Personal data is currency in today's digital economy. More and more organizations operate via business models that monetize individual information. And up until recently, few regulations existed on how organizations could collect and use that data. In recent years, enterprises have had both the opportunity and cost-effective technology to collect vast amounts of employee and consumer data, and have used that data in ways that are intended to benefit their business goals. However, there have been few restrictions or requirements to be able to track, report on or even delete personal data.
So where are we today? We’ve already seen the impact the GDPR has had on organizations worldwide, forcing them to reevaluate their policies and processes to make data accountability integral to their operations. If I had to guess, I’d say we’re only at the tip of the global privacy regulation iceberg.
Enter the California Consumer Privacy Act (CaCPA). California, of all the states in the US, has long set the national precedent for consumer protection in the digital era. Now with the CaCPA, state legislators are setting the stage for a fundamental realignment of how companies doing business in the state (and by extension, the US as a whole) interact with customer data. January 2020, when the CaCPA is planned to go into effect, may seem a long way off, but as we saw with the GDPR, the vast majority of organizations procrastinated and then went into panic mode when the compliance deadline arrived. History has a way of repeating itself, but in this instance it would be wise to write a new chapter in regulatory preparation.
Without a doubt, the CaCPA will have an unprecedented impact on how companies engage with personal data. The time is now for organizations to make sure they’re prepared to meet the requirements of the Act, as well as the increasing demands from consumers for how their data is collected, protected and used.
3 Steps to Prepare for January 2020 Now
Organizations can embark on the following three key steps to be prepared for January 2020.
1. Preparation: Assess Where You Are Today
Organizations that have implemented GDPR requirements may be closer to compliance than companies that have not, but where you are today and where you want to be in 2020 will be different for every company. When creating your roadmap, it’s important to consider your company’s individual business strategy, corporate culture and values.
Further, the CaCPA is the first-of-its-kind personal data regulation in the US. Some of its provisions, which include the Right to Know, Right to Access, Right to Disclosure, Right to Opt Out and Right to Delete, fundamentally change the definition of what’s considered Personally Identifiable Information (PII). This means that regardless of whether your organization has prepared for the GDPR, you will likely need to make updates to meet the CaCPA regulations.
2. Ramping Up: Build a Privacy Governance Program
Under the CaCPA, organizations will be required to map their data estate, identify all personal information (a broader category than the directly identifiable attributes that define PII under the current standard) and clearly inventory that data by person and state of residence. This requires ongoing teamwork across departments, from legal and marketing to security, IT and the C-suite.
Completing all of the requirements of CaCPA manually will be impossible. For businesses large and small, especially those with many data stores, it is essential to leverage automated technology that enables:
- A clear understanding as to where data lives across the enterprise.
- The mapping of data flows to illustrate with what applications and systems, and with whom that data is shared.
- Easy contextualization of all personal information across the company based on an individual consumer’s identity.
- The facilitation of quick organizational responses to consumer access and deletion requests under the Act.
- Privacy assurance for auditing purposes and defending against lawsuits and regulatory actions.
3. Maintaining Compliance: Effectively Manage Consent and Monitor Processing on an Ongoing Basis
Being compliant with the CaCPA is going to be an ongoing process for every organization. It won’t happen overnight, nor will it be perfect when the clock strikes in January 2020. Organizations need to continually assess and improve the controls they have in place to manage downstream uses of consumers’ data, so that they can monitor, manage and assure that appropriate consents have been obtained and that the uses of personal information are appropriate. Smart companies will continually audit themselves against CaCPA requirements, with the goal of avoiding the accidental sharing or selling of personal information without permission, and thus the lawsuits, fines and reputational damage that come with such missteps.
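The capabilities listed under step 2 (knowing where personal data lives, tying it to an individual consumer and state of residence, and answering access and deletion requests) and the consent monitoring described in step 3 can be illustrated with a small inventory script. The following is an added example written for this article, not code from the article's author or from any privacy tooling vendor. The data stores, field names, the `PERSONAL_FIELDS` set, the `opt_outs` registry and the sharing events are all constructed sample data; a real deployment would populate them from discovery scans, a consent platform and data-sharing logs.

```python
"""Toy personal-data inventory with access/deletion handling and a consent
check. Constructed example; every store, field and event below is made up."""
from collections import defaultdict
from copy import deepcopy

# Assumption: these field names are treated as personal information. The set is
# deliberately wider than name/email, mirroring the broader definition in the Act.
PERSONAL_FIELDS = {"email", "device_id", "ticket_text"}

# Constructed sample data stores, keyed by a consumer identifier that links the
# same person across systems, plus their state of residence.
STORES = {
    "crm": [
        {"consumer_id": "c-100", "state": "CA", "email": "a@example.com"},
        {"consumer_id": "c-200", "state": "NY", "email": "b@example.com"},
    ],
    "marketing": [
        {"consumer_id": "c-100", "state": "CA", "device_id": "dev-1"},
        {"consumer_id": "c-300", "state": "CA", "device_id": "dev-2"},
    ],
    "support": [
        {"consumer_id": "c-100", "state": "CA", "ticket_text": "cannot log in"},
    ],
}

# Constructed consent registry: consumers who exercised the Right to Opt Out of
# having their data sold or shared.
OPT_OUTS = {"c-100"}

# Constructed data-sharing log: each event records who received data about whom
# and whether the transfer counts as a sale or share to a third party.
SHARING_EVENTS = [
    {"consumer_id": "c-100", "recipient": "ad-network-x", "is_sale_or_share": True},
    {"consumer_id": "c-200", "recipient": "ad-network-x", "is_sale_or_share": True},
    {"consumer_id": "c-100", "recipient": "payment-processor", "is_sale_or_share": False},
]


def build_inventory(stores):
    """Map each consumer id to every (store, record) pair holding personal info about them."""
    inventory = defaultdict(list)
    for store_name, records in stores.items():
        for rec in records:
            if PERSONAL_FIELDS & rec.keys():
                inventory[rec["consumer_id"]].append((store_name, rec))
    return dict(inventory)


def residents_by_state(stores):
    """Count distinct consumers per state of residence, so scope can be judged."""
    ids_by_state = defaultdict(set)
    for records in stores.values():
        for rec in records:
            ids_by_state[rec["state"]].add(rec["consumer_id"])
    return {state: len(ids) for state, ids in ids_by_state.items()}


def access_request(stores, consumer_id):
    """Right to Access / Know: return the personal-info fields held, grouped by store."""
    response = {}
    for store_name, rec in build_inventory(stores).get(consumer_id, []):
        fields = {k: v for k, v in rec.items() if k in PERSONAL_FIELDS}
        response.setdefault(store_name, []).append(fields)
    return response


def deletion_request(stores, consumer_id, audit_log):
    """Right to Delete: remove the consumer's records from every store, in place,
    and append one audit entry per store touched. Returns records removed."""
    removed = 0
    for store_name, records in stores.items():
        kept = [r for r in records if r["consumer_id"] != consumer_id]
        dropped = len(records) - len(kept)
        if dropped:
            records[:] = kept  # mutate in place so the store itself changes
            removed += dropped
            audit_log.append({"action": "delete", "store": store_name,
                              "consumer_id": consumer_id, "records": dropped})
    return removed


def check_sharing(events, opt_outs):
    """Flag every sale/share of data about a consumer who has opted out."""
    return [ev for ev in events
            if ev["is_sale_or_share"] and ev["consumer_id"] in opt_outs]


if __name__ == "__main__":
    working = deepcopy(STORES)
    print("consumers per state:", residents_by_state(working))
    print("access request c-100:", access_request(working, "c-100"))
    audit = []
    print("deleted records:", deletion_request(working, "c-100", audit))
    print("audit entries:", audit)
    print("sharing violations:", check_sharing(SHARING_EVENTS, OPT_OUTS))
```

The consumer identifier is what makes the inventory useful: an access or deletion request is answered by joining on it across every store, rather than by searching each system for an email address. The audit log written by `deletion_request` and the list returned by `check_sharing` are the kind of evidence the article's fifth bullet (privacy assurance for audits and disputes) refers to.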
While the California legislature will continue to make amendments to the CaCPA before the January 2020 enforcement date, having the foresight to work toward compliance now may very well be the difference between an organization being able to handle consumer requests and avoiding crippling fines — or not.
Even if your organization is not impacted by the CaCPA, GDPR or any other privacy regulation, putting data privacy at the heart of your enterprise as more consumers, employees and shareholders demand it is simply good for business.