As many enterprises continue working toward General Data Protection Regulation (GDPR) compliance, they now face the California Consumer Privacy Act (CCPA), scheduled to go into effect in January 2020. The importance of the CCPA to U.S. businesses can’t be overstated. One in eight U.S. residents lives in California, and the state has the world’s fifth-largest economy – ahead of the UK. So what happens in California doesn’t stay in California. The 1970 Clean Air Act, for example, recognized California’s lead in addressing air pollution, and 13 other states, about a third of the U.S. auto market, have since followed California’s stricter rules. So given the potential for gridlock at the federal level, California’s privacy law may well become the de facto standard that other states follow in developing their own regulations.
U.S. businesses thinking about their CCPA strategy may also want to consider an important cultural shift. Consumers are far more knowledgeable about and sensitive to privacy issues today, so failing to comply with the CCPA could cause serious brand damage. This is changing the way many businesses approach privacy. Recently, premier technology journalist Kara Swisher spoke with Microsoft President Brad Smith, who has been testifying before Congress about privacy since 1986. In this conversation, Smith emphasized shifting attitudes toward protection of privacy and the importance of the California law. Apple’s Tim Cook has also said that privacy is a “crisis” and is a vocal advocate for consumer privacy. In fact, many companies are reporting that there are business benefits to approaching privacy at the strategic level.
According to an Internet Society report, most organizations are not ready for the CCPA and other existing and upcoming privacy regulations. In this post, we’ve listed some of the main questions we’re hearing from our members and gathered some great resources you can consult to find the right answers for your organization.
What’s the difference between CCPA and GDPR? For example, is personal information defined differently in each?
While the general purpose of the two regulations is quite similar, there are key differences, including the scope and territorial reach of each, definitions related to protected information, levels of specificity, and an opt-out right for sales of personal information. Legal and business experts have published excellent resources on the differences between CCPA and GDPR, including:
How can we satisfy data deletion requests?
Under the CCPA, consumers have the right to demand that a business delete the personal information it has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data. Complying with this provision remains tricky. Some of the confusion stems from the need to balance competing obligations, such as a consumer’s desire to have their data deleted vs. a legal obligation to preserve it. There are several exceptions to the need to comply with a deletion request, so a company with good information governance practices will be much further along in understanding which obligation overrides the other in a given case.
A great resource for gaining a deeper understanding of this challenge is “Forget Me Not: Business Challenges Over Rights to Erasure & Threats to AI,” which takes a deep dive into balancing AI projects and the right to erasure. Other resources include:
How will the CCPA impact consumers? How will it impact small businesses? Does the CCPA apply to employees?
Many businesses continue to keep their collective heads in the sand when it comes to the CCPA, preferring to wait for more evidence of fallout before investing in compliance. The more they know about all the possible impacts of the regulation, the less likely they are to continue with this dangerous strategy. The law is not going away, so there are things that companies can and should be doing now.
Will my GDPR efforts pay off when it comes to CCPA compliance?
If your approach to GDPR compliance was to improve your data management and governance capabilities, then the answer is a definite “yes.” The same can be true of your investment in CCPA readiness. Improving your data management and governance capabilities, including establishing a privacy governance structure and conducting privacy training, will make it far easier for you to prepare for the next major privacy law to come along.
Listen to this webinar, “Lessons Learnt from the GDPR to Help Accelerate Your Readiness for Data Privacy Regulations,” for a great discussion of common GDPR challenges, what organizations learned from them, and how you can accelerate your readiness for the CCPA and other data privacy regulations.
Next steps? Start by assessing the required effort to build your program. Have you started related initiatives, such as mapping your data? What is the risk to your organization of non-compliance? Decide what you are willing to invest to mitigate those risks. Take reasonable steps to achieve compliance. You likely won’t achieve 100 percent compliance, but you should be able to demonstrate to a regulator that you’ve designed and built your program to work toward that goal. By demonstrating a sustained effort toward building a data privacy program, you can potentially lessen the burden of penalties if a regulator finds a violation.
To learn how information governance can support data privacy compliance, including the CCPA, download the CGOC Information Governance Process Maturity Model.