The California Consumer Privacy Act (CCPA) is the first major piece of United States privacy legislation, but it won’t be the last. There are already similar bills in the works in Washington, Hawaii, Massachusetts, New Mexico, Rhode Island and Maryland. Introduced on June 28, 2018, the CCPA adopts much of its framework from the European Union General Data Protection Regulation (GDPR) – although there are some subtle differences. For example, the CCPA extends its protections to households and devices, not just individuals, and includes the right to opt-out of the sale of personal information.
If there is one lesson we learned from the May 25, 2018 GDPR deadline, it is that companies did not give themselves enough time to prepare. Anecdotally, we witnessed the public-facing work to update privacy policies and implement cookie banners, but was the same attention given to the tedious (and often manual) task of preparing data inventories behind the scenes? Are companies equipped to process consumer privacy rights requests like the right to deletion?
Our research suggests a lot of companies were blindsided by how much time and money it takes to sustain compliance. With less than four months until the California Consumer Privacy Act goes into effect on January 1, 2020, this article provides actionable steps toward a sustainable compliance program.
Data point two: Implement a notification banner
Data point three: Build your data inventory
Sustained compliance is an ongoing process that requires granular visibility into dynamic business systems. It’s not uncommon for a Fortune 500 company to have more than 100 business systems that contain personal data, each operating independently. You could build your data inventory through manually conducted surveys and questionnaires, but these static lists are time-consuming, error-prone, and immediately outdated – especially without an additional process to update them when new systems come online. Companies that seek to implement a sustainable compliance program should consider solutions that integrate their business systems and streamline responses to California consumer privacy rights requests.
Data point four: Establish a workflow to respond to consumer rights requests
Responding to California consumer privacy rights requests could introduce a second tedious process if your company has not prepared by integrating its business systems. Handling these requests manually requires complex data inventories to inform multiple system owners of the data that needs to be deleted. This can become a rather expensive process, since legal counsel is frequently employed to manage these requests.
Data point five: Hard deletes aren’t easy
One potential pitfall when responding to the right to deletion is the difference between a hard delete and a soft delete. A soft delete, such as removing information from a dashboard, does not necessarily mean the data has been deleted from your processor’s systems. A hard delete will typically require an email to your processor to confirm that the data has been deleted, both by them and by their sub-processors. Again, this can become a tedious manual process when business systems have not been integrated.
Data point six: Third-party providers, all on one page
As evidenced by the complexity of managing hard deletes, it is critical to ensure that third-party service providers and partners that store protected data have also implemented a sustainable compliance model. Implement contractual obligations, such as a data privacy agreement, to ensure your partners are working toward the same standards as your company. And reconsider working with your service providers if they have not completed their associated data inventories or are unable to integrate with your business systems. The last thing you want is for your company to be penalized because of a mistake by your partners.
Coming into effect January 1, 2020, the CCPA creates many new compliance requirements for businesses. Preparing early will give companies an edge and decrease internal stress on businesses that are subject to the new law. Finding solutions that provide sustained compliance and figuring out where data currently lies internally will be keys to success. As the implementation of the GDPR made evident, companies must take action now to be ready.