By Anne Hardy.
On November 3, California voters passed the California Privacy Rights Act (CPRA). The new law expanded upon the existing California Consumer Privacy Act (CCPA) and brought its regulation closer to the gold standard of privacy regulation — the EU’s GDPR. The law’s focus on sensitive personal information, consumer rights, and data controller compliance is a step in the right direction for privacy and consumer protection. However, consumers won’t be the only ones impacted by the law. CPRA will change how enterprises prioritize Data Management, how they secure their data, and how they create their customer experiences.
Data Management Under CPRA: Back-End Work Moves to the Forefront of Enterprise Priorities
Data Management and governance have always been important but have largely been behind-the-scenes functions. However, CPRA is forcing companies to think about their data. Gone are the days of funneling mass volumes of data for the sake of having it. Now, organizations will have to be aware of the data they’re collecting and storing so they can produce records if requested — especially when failure to do so means a fine or, worse, a loss of consumer trust.
As more and more companies begin to operate under the rule of CPRA or rules like it — there is a proposed national consumer protection act in Congress — they’ll begin investing more in enterprise-wide Data Governance programs. They’ll dedicate infrastructure and manpower to not only keeping a defined record of their data but also making it accessible upon consumer request. By investing in better Data Management, organizations will be able to better guarantee, and find business value in, protecting and keeping account of consumer data.
Secure Organizations Under CPRA: Data Security, Data Privacy, and Data Governance
To remain secure under CPRA, organizations need to take a three-pronged approach. Specifically, they need to address the trifecta of data security, data privacy, and Data Governance. Data security is straightforward. Organizations need to keep data safe from breaches. However, it’s complicated by the mass migration to the cloud because companies are no longer only defending the traditional stack. As companies invest more in cloud infrastructure, they’ll certainly increase spending on application security — especially when breaches in security and malevolent attacks, like ransomware, have been reported by over half of global enterprises in the last year.
Data privacy is the obligation to keep consumers’ sensitive data accounted for, anonymous, and out of reach of those who shouldn’t have access. However, CPRA will not only protect consumers’ sensitive information; after three years, it also covers employee data. Companies need to be prepared to protect health records, social security numbers, and other personal information to be in compliance. While data privacy seems like an obvious necessity, consider the difficulty it presents. Organizations now, by law, are required to keep data private on two fronts: internal protection for the data collected from employees and external protection for the data collected from consumers.
Finally, Data Governance keeps data secure and private. Without a robust Data Governance program, controlling who has access to which data will not only be a legal issue — it’ll also slow down day-to-day operations. Organizations can guarantee compliance and efficiency by investing in teams and software dedicated to keeping data where it needs to be, with the appropriate parties. While balancing this trifecta may initially complicate traditional enterprise security plans, it will become easier because the relationship between the three individual measures of protecting data is synergistic. In other words, for one prong to be truly effective, all three prongs need to be working.
Complying with CPRA Will Redefine How Companies Curate Customer Experiences
A company’s success lies in its capacity to keep customers’ trust while offering them a personalized experience. Investing in comprehensive Data Management teams and the three prongs of security ensures compliance and allows companies to prosper. Even though there are new regulations and rules in place, CPRA presents a new opportunity for businesses to improve their customer experience services and capabilities in order to increase revenue.
CPRA empowers consumers to choose whether to share data and what data they share. Fewer people will be opting in, so companies now have an audience that is interested in tailored offerings and experiences. It turns out these are their best and most loyal customers. The data people are willing to share will not only shed light on the demographics of an organization’s staunchest supporters but also provide insight into the features that appeal the most to that same demographic. The days of hoarding data may be on their way out, but CPRA presents an opportunity for companies to collect data immediately relevant to their business. The opt-in feature may be an initial hurdle, but in the long run, successful companies will leverage volunteered information for individualized and innovative customer experiences.
The Future Is Regulated
In April, a McKinsey & Company survey found that 87 percent of consumers would not do business with companies whose security practices gave them concern. Since then, the global pandemic and the recent presidential election have pushed privacy and security concerns to the forefront of the national conversation. As the conversation grows louder, consumers are going to come to expect data responsibility from the companies they spend their money with — regardless of federal enforcement.
Moving into the new year, companies should invest in better Data Management, expand their security policies to include privacy and governance, and evolve their customer experiences — or risk losing potential customers. CPRA is coming, and its influence is spreading. Companies that want to keep growing their business must prepare for the change and accept their new data responsibility.