The California Consumer Privacy Act (CCPA)—sometimes referred to as California’s equivalent to Europe’s General Data Protection Regulation (GDPR)—represents a turning point moment in the digital era, changing the way businesses collect, process and retain information on customers. The law, which became operative January 1, 2020, grants consumers the right to request that a business disclose the categories and specific pieces of personal information that it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared, among other rights.
While many U.S. companies have convinced themselves that they need not concern themselves with complying with the GDPR’s requirements, the CCPA is shaping up to be a game changer. Given the importance of the California market, U.S. companies are realizing that they will not be able to opt out of privacy. Indeed, CCPA’s most important legacy may not be the privacy law itself, but the legislation it inspires: Already nearly two dozen states have publicly pledged to enact their own updated privacy laws. In addition to California, Maine and Nevada also have privacy policies in place. At this rate, we will soon have a pseudo federal law, but without the benefit of uniform application across all states: It will become increasingly impossible to do business in the U.S. without bumping into one of these emerging privacy laws.
Though the popular view is that Washington, D.C. is in a permanent state of gridlock, the possibility of passing a federal CCPA-like law may be far more likely than businesses assume. Even without a change in the Oval Office, bipartisan privacy bills in the House and the Senate are moving to reconciliation right now, and they are likely to be put forward after the next election, whether the current administration stays in power or not.
Trying to comply with a patchwork of laws could prove more onerous than a single federal one for business. Even organizations against regulation are starting to recognize that a single, consistent law will probably be less costly than potentially 50 individual state laws. Some form of federal legislation is likely to be passed.
ADDING COMPLEXITY AND UNCERTAINTY
The exact impact of CCPA compliance on companies—both financial and in terms of the business model—will depend on how data centric their business model is and on the industry in which they operate. However, businesses are rightly concerned about the cost of complying with the law. In fact, a standardized regulatory impact assessment report prepared for California’s Office of the Attorney General estimated that CCPA compliance could cost businesses $55 billion in initial charges. Organizations can expect to see privacy budgets equal to, if not greater than, their security budgets, depending on their business models.
For a low data-centric organization, the impact might be minimal. But for a highly data-centric organization, such as a social media company that aggregates consumer-browsing habits and resells the information, a more expansive definition of privacy could be shattering. Some business models could be practically legislated out of existence, depending on what variants of the law are passed.
And while much of the attention to date has been on privacy as it relates to consumers, industry- specific privacy issues add a layer of complexity. We’re beginning to see business-to-business privacy requirements, with companies contractually requiring that vendors and sub-contractors meet CCPA and GDPR regulations to simplify their own ability to comply with the laws.
PREPARING FOR THE INEVITABLE
What should organizations be doing? As with any regulation, complying with the CCPA is both a risk management exercise and a potential opportunity. From a risk perspective, companies need to be prepared, at a minimum, to meet the highly visible requirements most likely to bring them to the attention of consumers, regulators and class-action attorneys. Specifically, businesses need to make sure that their public-facing privacy and cookie policies pass muster; that they are prepared to field consumer requests as mandated by the laws; and that they are prepared to handle security incidents effectively and in a manner that minimizes consumer impact. In this respect, a key step—and it sounds easy—is to understand what type of data is passing through your environment. Where is it coming from? Where is it going? What systems in the environment is it passing through? Without a thorough understanding of your data, you can’t meet those key, high-visibility requirements.
Once the data is understood, the next key risk-mitigation step is to simplify it. It is important to create data governance structures, reduce the duplication of data across the enterprise and hold the business units accountable if there is a change in the way data is used. Get it out of employees’ in-boxes, out of their local hard drives and off their network shares. That way, when the laws pass, you will have only a few areas where you’ll need to show you’ve hardened down.
A SILVER LINING
If a data mapping is a key requirement to enable providing the required notices, responding to consumer requests and appropriately managing security incidents, it also represents an opportunity to think through how to leverage this new, in-depth knowledge for novel products and services. As with any other regulation, the CCPA’s challenges also present opportunities. Rather than thinking of the CCPA as a narrow compliance exercise, businesses can consider what a thorough understanding of data flows presents for the future. Can any new services be delivered to consumers?
Many consumer companies have long espoused data privacy as a competitive differentiator in the market, making it an integral part of their messaging. The CCPA presents an opportunity for businesses more generally to consider adopting a similar posture. As consumers become increasingly aware of the threats to their data privacy and start demanding better protection, those companies that take a progressive approach to embracing privacy will position themselves to meet evolving consumer demands—and to win in the marketplace.
