[co-authors: Caitlin Murphy, Andrew Shaxted]
The California Consumer Privacy Act (CCPA) is paving the way for an era of similar laws in states across the country. Rather than trying to adapt incrementally, companies should position themselves now for general compliance.
Data equals dollars in today’s digital age, with personal information as the hot commodity. However, headline-topping cybersecurity breaches have made consumers skittish about how companies handle the data they share online. Rising demand for greater protection of personal information, and for transparency about how it is used, is driving change.
On January 1 of this year, the California Consumer Privacy Act (CCPA) became effective. Though still undergoing modifications, the CCPA is similar to Europe’s General Data Protection Regulation (GDPR). It guarantees consumers the right to “opt out” of any sale of their data, enhanced privacy notice requirements, and more.
Like the GDPR, the California law will introduce new fines for non-compliance by corporations and lawsuit parameters for state residents impacted by the illegal processing and mishandling of their data. Enforcement will go into full effect on July 1 of this year.
Organizations with any level of exposure to U.S. markets are highly likely to be impacted by the CCPA. With the fifth largest economy in the world ($2.75 trillion in annual GDP), California is a commercial powerhouse unto itself. It’s also home to tech giants Facebook and Google.
And the CCPA is just the tip of a digital iceberg migrating across the U.S. As the California regulations gain traction, many other states are expected to follow suit and draft their own data privacy laws. As of the publication of this article, five states (New York, Nevada, Maine, Massachusetts and New Jersey) are considering CCPA-like regulations.
Waiting for the laws to take effect and then revamping internal practices in response is a futile use of time and resources. Far better is to prepare for the coming wave of regulations by being in the best position to pivot to compliance as needed. The following five steps are a general guide to preparedness.
Establish a robust understanding of where your company’s data is located. Prepare a clear map of location and method for storing personal data (across digital and hard copies), noting how long the data has been there, how it’s been used in the past, and whether it was shared with other parties.
Look across all aspects of the enterprise — how will new compliance obligations like those in the CCPA impact products, services, business processes, internal systems, third-party relations, etc.? By ensuring compliance with the new obligations, businesses can be proactive when it comes to adapting to future regulations in other states.
It’s crucial that companies keep pace with the latest privacy updates. This is where they should work with counsel and privacy experts to draft compliance notices that accomplish three things:
i.) Provide a description of consumer rights under the law
ii.) List the third parties to whom the business sells personal information
iii.) Categorize the third parties to whom the business has disclosed personal information
Make note of the deadlines for privacy notices. They may be staggered depending on whether they’re geared towards consumers or employees.
Knowing how data moves through the organization is essential — so is knowing how to shut off that valve. For instance, businesses should provide clear, easy-to-read consent requests as well as a “Do Not Sell My Personal Information” link on their website homepage. Implement a process for handling “Do Not Sell” requests that is easy for the consumer to navigate. That way, both the consumer and company know exactly where the flow of data stops.
At the same time, companies should review vendor contracts to ensure that the sale and use of personal information abide by the new laws. This will grant companies better visibility into the flow of a consumer’s personal information and enable them to respond to data rights requests in a timely manner.
How and when a company responds to a data rights request is key. While this will require a substantial amount of effort, it can actually run quite smoothly if companies provide the consumer with tools that make it easier for all parties. One way to do this is by providing a toll-free telephone number or email address where individuals can submit data access requests or privacy complaints.
By developing a workflow that efficiently fields requests within the designated timeframe, companies can effectively manage the different streams of requests without getting overwhelmed.
A smooth implementation inevitably depends on the allocation of resources and budget. Companies must ensure their efforts aren’t just implemented, but preserved and sustained.
Taking time to calculate sufficient budget and resourcing, then committing to the spend, will help keep privacy programs accountable to the goals they set. It takes time, material and experienced people to effect data privacy, but the results will ultimately outweigh the initial investment.