Depending on where you live, summer’s heat may be coming to an end. But another heatwave is sweeping across businesses with full force — the pending California Consumer Privacy Act (CCPA). To prepare for the latest GDPR-like data privacy wake-up call, companies are rushing to devise strategies to operationalize the capabilities necessary to demonstrate CCPA compliance.
But with almost a dozen other states planning similar laws, it would be a mistake for companies to solely focus on the CCPA. When the other states eventually pass their own flavor of CCPA, businesses will just find themselves reinventing their compliance controls over and over again.
Who Should Be Thinking About CCPA?
Contrary to popular opinion, CCPA doesn’t only impact Golden State businesses — it affects any large company that does business in California. More specifically, we’re talking about companies with annual gross revenues of $25 million or higher that handle personal information for more than 50,000 consumers, households or devices, or that derive more than half their annual revenue from selling personal information. Similar to GDPR, businesses will need to adhere to CCPA regulations regardless of where they are located.
With the surge of massive data breaches and stolen identities in recent years, many consumers have become justifiably concerned about protecting their personal data. Just like in the E.U., consumers are seeking more transparency into and control over not only what information companies have on them but also how those organizations are using that data, including who they’ve sold it to. This latest legislation gives California consumers the right to demand that companies provide that information and, if asked to do so, completely erase it.
Starting in 2020, California residents and households will officially own their data, not the companies who have collected it. And for the first time, they will be able to exercise their data rights twice a year. If companies do not comply within a 45-day window, they could be on the hook for up to $7,500 per user violation, with no ceiling. With the potential for a significant amount of lost revenue, companies need to be ready. But the impact goes far beyond regulatory non-compliance fines.
Data Privacy Regulation's Direct Impact on CLV and Revenue
For more than a decade, the demand for data-driven decisions has exploded. Businesses of all shapes and sizes have relied on customer data to better understand their customers and build Customer Lifetime Value (CLV).
However, in this new regulatory environment, the data that used to be the asset of businesses will now become the property of consumers. Because organizations will be expected to continue to deliver results with potentially much less data, businesses will need to improve their insight-driven practices and achieve greater accuracy. In fact, every irrelevant future customer interaction will put organizations at risk for CCPA-driven complaints. In this new data privacy environment, the behavior of the business really matters.
CCPA Is Only the First Domino to Fall
CCPA is only the first of many laws to come in the US landscape of consumer privacy and protection. In the absence of an overarching federal regulation, many states are taking the initiative to pass their own data privacy laws, creating a varied and complex data privacy environment for businesses. In fact, states including Hawaii, Massachusetts, Maryland, Mississippi, Nevada, North Dakota, New Mexico, New York, Rhode Island, and Washington are already introducing bills to the U.S. Senate.
Though there’s likely to be some overlap in similar legislation across state lines, the probability that each state’s legislation will be a carbon copy of the CCPA is close to zero. Each will likely have its own specific set of terms and conditions. This will make keeping track of all the future regulations’ policies virtually impossible without the right solution to handle all of the permutations at scale.
The prospect of adding CCPA to the regulatory mix may already be giving technology, data privacy, and compliance professionals night sweats. But now imagine dealing with dozens of similar-but-different state data privacy regulations in rapid succession. This has the potential to turn the way businesses think about customer data upside down.
The Great Orchestration Challenge
When considering how to orchestrate the processes necessary for CCPA and future data privacy regulations, relying on spreadsheets or simple ticketing systems is not going to cut it. The great orchestration challenge centers upon creating new, closed-loop processes for the CCPA and each upcoming legislation. It’s not just about knowing the data sources. It’s about knowing how businesses will go about getting their work done — how they will initiate, automate, track and report on each and every compliance event across the enterprise.
Consider a business that devises a strategy to solely address California’s requirements but then gets a massive set of requests from customers after, say, Massachusetts passes its legislation with its own specific conditions. Once this ball gets rolling, other states will likely follow in swift succession. Without proper planning and automation, this could lead to detrimental consequences in terms of inefficient use of resources, risk exposure, revenue loss and a lack of customer trust.
The best and most cost-efficient approach is to implement a single cohesive strategy that can orchestrate compliance processes from end-to-end while also allowing for specialization and modifications as the regulation landscape continues to change. Essentially, businesses should consider implementing their legal strategy by establishing a system to manage the systems that reaches across all impacted and disconnected existing data infrastructures.
This type of system will most often include capabilities such as case management, process orchestration, robotics and automation in a unified architecture that can mitigate all this complexity. This provides the central backbone for implementing a business strategy that closes gaps in compliance technology strategy and automates workflows while allowing the flexibility to change as new laws come on the books.
Take a Deep Breath
With the CCPA and other future regulations looming, it may seem like the sky is falling — but the future doesn’t have to be so bleak. In fact, it can be a golden opportunity. The key is to understand what the challenges are and address the issues head on now.
Instead of being laser-focused on CCPA, companies need to take a deep breath and see the bigger picture. Develop a multi-dimensional technology strategy that puts the bedrock in place to prepare for CCPA readiness as well as any upcoming legislation. With the proper technology foundation, companies don’t have to reinvent the wheel with every new policy. Instead they can be ready to comply in weeks.
Taken a step further, those who view this as a single compliance exercise may miss a chance to gain a significant market advantage. Flat-footed competitors may get stuck in a data-deletion death spiral that only detracts from the customer experience itself.
The question is, will your organization be prepared with a flexible and scalable solution to not only address these new rules but also swoop in and pick up the pieces from those that aren’t?