CCPA Compliance Requirements: Doing Well By Doing The Right Thing
The California Consumer Privacy Act (CCPA), the sweeping piece of legislation designed to enhance the privacy rights of California consumers, was signed into law more than 18 months ago and took effect on January 1 of this year. How is it that many companies doing business in California are still not compliance-ready?
This is a bad state of affairs for a few reasons. For starters, according to Forbes, California would be the fifth-largest economy in the world if it were a country. Chances are that most businesses in the developed world have customers in the state. Noncompliance could carry a hefty price tag. The law gives consumers a private right of action when a data breach results from a business's failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater; separately, the Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. Because statutory damages apply per consumer, a breach that touches a large customer base is expensive even at the low end of that range. That is the “stick” part of the CCPA. The “carrot” is that taking steps to ensure compliance can have very positive effects on businesses.
CCPA compels companies to tell consumers what categories of personal information are being collected about them and whether that information is being sold to third parties. It also gives consumers the right to opt out of the sale of their personal information and a right to deletion, both subject to specific exceptions (for example, data needed to complete a transaction the consumer requested or to comply with a legal obligation). None of this is unreasonable.
Today’s business data comes in through multiple customer touch points, resides in multiple silos in multiple formats, is accessed through multiple applications, and moves to multiple data lakes, data warehouses, and other storage systems and applications. There are technologies (full disclosure: my company offers some) available to do what’s needed to ensure compliance, and those same tools – when combined with changes to the corporate mindset and business processes and the right enterprise data strategy — can achieve much more.
For example, one elusive goal for corporations in most industries is customer 360, which involves gaining a comprehensive view of their customers to understand their behaviors, intents and preferences while staying within privacy boundaries. This understanding can help companies drive proactive and personalized engagement with customers through marketing, sales, service and other points of interaction.
A plethora of technologies promising a customer 360 panacea regularly hit the market. Too often, however, they are legacy technologies “repositioned” for the hot CX market, but unable to meet the requirements of a multichannel, big data world, or the needs of today’s regulatory environment. And startups may have the sizzle, but not the steak. Here are a few tips for adjusting to a post-CCPA business world beyond utilizing technology solutions:
1. Determine if your company is subject to the CCPA. It applies to for-profit businesses that do business in California, collect consumers’ personal information, and meet at least one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of annual revenue from selling personal information.
2. Have your general counsel and legal team lead the compliance plan, and put it in place immediately, following the statute’s requirements and the Attorney General’s implementing regulations. Legal interprets the law, but the data inventory, deletion workflows and consumer-request handling it calls for have to be built and operated by your IT and security teams, so bring them in from the start rather than handing them a finished plan.
3. Learn from what worked and what didn’t work in the implementation of other privacy regulations, including GDPR, and use those learnings to streamline compliance with the CCPA.
4. Mitigate compliance risk and be transparent about what you do with your customers’ data by updating your online privacy notice. CCPA requires it to disclose the categories of personal information you collect, the purposes for which you use it, and the categories of third parties it is shared with or sold to, and a business that sells personal information must also provide a clear “Do Not Sell My Personal Information” link. Done well, this reiterates your customer-first approach to business and allows you to retain more customers in the long run.
5. Appoint someone on your staff to own the compliance processes, with the authority to receive, verify and track consumer requests; the law sets a 45-day window for responding to them, so requests need a single accountable owner rather than an inbox nobody watches.
Staying on the right side of CCPA requires companies to put customers at the center of their business, and I believe the ones that do it right will find themselves closer to more data-driven, hyper-personalized customer engagement than they ever thought possible.
CCPA is similar to the General Data Protection Regulation (GDPR), which takes a more heavy-handed approach throughout the European Union (EU) and the European Economic Area (EEA). GDPR went into effect in May of 2018, and it’s clear that many large corporations, and plenty of smaller ones, were not ready for that either. Fines have been levied against organizations found in violation of GDPR: the largest actually imposed by early 2020 was the €50 million fine France’s CNIL handed to Google in January 2019, and in 2019 Facebook was reported to face a potential fine of up to $2.2 billion under the regulation’s revenue-based ceiling. While myriad enterprises in a variety of industries have faced smaller sanctions, GDPR allows fines of up to €20 million ($22.34 million) or 4% of annual global revenue, whichever is greater.
It’s possible that at least some of the GDPR-related fines were imposed to make a point and that it worked. Many organizations woke up to this new reality of choosing between compliance and huge fines. CCPA will likely take a similar path — big fines for some big names and perhaps smaller ones for others that draw attention to the new reality of data privacy.
Corporate reputations are also on the line. Brand equity and the bottom line may suffer after data breaches or reports of data misuse. As Information Age pointed out, “One of the biggest impacts following a data breach is the effect on the company’s reputation.”
The introduction of the CCPA portends a more perilous regulatory landscape in the United States. Several other states are considering or have already implemented consumer data privacy mandates; Nevada’s SB 220, which gives consumers the right to opt out of the sale of their personal information, took effect in October 2019. Some of the pending bills might become laws by the end of 2020. CCPA will likely be the reference point as these laws are crafted.
Even people who share every aspect of their lives on social media may be reluctant to share personal data out of concern that it will be stolen or misused. It’s ironic but true. Companies that take action to protect data are not only acting in the interest of customers but themselves, too. There’s plenty of content that suggests ensuring GDPR compliance can make companies more trusted and boost the bottom line. Viewed from this perspective, the CCPA can be a catalyst for positive change that can strengthen an organization’s relationship with its customers, community and key stakeholders.
This blog was originally posted on Forbes