Posted by Ian Lowe, May 31, 2019

5 moves to make now for CCPA Compliance

Are you ready for the arrival of the California Consumer Privacy Act (CCPA)? If so, congrats on your prudence and preparedness! 

Not quite ready yet? Then you’re like a lot of businesses, some of whom probably don’t even know there’s a CCPA compliance deadline looming: January 2020.

“That’s plenty of time,” an optimist might say. But there’ll be plenty of ex-optimists among the half of U.S. companies who won’t be CCPA-compliant when regulators start searching for scofflaws.

In the post, “The CCPA and GDPR: Are they obstacles or opportunities?,” we dug into the distinctions between the CCPA and the GDPR, and the impacts the California legislation will have on consumer privacy and corporate operations. Regulations like these are weather vanes showing the shift in consumer attitudes toward data privacy. It’s a change in the wind that companies need to understand and accept, and even profit from if they prove they’re trustworthy when it comes to customer data.

For companies that want to be compliant, there are five moves to make to start down the road toward CCPA readiness, and all five should be under way right now.

Get started today (because you’re already running late)

Crownpeak’s Gabe Morazan, a Certified Information Privacy Professional/Europe (CIPP/E) and director of product for Crownpeak’s Digital Governance solutions, explains one reason companies should hit the ground running: they will have to audit their data-based operations and systems, and that job is probably bigger than they suspect.

“Because there’s very little understanding and top-down management of systems with regard to privacy, when you begin to audit systems, you begin to realize the complexity of it all,” he says. “These systems are all so intertwined that user information is scattered across 50 databases, and each of those is linked to 50 more, and so on. It’s almost a quarter’s worth of work to just dig in and analyze the impact. Anyone who went through GDPR will tell you, ‘I wish we’d gotten started a lot sooner.’”

A company should be identifying and classifying the personal data it already holds, evaluating its data governance policies and procedures, assessing its privacy controls for CCPA compliance gaps, and drawing up a roadmap for closing those gaps, especially where that means updating processes and technology. According to PwC, a third of the companies it surveyed were conducting just such a self-assessment, but only a quarter had completed it.

Copy your GDPR homework

The same investments a business has made in GDPR compliance are likely to be a good foundation for CCPA compliance. That’s because they both follow common principles about transparency, the individual’s right to access or delete personal data, security, and the penalties for violations. 

So the IT and data governance measures taken to comply with GDPR can serve as a starter framework for CCPA compliance as well: implementing privacy by design, mandating audit trails around personal data usage, setting up response capabilities for handling requests for data access, deletion, and transfer, and so on. Keep in mind, though, that there are real differences between the two laws, so consult your legal team.

Wait, you aren’t GDPR compliant yet? You’re hardly alone. Still, EU regulators levied €56 million in fines in the GDPR’s first year, even if most of that came from Google.

Build a compliance-focused culture

Creating a “culture of compliance” where everyone from the C-suite on down obeys corporate policies is a buzzphrase among risk management pundits nowadays. The kind of compliance architecture that ensures even an Intel CEO has to toe the line should be applied to information governance and data privacy, too, not just to police CCPA compliance but to build understanding among employees, stakeholders, and others of how that compliance is good for business.

A centralized management officer and team should be assigned to oversee implementation of data privacy and regulatory compliance measures, review and implement relevant technologies, educate employees about compliance, and draft new policies if needed. This shouldn’t be a pro tem initiative, but an ongoing function. Especially since the CCPA, just like the GDPR, isn’t the end of the regulatory road. Probably not by a long shot.

Stay ahead of regulation

“It’s going to be a considerable problem for companies to deal with future regulation,” Morazan points out. “A platform like Google links as many systems and platforms as possible; now that’s an issue, as all that information has to be decoupled, since different end users in different locales are going to be operating in different regulatory environments, in a real patchwork of regulation.”

At least eight states have data privacy bills under consideration, according to Bloomberg Law.  Are they all more or less identical to the CCPA? Of course not.  Will the federal government step in and simplify the situation by passing blanket legislation to save companies from this regulatory crazy quilt? Don’t hold your breath.

Even the CCPA isn’t locked and loaded yet. There are amendments being proposed that would make fundamental changes to the law, so the CCPA you’re prepared for today might not be the regulation you have to satisfy tomorrow.

The best defense against all this potential regulation? Knowing what’s on the way.  By proactively and recurrently surveying this complex, state-by-state, nation-by-nation legislative landscape, you’ll help make sure your company doesn’t get caught flat-footed. 

Adopt a Universal Consent Platform

Is it self-serving to suggest this? Maybe, but it’s nevertheless a good solution for companies confronted with a maze of disparate regulations across multiple borders.  Even if they’re operating in a limited number of locations, the legislative patchwork we’ve described can generate migraines if you’re not automating compliance.

A best-in-class Universal Consent Platform will, for starters, alert your site users to first- and third-party data collection and enable them to give and withdraw consent. It will also make sure you (and your users) always know who those third parties are, crawling your site to keep your vendor list current, and it protects your company by preventing non-essential tags, which can proliferate dangerously across a website over time, from firing without explicit user consent.
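To make concrete what “not firing without explicit consent” and “knowing who the third parties are” mean in code, here is a small consent-gated tag loader. It is an added example written for this article, not Crownpeak’s product code; the consent categories, the tag objects, the placeholder hostnames and the `ConsentManager` API are all assumptions made for the illustration.

```javascript
// Added example, not Crownpeak's product code: a minimal consent-gated tag
// loader. Categories, tag shapes and the ConsentManager API are assumptions.

const CATEGORIES = ["essential", "analytics", "advertising"];

class ConsentManager {
  // `loader(tag)` performs the actual script injection; it is only ever called
  // for a tag whose category currently has consent.
  constructor(loader) {
    this.loader = loader;
    this.consent = { essential: true, analytics: false, advertising: false };
    this.tags = [];          // every tag ever registered, consented or not
    this.pending = [];       // tags waiting for consent to their category
    this.loaded = new Set(); // ids already injected; a tag fires at most once
    this.audit = [];         // consent changes, kept as an audit trail
  }

  // Register a tag {id, category, src}. Returns true if it fired immediately.
  register(tag) {
    if (!CATEGORIES.includes(tag.category)) {
      throw new Error(`unknown consent category: ${tag.category}`);
    }
    this.tags.push(tag);
    if (this.consent[tag.category]) return this._load(tag);
    this.pending.push(tag);
    return false;
  }

  // Grant consent for a category and release the tags waiting on it.
  // Returns the number of tags that fired as a result.
  grant(category) {
    this._set(category, true);
    const ready = this.pending.filter((t) => t.category === category);
    this.pending = this.pending.filter((t) => t.category !== category);
    return ready.filter((t) => this._load(t)).length;
  }

  // Withdraw consent. Essential tags cannot be withdrawn. Tags in the category
  // stop firing from now on; a script that already ran cannot be unloaded here.
  withdraw(category) {
    if (category === "essential") return false;
    this._set(category, false);
    return true;
  }

  // The vendor list: unique third-party hosts across all registered tags.
  vendors() {
    const hosts = this.tags.map((t) => new URL(t.src).hostname);
    return [...new Set(hosts)].sort();
  }

  _set(category, value) {
    this.consent[category] = value;
    this.audit.push({ category, value, at: new Date().toISOString() });
  }

  _load(tag) {
    if (this.loaded.has(tag.id)) return false;
    this.loader(tag);
    this.loaded.add(tag.id);
    return true;
  }
}

// Browser loader: the script element is created only now, never at page
// parse time. The demo below uses an in-memory loader instead.
function domLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Walk-through with constructed sample tags (the hostnames are placeholders,
// not real vendors).
function demo() {
  const injected = [];
  const cm = new ConsentManager((t) => injected.push(t.id));
  const tags = [
    { id: "core", category: "essential", src: "https://static.example.com/core.js" },
    { id: "analytics-1", category: "analytics", src: "https://metrics.example.net/a.js" },
    { id: "ads-1", category: "advertising", src: "https://ads.example.org/pixel.js" },
    { id: "ads-2", category: "advertising", src: "https://ads.example.org/retarget.js" },
  ];
  const onRegister = tags.map((t) => cm.register(t));   // only "core" fires
  const releasedAds = cm.grant("advertising");          // ads-1 and ads-2 fire
  const withdrawn = cm.withdraw("advertising");
  const lateAd = cm.register({ id: "ads-3", category: "advertising", src: "https://ads.example.org/late.js" });
  return {
    injected, onRegister, releasedAds, withdrawn, lateAd,
    pending: cm.pending.map((t) => t.id),
    vendors: cm.vendors(),
    auditLength: cm.audit.length,
  };
}
```

Two design points matter for a real deployment. Tags must be registered through the manager rather than placed directly in the HTML, because a script element already in the page fires before any consent check can run; that is the mechanism behind the tag proliferation the paragraph warns about. And withdrawal only prevents future firing: a third-party script that already executed cannot be unloaded from the browser, so the withdrawal record in the audit trail is what you rely on to show the request was honored going forward.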

A platform like this creates powerful bottom-line efficiencies for a company, reduces risk, and builds stronger trust with consumers or customers.  And in the end, that bond of trust is really all they’re asking for.