CCPA is fast approaching. As of this writing, organizations have less than three months to prepare for the new data privacy law. A section that is of most interest to consumers is Section 2 (i), which reads:
Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
The law is pretty clear: Californians have the right to know how their personal information is gathered and used, and they have a right to dictate how organizations use their personal data. But how well are organizations preparing to provide Californians full coverage under the law?
Not well at all, actually. The Internet Society’s Online Trust Alliance (OTA) came out with a report that revealed the majority of organizations aren’t prepared to meet CCPA, as well as other privacy laws. For example, the study found that while privacy laws include language about data sharing, less than one percent of organizations have addressed third-party data sharing and none of the companies had any language regarding users being notified if their information was sold or shared. Organizations do a little better when it comes to relating why data is collected, with almost all companies providing language for explanation, but organizations do a poor job in providing customer access for user data. As the report stated, while companies may be lax on this access because there are currently no U.S. laws requiring a high standard of user access, “this will change, however, when the CCPA data access request goes into effect in 2020. Even U.S. companies will have to be much more transparent about user access to their data if they do business in California.”
How to Approach Section 2 (i)
One key point to highlight is the challenge that organizations will have in meeting the Request for Disclosure within the 45-day window, explained Robert Cruz, Senior Director of Information Governance at Smarsh, a Portland, Oregon-based provider of cloud-based information archiving solutions. This objective was a stumbling block for many companies when they were addressing GDPR Right of Access requests, so Cruz expects organizations to struggle with it under CCPA.
This challenge stems from several different areas, according to Cruz: 1) many firms continuing to rely on outdated, poorly performing data extraction systems; 2) the large volume of content that could potentially be requested, reaching back to 12 months prior to the request; and 3) the growing heterogeneity of content from new sources including text messages, social media, collaborative networks, and ephemeral sources.
“Searching multiple locations for data – more of which is outside of IT control – will be a major effort for firms that do not have a centralized system for extracting or deleting data and those who are not actively archiving client communications,” he said.
The second key point is the incorrect conclusion that some may come to regarding the relatively light penalties against violators ($100-$750 min/max damages) in contrast to the large fines of the GDPR.
“What firms should consider is that violators can also be exposed to civil litigation, as well as fines imposed by the FTC,” said Cruz. In the case of GDPR, the FTC has been quite active, reaching settlements against Facebook for $5B, $700M with Equifax, and $22M against Google. And this doesn’t include the costs surrounding reputational damage to firms that are found to be lacking in how they are managing and protecting personal data.
“Borrowing a concept from GDPR, firms that have implemented proactive steps to dealing with data privacy by design and default will be separated from those that haven’t, which will translate into customer churn and ultimately impact revenue,” Cruz added. “Inspection of systems and processes must extend not just to internally managed data, but also to a firm’s growing network of cloud service providers.”
How to Best Protect Customer Data for CCPA
As businesses prepare for CCPA enforcement, they will need to understand how to protect customer data while also continuing employee education about data ownership and protection.
Employees also need to understand what CCPA compliance is and how to address the handling of customer data. The more regulated this data becomes, the greater the need for businesses to learn about and put in place, provisions to adhere to these regulations. “Businesses will need to be ready to respond to customer requests such as requesting a copy of the information being kept about them, or asking that all information about them be removed,” said Heather Paunet, Vice President of Product Management at Untangle.
Finally, businesses will also need an effective communication strategy to outline when customer information may be sold or disclosed for business-related purposes. “Transparency in data collection will be a foundational pillar for businesses looking to maintain a trusting relationship with their customers,” she added.
Time is running out to be ready for January 1 and CCPA. But it’s not too late to prepare. With the right technology solution businesses can simplify the confusion and complexity of regulations and ensure their sustained compliance.