CCPA: The 800-Pound Regulatory Gorilla

By David Stills

Ready or not, the California Consumer Privacy Act (CCPA), the hulking silverback of 800-pound gorillas, goes into effect January 1, 2020.

How is CCPA like an 800-pound gorilla? The old joke asks, “Where does an 800-pound gorilla sit?” The answer is “Anywhere it wants to.” While CCPA was legislated to protect the data of California residents, data has no boundaries; therefore, CCPA sits where it wants, affecting businesses in other states. Just as an 800-pound gorilla has no natural enemies or predators, the CCPA represents the current dominant force for setting a new national data security and privacy policy in the United States.

As many have pointed out, CCPA shares much of the DNA contained in the European Union’s (EU) General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. The shared elements include the right to be forgotten, the right of portability, and the right of access to data. These new laws and regulations show their teeth by affecting businesses whether or not they reside in California (or the EU, in the case of the GDPR). This regulatory beast will catch half of U.S. businesses off-guard because they will not be compliant by the deadline, according to a PricewaterhouseCoopers (PwC) survey.

What Businesses Are Affected?

The law affects any business with at least $25 million in annual revenue that buys, sells, or trades the personal information of California residents. In addition, any business that gathers the data of at least 50,000 consumers, or that earns more than half of its revenue from the sale of personal data, is covered by this regulation.

Where to Begin

The first task for companies seeking CCPA compliance is to map the consumer data they have been capturing across Customer Relationship Management (CRM) systems over the years. Some companies might have to map 50 or more locations of Personally Identifiable Information (PII) scattered across their systems. Mapping requires identifying what type of data they hold, where it is stored and transmitted, and how it is used, including by third-party vendors. Many organizations will need to implement new data integration technologies, such as Tableau or Microsoft Power BI, to connect disparate and siloed data.

Once that large task is completed, the next step is to develop a plan and a process for complying with CCPA consumer requests. To comply with CCPA, businesses must be able to document and demonstrate the plan, and to prove that it works.

CCPA requires that businesses respond to consumer rights requests within 45 days. Businesses are obligated to disclose what data they have been collecting, for what purpose, and which third parties the data is shared with. They must provide consumers with their data in a portable, readily transmittable format. Consumers also have the right to opt out of data gathering and to request deletion of any PII.
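The two steps above (mapping where PII lives and then servicing access, portability, opt-out and deletion requests within the 45-day window) are easier to reason about with a concrete skeleton. The following Python is an added example written for this article, not code from the author or any product; the systems, field names, vendor names and consumer records in it are constructed, and the data map is a plain list rather than the output of a tool such as Tableau or Power BI. It shows how a single data map can drive the "what, why and with whom" disclosure, a portable export, a deletion that leaves an audit record, and an opt-out check that is consulted before sharing.

```python
"""Added example: a minimal CCPA data map and consumer-request handler.
Systems, records and vendor names below are constructed for illustration."""
import copy
import json
from datetime import date, timedelta

CCPA_RESPONSE_WINDOW_DAYS = 45  # response window stated in the article

# Constructed data map: one entry per system that holds PII, recording which
# fields it stores, for what purpose, and which third parties receive them.
DATA_MAP = [
    {"system": "crm", "fields": ["email", "name", "phone"],
     "purpose": "customer support", "shared_with": ["helpdesk-vendor"]},
    {"system": "marketing", "fields": ["email", "zip"],
     "purpose": "email campaigns", "shared_with": ["ad-network"]},
    {"system": "billing", "fields": ["name", "card_last4"],
     "purpose": "payment processing", "shared_with": []},
]

# Constructed records: system -> consumer id -> stored fields.
_RECORDS = {
    "crm": {"c-1001": {"email": "ada@example.com", "name": "Ada", "phone": "555-0100"}},
    "marketing": {"c-1001": {"email": "ada@example.com", "zip": "94105"}},
    "billing": {"c-1001": {"name": "Ada", "card_last4": "4242"}},
}
_MISSING = object()


def fresh_stores() -> dict:
    """Independent copy of the constructed records (deletion mutates its input)."""
    return copy.deepcopy(_RECORDS)


def response_due(received: date) -> date:
    """Date by which a request received on `received` must be answered."""
    return received + timedelta(days=CCPA_RESPONSE_WINDOW_DAYS)


def response_due_iso(received_iso: str) -> str:
    """Same as response_due, for ISO-8601 strings as found in a ticketing system."""
    return response_due(date.fromisoformat(received_iso)).isoformat()


def disclosure_summary(data_map=DATA_MAP) -> dict:
    """Per PII field: every purpose it serves and every third party it is shared with."""
    summary: dict = {}
    for entry in data_map:
        for field in entry["fields"]:
            item = summary.setdefault(field, {"purposes": set(), "shared_with": set()})
            item["purposes"].add(entry["purpose"])
            item["shared_with"].update(entry["shared_with"])
    return {f: {"purposes": sorted(v["purposes"]), "shared_with": sorted(v["shared_with"])}
            for f, v in summary.items()}


def access_request(consumer_id: str, stores: dict, data_map=DATA_MAP) -> dict:
    """Collect everything held about one consumer from every mapped system."""
    found = {}
    for entry in data_map:
        record = stores.get(entry["system"], {}).get(consumer_id)
        if record is not None:
            found[entry["system"]] = dict(record)
    return {"consumer_id": consumer_id, "systems": found}


def to_portable_json(export: dict) -> str:
    """Serialise an access-request result as a portable, machine-readable document."""
    return json.dumps(export, indent=2, sort_keys=True)


def deletion_request(consumer_id: str, stores: dict, data_map=DATA_MAP) -> dict:
    """Remove the consumer from every mapped system; the per-system outcome is
    the audit record that shows the deletion actually happened everywhere."""
    outcome = {}
    for entry in data_map:
        removed = stores.get(entry["system"], {}).pop(consumer_id, _MISSING)
        outcome[entry["system"]] = removed is not _MISSING
    return outcome


def opt_out(consumer_id: str, registry: set) -> set:
    """Record an opt-out; the registry must be consulted before any sharing."""
    registry.add(consumer_id)
    return registry


def may_share(consumer_id: str, third_party: str, registry: set, data_map=DATA_MAP) -> bool:
    """True only if the consumer has not opted out and the data map documents
    that some system shares data with this third party."""
    if consumer_id in registry:
        return False
    return any(third_party in entry["shared_with"] for entry in data_map)


if __name__ == "__main__":
    stores = fresh_stores()
    print("respond by:", response_due_iso("2020-01-01"))
    print(to_portable_json(access_request("c-1001", stores)))
    print("deleted:", deletion_request("c-1001", stores))
```

Two design points matter in practice: the deletion routine reports per system rather than returning a bare success flag, because a partial deletion (one silo missed) is exactly the failure a regulator or plaintiff will ask about, and the sharing check refuses any third party the data map does not list, so an undocumented recipient is caught as a mapping gap rather than silently allowed.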

Information Technologies Needed

To accommodate the enormity of the CCPA 800-pound gorilla, businesses may require new technologies such as data mapping and integration tools, as well as continuous backup and security solutions. Some companies might already have policies and procedures in place that will help with a readiness assessment. They will follow the readiness assessment with new business processes, including documenting and mapping the use of consumer data and keeping that documentation up to date. If businesses are not already following a cybersecurity framework such as ISO 27001 or NIST, then they need to ensure that data at rest is encrypted to reduce the risk of data breaches. Finally, employees must be trained in how to handle customer PII.

CCPA Compliance

While the cost of compliance can be daunting, with many estimates in the six-figure range, the cost of non-compliance can be even more overwhelming. Non-compliant companies face fines and penalties of up to $7,500 per violation in civil actions. Class action suits can cost a company up to $750 per consumer per incident or actual damages (whichever is greater), whether the violation is intentional or unintentional. In either scenario, since cases routinely cover multiple records and incidents, penalties add up fast.

Many businesses are engaging managed security service providers to sort out the details, using complex tools to identify and organize collected data while giving consumers easy access to delete or modify it.

If companies can document, demonstrate, and prove their CCPA compliance plan, then they shouldn’t have to worry about the CCPA going ape.
