Imagine you’re a company with 1,000 customers and one day, your customers sue you for data security breaches totalling $750,000. Next week, you and your organisation face a class action lawsuit for privacy violations totalling $10,000,000.
The California Consumer Privacy Act of 2018 (“CCPA”) taking effect on January 1, 2020 makes this scenario possible very soon.
For each data breach under the CCPA, an eligible customer (i.e. California resident) can demand up to $750. For each violation of a CCPA provision, an eligible customer in a class action can obtain up to $10,000 if the CA Attorney General declines to prosecute and your business does not cure its violations within 30 days. CA – the most populous state in the United States – joins other states with data privacy laws, including Vermont, Colorado, New Jersey, and Washington in leading data regulation.
While organisations can build on their GDPR efforts to be in accordance with new CCPA rules, meeting GDPR laws by itself does not mean an organisation meets CCPA rules. Organisations should consider these three steps to prepare for the CCPA.
First, determine whether the CCPA applies to your business. If your company is small enough or does not deal with CA residents, the CCPA may not apply.
- Does your organisation meet the eligibility threshold? Over half a million companies are likely affected. The CCPA regulates companies that meet any of these three conditions: (1) achieve gross revenues that exceed $25 million, (2) sell data on over 50,000 consumers in any single year, or (3) derive at least 50 per cent of its revenue from selling consumer’s personal information (see Section 1798.140(c)). Note that, in contrast, the GDPR affects all organisations, including non-profits, established or offers goods or services in the EU.
- Does your organisation deal with CA residents? The CCPA defines a “consumer” as a California resident – a person who intends to reside in CA for the long term (see Section 1798.140(g)). As a result, this includes those who live in other areas, but intend to come back to CA for the long term.
- Does your organisation collect personal information (PI) on CA residents? Given the broad definition of personal information in the CCPA, the answer is likely yes. The CCPA regulates “any information” relating to a person or household (Section 1798.140(o)), as well as, going beyond GDPR, data from devices and inferences drawn from other information to create a profile about a consumer. As a result, the CCPA even regulates data that is not linked to a name, such as a household’s water consumption. Limited exceptions apply. For instance, the CCPA excludes information that is publicly available (Section 1798.140(o)(2)) or created due to conduct entirely outside of CA’s borders (Section 1798.145(a)).
Second, coordinate with your company’s existing GDPR efforts. If Capgemini’s survey is correct, you’re like the other 85 per cent of firms that did not fully meet the compliance requirements on time. While GDPR compliance helps with CCPA compliance, there are major differences, as the table below illustrates. For instance, note that the CCPA has the right to equal service and mandates businesses to include communication channels for their users to opt-out of data sharing.
Consider tools to simplify your compliance.
Compliance with the CCPA and the GDPR can be difficult for numerous reasons, including:
- No single view of customer. Due to hundreds or even thousands of different databases about your customer, you don’t have a single view of your customer. Because your sales, customer service, and marketing departments are collecting customer data separately, your algorithms may be using redundant or outdated data, generating incorrect customer insights. When you do try to compile customer insights, access to each database takes days because database administrators have to manually grant them. Relevantly for the CCPA, you may not even be sure you’re giving customers all of their relevant data or know which customers are CA residents or minors. The thought of meeting the 45-day deadline to return data requests seems impossible because of how difficult it is to get data now.
- Many users with different permissions. Since different databases have varying policies around who can access these databases and why, it’s highly possible that users and third parties – like Cambridge Analytica – are violating the resale or purpose restrictions of those databases. Your manual systems make it difficult to consistently document and audit data user behaviour, leaving your bases uncovered.
- Changing regulations require updates. Your company has thousands of databases and users. Existing policies are written in complex code and require a slew of data technicians to implement. For instance, GDPR may require you to mask certain data fields when users ask for PI. When new regulations, like CCPA come into existence, ensuring compliance across various datasets becomes a multi-year effort across legal and IT departments, costing millions of dollars of time and money.
However, you can’t just request customers to waive their rights; under the CCPA, these are unenforceable, deemed as contrary to public policy. Even more, these type of shortcuts destroy customer trust.
Given the compliance difficulties outlined above, data regulations require scalable approaches. Instead of reacting to the changing regulatory landscape in surprise after each new regulation, data governance tools put you one step ahead as a data-first, customer-centric business:
- No single view of customer – Consider data virtualisation. This method integrates data from disparate sources, without replicating the data, creating a “virtual” data layer. For the data to which they have access, users see just one set of data. They no longer have to recreate the wheel to discover which databases have relevant customer information or search through multiple databases and waste their time.
- Many users with different permissions – Consider data personalisation and audit logs. Based on a user’s attributes, such as the group they’re a part of or where they work, data personalisation capabilities ensure only the right users get access to the right data.
- Changing regulations require expensive updates – Consider natural language options. Instead of having to write code to filter or mask data to protect PI, use natural language to help non-technical employees, such as lawyers or compliance officers govern data appropriately. So instead of writing Python code, your data governors, for instance, can choose drop-down options that easily allow them to limit data for customer insight purposes and mask data columns involving age for those in the accounting department.
Ethical data science is good data science. Advanced data governance tools allow you to practice ethical data science, easily. By connecting different databases in a single virtual layer, personalising access to data, and easily applying regulations without code, advanced data governance tools can enable users to practice “data protection by design” – no more ad-hoc responses to comprehensive data regulations or addressing regulatory issues at the end. Look for a data management solution that will enable you to design a new system that seamlessly protects your customers’ data.
While nightmares of lawsuits related to new data policies and laws can be daunting for enterprises, the silver lining of data regulations like the CCPA is that is forces enterprises to take responsibility for how they access and use data – ensuring data is used ethically and with consumer consent.
GDPR and CCPA helps data science program leaders to convince key stakeholders to invest in data infrastructure that companies like Google and Facebook have had in place for years. In your grasp are a better understanding of your customer, trustworthy data, and more engaged prospects of those opted-into your business. GDPR and CCPA are tools to help your organisation transition into a data-first, customer-centric business.
Less garbage in means more diamonds out.
Dan Wu, Privacy Counsel & Legal Engineer, Immuta
Image source: Shutterstock/alexskopje