First, there was the GDPR, with organizations around the world scrambling to create cookie and privacy policies to ensure that their data storage and use would meet the restrictive standards imposed by the EU. For smaller organizations in the U.S., the GDPR didn’t cause quite the fuss that it did for multinational corporations. The California Consumer Privacy Act (CCPA) has the potential to upset marketers and technology experts in businesses of all sizes — especially since it’s expected to open the floodgates for other states to declare their own data privacy standards. The CCPA goes into effect January 1, 2020, but what exactly does that mean for your business?
The CCPA Provides Ownership, Control and Security Over Personal Information
At the heart of GDPR as well as CCPA are the rights that individuals have over the ownership, control and security of their personal information. These rights govern when businesses are allowed to share data, precisely which data points can be shared, who they can be shared with, and how individuals are able to request complete deletion of their information from an organization’s database. There are some high-level rules that help determine the businesses that must comply with the regulations, including:
- Any business or for-profit entity that does business in California
- Organizations with $25 million or more in gross annual revenue
- Organizations maintaining personal or household data for more than 50,000 organizations
- Organizations whose annual revenue is derived 50% or more from selling the personal information of consumers
Unfortunately, GDPR compliance does not guarantee that your business will be compliant with California’s new regulations around consumer data.
What Are the Challenges with CCPA Compliance?
California’s new consumer data policies mirror the GDPR policies in many important ways, meaning organizations that have already invested in GDPR compliance may be far ahead of their competitors who are just embarking on this journey. Compliance with these restrictive policies may require consolidation of a massive amount of information from multiple disparate databases, something that cannot be accomplished quickly or without cost. Organizations are expecting to spend upwards of six figures to become compliant, and businesses that rely on selling consumer data are projecting a significant reduction in revenue opportunities. Simply identifying all the personal data that is stored within your various applications can be difficult, but under CCPA you must also be able to identify where and how the data is being used, who owns the data, who creates it and more. Plus, individuals must have an easy way to access their data storage preferences and effectively erase themselves from your corporate databases.
How Can You Get Ready for CCPA Compliance by January 2020?
Data consolidation is one of the key initiatives for businesses, and many organizations will need to retain an attorney to work through the various requirements and ensure that the business is fully compliant. There are also privacy notices that must be posted on digital channels such as websites and mobile apps, letting consumers know how their data is being stored and used by the business. Data breach reporting is another crucial part of CCPA compliance, and you are also required to maintain defined roles and responsibilities for each data set. Although California was the first state out of the gate with a new compliance ordinance, it’s unlikely to be the last. This will introduce the additional complexity of determining where your users are located and tracking their behavior over time to ensure that you’re delivering the correct privacy policies based on their geographic location.
Data governance is not a new concept, but the level to which organizations are now being required to track minute shifts in information is often costly and time-consuming. It’s crucial that you work with a technology services partner who truly understands the requirements of CCPA and GDPR, and who stays up to date with new legislation as it is introduced, to ensure that your compliance is in order. With penalties of $7,500 per intentional violation and $2,500 per unintentional violation, businesses are going to be extremely motivated to become compliant.