Less than two years after GDPR went into effect, a similar sense of unease is building in the United States as businesses struggle to become compliant with California’s new CCPA legislation (California Consumer Privacy Act) and to understand what it will mean not just in that state, but across the nation. With California representing 14.5% of U.S. GDP and 12.0% of the overall population, there is too much at stake to stop doing business in that state, a tactic a few businesses used with the E.U. rather than continuing to operate there under GDPR. With the January 1st, 2020 effective date looming, compliance efforts are complicated by the peak season for many businesses, which are primarily focused on making their numbers. Come January 1st, many executives will be asking “Can we become compliant before we get fined?”
At a practical level, CCPA is just another major step in the natural progression and solidification of the overall shift in the marketer-customer dynamic that we have seen over the last decade. The fact that this comes to us at the state level is not surprising considering the country’s foundation of states’ rights, but we expect this is most likely the forerunner to national legislation that should be easily justified. The Commerce Clause of the U.S. Constitution alone should suffice, but the growing need to harmonize overall data privacy legislation with other existing national laws that are currently only niche in focus, such as HIPAA, may be the stick that pushes Congress to finally act. Harmonization of data privacy legislation will not only benefit consumers by making their rights easier to understand and defend, it will also be business friendly. Instead of businesses trying to figure out what the ever-changing set of laws are in all 50 states (not to mention foreign nations), a singular set of domestic laws will greatly simplify life for technology, product, marketing, and legal teams in every organization.
While we wait for the government to get their act together, we’ve created a quick list of the top CCPA challenges we think everyone should keep in mind as they help their businesses become compliant:
Top 5 CCPA Challenges for Businesses
They Let Lawyers Write It. Unlike GDPR, CCPA was not written in plain language, despite requiring that information provided by businesses to consumers be “provided in a manner that may be easily understood by the average consumer”. As non-lawyer stakeholders across Marketing, Technology, Data Management, and other teams try to figure out what it means for their staffing, technology, and planning requirements, this adds an unnecessary layer of confusion and will hinder compliance. If you do not have an internal compliance team, look for experienced external consultants to help you through this process.
It’s Going into Effect Unfinished. The State of California readily admits the legislation is incomplete and will likely see additional changes after the date it goes into effect (see section 1798.185, which directs the Attorney General to adopt further regulations). This effectively makes it impossible for an organization to be fully compliant, or even fully confident in the elements that it believes are clearly laid out in the current version. This adds burdens of cost, time, and frustration, and the risk of damaging litigation, to the average business. Plan for a second compliance phase after July 1st, 2020 to address the changes expected in the first half of 2020.
It Is Not a Single Source of Truth. Other pieces of California state legislation, such as breach notification, are separate from CCPA. Additionally, the requirements for data collection on minors are different from COPPA, creating the risk of conflicts and a burden on businesses that must balance federal and state laws. There are two common approaches here. The more complicated approach is to have a California-only policy and a separate one for everyone else; as more states adopt this type of legislation, that data management will only become more difficult. The simpler approach is to treat everyone as if they have the rights granted under the most restrictive set of legislation and apply it to all consumers. While not always ideal for every business, managing one set of rules will always be less risky and easier to execute.
More Active Data Strategies Will Be Required. CCPA requires more granular event recording than exists in most companies. Beyond the data that was collected, businesses must also retain records of what data was disclosed, sold, and, interestingly, not sold, and to which third parties. For most businesses, automation will be required to make this happen in a cost-effective manner going forward, to comply with the clearly defined response time frames outlined in the legislation, and to have the foundations in place to deal with an audit. Addressing this should be part of your overall data asset development strategy and overall business health reporting.
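As an added illustration of the per-event record keeping described above (this is example code written for this article, not part of the original text and not any vendor's product), the following Python module keeps an append-only, hash-chained ledger of collection, disclosure, sale and "not sold" events per consumer, produces the per-consumer report that a verifiable consumer request would need, and computes response deadlines. The event kinds, field names, sample consumers and third-party names are constructed for the example; the 45-day response window is an assumption about the statutory deadline and is left as a parameter so counsel can set it.

```python
"""Disclosure ledger: an added example, not the article's or any vendor's code.
Assumptions: event kinds, field names and sample data are invented for illustration;
the 45-day response window is an assumption and is a parameter."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import hashlib
import json

# "not_sold" records an affirmative decision not to sell a category of data,
# so the report can state what was not sold as well as what was (naming is ours).
EVENT_KINDS = {"collected", "disclosed", "sold", "not_sold"}
KINDS_NEEDING_RECIPIENT = {"disclosed", "sold"}
DEFAULT_RESPONSE_WINDOW_DAYS = 45  # assumption, confirm with counsel

@dataclass
class DisclosureEvent:
    consumer_id: str
    kind: str
    category: str                 # category of personal information, e.g. "email"
    third_party: Optional[str]    # recipient; required for disclosed/sold
    purpose: str
    on: date
    prev_hash: str                # hash of the previous event ("" for the first)
    hash: str                     # sha256 over prev_hash + this event's fields

def _fields(consumer_id, kind, category, third_party, purpose, on) -> Dict[str, object]:
    return {"consumer_id": consumer_id, "kind": kind, "category": category,
            "third_party": third_party, "purpose": purpose, "on": on.isoformat()}

def _digest(prev_hash: str, fields: Dict[str, object]) -> str:
    payload = json.dumps(fields, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

class DisclosureLedger:
    def __init__(self) -> None:
        self.events: List[DisclosureEvent] = []

    def record(self, consumer_id: str, kind: str, category: str,
               third_party: Optional[str], purpose: str, on: date) -> DisclosureEvent:
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        if kind in KINDS_NEEDING_RECIPIENT and not third_party:
            raise ValueError(f"{kind} event must name the receiving third party")
        prev = self.events[-1].hash if self.events else ""
        fields = _fields(consumer_id, kind, category, third_party, purpose, on)
        ev = DisclosureEvent(consumer_id, kind, category, third_party, purpose, on,
                             prev, _digest(prev, fields))
        self.events.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or reordered event breaks the chain."""
        prev = ""
        for ev in self.events:
            fields = _fields(ev.consumer_id, ev.kind, ev.category, ev.third_party, ev.purpose, ev.on)
            if ev.prev_hash != prev or _digest(prev, fields) != ev.hash:
                return False
            prev = ev.hash
        return True

    def consumer_report(self, consumer_id: str) -> Dict[str, object]:
        """What was collected, disclosed (by recipient), sold (by recipient) and not sold."""
        report: Dict[str, object] = {"collected": [], "disclosed": {}, "sold": {}, "not_sold": []}
        for ev in self.events:
            if ev.consumer_id != consumer_id:
                continue
            bucket = report[ev.kind]
            if ev.kind in KINDS_NEEDING_RECIPIENT:
                bucket = bucket.setdefault(ev.third_party, [])
            if ev.category not in bucket:
                bucket.append(ev.category)
        return report

def response_deadline(received: date, window_days: int = DEFAULT_RESPONSE_WINDOW_DAYS) -> date:
    return received + timedelta(days=window_days)

def overdue_requests(received_by_id: Dict[str, date], today: date,
                     window_days: int = DEFAULT_RESPONSE_WINDOW_DAYS) -> List[str]:
    return sorted(rid for rid, d in received_by_id.items()
                  if today > response_deadline(d, window_days))

# Constructed sample data for the example (not real consumers or vendors).
SAMPLE_REQUEST_RECEIVED = date(2020, 1, 1)
SAMPLE_TODAY = date(2020, 2, 20)

def build_sample_ledger() -> DisclosureLedger:
    ledger = DisclosureLedger()
    ledger.record("c-1", "collected", "email", None, "account creation", date(2020, 1, 5))
    ledger.record("c-1", "disclosed", "email", "MailVendor", "service provider", date(2020, 1, 6))
    ledger.record("c-1", "sold", "purchase_history", "AdBroker", "advertising", date(2020, 1, 7))
    ledger.record("c-1", "not_sold", "email", None, "no sale of contact data", date(2020, 1, 7))
    ledger.record("c-2", "collected", "email", None, "newsletter", date(2020, 1, 8))
    return ledger

if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(json.dumps(ledger.consumer_report("c-1"), indent=2))
    print("chain intact:", ledger.verify_chain())
    print("respond by:", response_deadline(SAMPLE_REQUEST_RECEIVED))
```

The hash chain is what makes the ledger useful in an audit: a record that was edited after the fact, or an event quietly removed from the middle, fails `verify_chain()`. In production the events would be written to durable storage and the chain head anchored somewhere the application cannot overwrite, but the report and deadline logic are the same.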
As we have seen with other data privacy legislation around the world, data privacy compliance will continue to evolve. Businesses that meet or exceed these requirements will find themselves at reduced risk of fines, have stronger relationships with their customers, and should see competitive advantages over those who lag behind in their compliance.
For more on our CCPA Assessment Services, click here
For more reading check out:
California Consumer Privacy Act of 2018 (full text)
California Data Breach Notification law