It’s April 2019 and the clock is ticking on the next major mandate for customer data privacy and protection, scheduled to arrive in just a few months. The California Consumer Privacy Act (CCPA) officially goes into effect on Jan. 1, 2020, yet many businesses are still sleeping at the switch.
If the European Union’s General Data Protection Regulation (GDPR) taught us anything, it’s that achieving compliance is likely going to take a lot longer than you may think. Recent research by PwC estimates only about half of US businesses affected by the CCPA expect to be compliant by the deadline.
Who Should Be Worried About CCPA?
Not every business needs to worry about CCPA; however, most large businesses will be in the cross-hairs if they meet just one of the following three criteria annually:
- Earn revenues greater than $25 million.
- Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes.
- Derive 50 percent of annual revenues from selling consumers’ personal information.
The full details and fine print may be found at www.caprivacy.org. But what this means is if your business is actually impacted, due to your size and scale, the scope and effort required to achieve compliance could be considerable.
And contrary to popular opinion, CCPA does not only affect California-based companies. It’s quite the opposite. It applies to any business that does business in California and thereby potentially possesses a Californian’s personal data.
As with GDPR, businesses must adhere to CCPA regulations regardless of where they are based. Case in point: Google, a US-based company, was recently among the first to be fined under GDPR, incurring a 50 million euro fine for noncompliance. The very same dynamic will be at play with CCPA.
Consumers Are Reclaiming Their Data
In broad strokes, CCPA empowers California residents with ownership and control of their personal data. At the same time, it holds businesses to a higher standard for data security, making them accountable for safeguarding customer information. These standards include, but are not limited to, providing consumers with the right to:
- Know all the data a business collects on them.
- Instruct the business to delete personal data.
- Say “no” to the sale of information.
- Sue companies that collect data if the information is stolen or disclosed through a data breach (and the company is deemed careless or negligent in protecting customer data).
- Request an understanding of which third parties may have their information and prohibit businesses from selling data to third parties.
Dude, Where’s My Data?
The first challenge for businesses may seem simple on the surface: determining where all the impacted data actually resides. But this is anything but simple. These records are strewn across siloed systems and databases that have been built over the years. And even after they accurately find it all, assembling this data for those that want to see it will be even harder.
Consider that for the past decade or more, most businesses have been chasing the utopia of achieving a “360-degree view” of each of their customers, and have not yet succeeded. Now, with regulations like CCPA and GDPR, they must be able to assemble this view on demand and, for the first time, provide it directly to their customers.
To comply with CCPA, businesses need to go beyond just having a plan and a process. They need to document their plan, demonstrate how it will be executed and, most importantly, find a way to prove it was done. And for those impacted, it will all need to be executed at scale.
Compliance Will Not Come Out-of-the-Box
While technology will enable compliance, it will not come “out of the box,” no matter what any provider may say, as every data and technology landscape is different. Similarly, businesses’ legal interpretations of what constitutes compliance will vary widely from one to another, even within the same industry.
Every business has data everywhere, spread across multiple CRM (and related) systems — often reaching upwards of 50 or more locations where customers’ personally identifiable information (PII) is held. And unfortunately, much of this infrastructure does not work together because it never had to — until now.
So one of the key questions businesses must ask isn’t whether they have “a system” to manage CCPA compliance. It will be whether they have a system to manage the systems.
This is because the primary CCPA challenge is one of orchestration. To close this gap, many businesses are now looking to technologies such as case management for the orchestration of CCPA processes, just as they have done with GDPR. This approach allows them to document their interpretation of the path to compliance directly within software and then automate the execution of the process from the very moment it is established, while leaving a complete audit trail along the way.
Together with API integrations across this process, other technologies such as robotic process automation (RPA) and robotic desktop automation (RDA) can further, and rapidly, connect disparate data. Robotic automation can integrate into systems and databases that have no APIs and would otherwise remain out of reach. This brings automation from end to end, saving tremendous time and effort.
With the right process-oriented technology in place, businesses can better wrangle data chaos and comply with the new wave of regulations being created to protect consumers.
So, the question remains: is it already too late to meet the CCPA deadline?
Thankfully, it’s still possible to prepare for and meet the January 2020 deadline for CCPA compliance — but the time to start is now.