor data protection. In fact, research from Harvard found that after a data breach, companies with poor data protection practices suffered a 1.5x larger drop in stock price than firms with better practices. Safeguarding your consumers’ trust through responsible data practices should be a business imperative.
While organizations can build on their GDPR efforts to be in accordance with new CCPA rules, meeting GDPR laws alone does not mean an organization is CCPA compliant. For organizations just getting started, this article will explore the key aspects of the CCPA laws and the tools companies can use to prepare.
Broader Definition of Personal Information
One of the key differences between GDPR and CCPA is that CCPA has a broader definition of personal data, linking the definition to data that could identify not only consumers, but also households. As a result, IP addresses and cookies could be personal data, as well as profiles of people from combinations of personal and non-personal data.
When new regulations like CCPA come into existence, ensuring compliance across various datasets becomes a multi-year effort across legal and IT departments. Think: endless meetings between governance and technical personnel and thousands or millions of dollars of IT spend. Existing database policies are written in complex code and require a slew of data technicians to implement. For each database, technicians have to tag data as personal data, for instance. Imagine having to propagate these changes across multiple datasets and databases throughout your entire company.
Rather than having to write code to filter or mask data to protect personal information (PI), plain-English options such as a policy engine can help non-technical employees, such as lawyers or compliance officers, govern data easily. So, instead of writing Python code, your data governors, for instance, can tag data – like IP addresses – as personal data. For example, they can choose easy-to-understand drop-down options that allow them to mask data columns involving personal details that are not relevant to them. Tools like this increase your company’s ability to navigate data regulations quickly, saving time and money.
Furthermore, global policies on unified data layers can help companies enforce policies across all their data easily. Data unification creates a virtual data layer for all data, so data users or governors only have to log onto and create policies on the data layer. No longer do they have to waste time going into each database manually. These tools propagate policies across all your databases that match certain rules. As a result, your technicians no longer have to waste time programming each dataset.
CCPA Consumer Rights
Much like GDPR, the CCPA provides key rights to CA consumers to access, erase and opt-out of data collection and processing. Below are some of the specifics under the new regulations:
- The Right to Information and Access: Companies must proactively disclose access rights, the categories of PI and their purposes (consumers must be notified if companies diverge from those purposes), and the categories of third-party buyers for the prior 12 months. Consumers can also request this data for the preceding 12 months. This must include communication channels for these requests, including a toll-free number and online form.
- The Right to Portability: This enables businesses to receive PI that is structured and machine-readable to transmit to other companies.
- The Right to Erasure: Businesses must delete PI once they receive the request to do so, unless the data falls under one of an assortment of conditions, such as data security, error repair and compliance.
- The Right to Opt-Out of Processing: Consumers can opt out of the sale or processing of PI. In their privacy policies and homepages, businesses must disclose the right to opt out and provide communication channels such as an online form and toll-free number, specifically stating “Do not sell my personal information.”
- The Right to Equal Service: Consumers who exercise their privacy rights will get the same level of service and prices as those that do not, unless the difference is reasonably related to the value provided by the PI. Companies can also offer financial incentives to consumers for the sale and collection of their PI.
- Minors: Businesses that sell the data of CA residents under 16 years of age must get affirmative consent.
Unfortunately, it’s often challenging for businesses to meet these customer requests for data. Due to hundreds and sometimes thousands of different databases, organizations often don’t have a single view of their customers, especially because different departments are collecting customer data separately. Further compounding delays in meeting data subject requests is the manual process it takes to access each database. As it relates to CCPA, if you can’t easily access all customer data, you may not even be sure you’re giving customers all of their relevant data or know which customers are CA residents or minors – let alone meet the 45-day deadline to return data requests.
Data unification is vital to helping companies obtain all existing customer data easily. By using queries of names and emails, for instance, companies can find and join all relevant datasets for governors to review before giving customers access to the data or deleting it. They no longer have to reinvent the wheel to discover which databases have relevant customer information.
Controlling Access to Third-Parties and Other Users
Businesses that sell PI to third parties must enter into written agreements with those parties, promising to only use the data for the purpose of the contract. A third party that seeks to resell PI must give the original consumer explicit notice and an opportunity to opt out of that resale.
Since different databases have varying policies around who can access this data, it’s highly possible that users and third parties are violating the resale or purpose restrictions of those databases, as Cambridge Analytica did. Manual systems based on Excel or paper policies make it difficult to document and audit data user behavior, exposing your business to additional risk.
To help mitigate these risks, the aforementioned policy engine can help ensure that only authorized users access the correct data. Based on a user’s attributes, such as their department or office location, data personalization capabilities ensure only the right users get access to the right data. With regard to the CCPA, policy rules can ensure the right third parties only access data that consumers consented to share. Additionally, purpose-based restrictions, as the name implies, restrict data access based on purposes, which can further assist with transparency and accountability, especially when dealing with highly sensitive data.
Another solution is to look at data on a single layer – with insight into all queries and data – enabling companies to document and monitor high-risk activity. This eliminates the need for data governors to pore through uncustomized database logs created for debugging across multiple databases, allowing them to stay on top of high-risk data processing activities. By accessing and processing data on the data layer, local copies can become a thing of the past. Self-service tools — like Tableau or Looker — allow data users to immediately query data and analyze it directly on the virtual data layer, posing fewer security and legal risks. With tight control over data access, data has clear provenance, and governors won’t worry whether local datasets adhere to their original security, purge and audit requirements.
While the prospect of lawsuits related to new data policies and laws can be daunting for enterprises, the silver lining of data regulations like the CCPA is that they force enterprises to take responsibility for how they access and use data – ensuring data is used ethically and with consumer consent. Although complying with new regulations is no easy feat, data governance tools and policies can help usher in a new wave of accurate, accessible and more secure data processing. Use these laws and tools as an opportunity to solidify your consumers’ trust and ensure your big data programs become assets, not liabilities.
Note: this is a broad overview of a consumer’s key privacy rights and not legal advice; work with your internal counsel to patch gaps between the GDPR and CCPA as needed.