The California Consumer Privacy Act (CCPA) will usher in a new era of data privacy when it comes into effect on 1 January 2020. The Act will bring European-style privacy requirements to businesses that collect and control California residents’ personal information, do business in the state, and meet certain revenue thresholds.
While complying with the Act will take effort and resource, it will also help you better serve customers. Recent high-profile privacy cases, such as the Facebook-Cambridge Analytica scandal, have made consumers more aware of how their data is managed and the choices they have. So, preparing for the CCPA now can set you apart from your competitors.
Our work on over 50 privacy projects in the last year (largely helping global organisations respond to the EU General Data Protection Regulation) has taught us that early preparation is vital.
Given the strong and open opposition to the CCPA by some companies, the final compliance requirements will likely evolve before it comes into effect. This makes adhering to the spirit of the regulation, rather than the letter, the most sensible option. It’s essential to understand your privacy capability gaps and define your operating model around data privacy, with specific capabilities, roles and responsibilities.
You need to get your operation ready, from understanding how you’ll engage customers and handle their inquiries, to knowing how you will cope minute-by-minute in the wake of a data breach. Only by going through this process will you fully realise the day-to-day impact of the CCPA. At a minimum, your operating model will need to consider:
In Europe, many organisations that were underprepared for the GDPR were later caught out by their customers and suppliers asking for assurances around their compliance. As the CCPA date approaches, you can expect those that you do business with to seek assurances around your information security controls and ability to handle a data breach. You can also expect changes to contracts that enable right-to-audit clauses and service level agreements around data processes.
We found that the organisations that were able to respond most effectively to this ripple effect were those that had already taken the time to get their house in order. They were able to demonstrate compliance and provide assurances to their customer base, preventing costly and distracting audits.
Our recent work for a global asset manager with $700 billion in assets helped them dramatically increase their compliance position, build confidence with investors, and embed privacy capability across the organisation. This means they are now well prepared for the CCPA and can be confident that future privacy regulation will require only an incremental effort.
Your privacy program should embed the capability to comply with any future state-level regulation that might be released – this will prevent the need to run a separate program for every new privacy regulation that comes along.
A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?