CCPA Compliance: Overcoming Internal Objections

CCPA Compliance: Overcoming Internal Objections
Photo by Conor Luddy on Unsplash

In June 2018, California passed the strictest data privacy law in the history of the United States: the California Consumer Privacy Act of 2018. As businesses of all sizes consider how to align their operations with the new law’s requirements, internal champions of compliance efforts sometimes encounter resistance — misperceptions of the regulation that can delay or even obstruct their readiness efforts.

Here are three common objections you may encounter within your organization when you request people, budgets, or resources to help you prepare for CCPA — and strategies for overcoming them.

1. “CCPA doesn’t take effect until January 2020, and it may change. We’ll worry about it closer to 2020.”

January 2020 may seem like a long way off, but it marks just 18 months from the date the law was passed.

If complying with CCPA were a matter of tweaking your website and adjusting a few policies, postponing your readiness efforts for a year or longer might make sense. However, to be ready for the regulation, you need a firm grasp on how your company handles personal data — where you store it, who has access to it, where it goes (internally and externally), and how you use it — and this included both structured and unstructured data. Any undocumented processes or “black holes” in your personal data management could cause trouble for your organization when CCPA goes into effect.

As for the possibility that the law will change between now and January 2020, the California legislature has already released several amendments in SB 1121, most of which are technical corrections and clarifications of the original bill’s verbiage. We will probably see more amendments before the law takes effect, but it’s highly unlikely that those revisions will fundamentally affect the basic requirement to understand your data and disclose how you’re using it.

Also, consider an often overlooked requirement of CCPA that may cause resistors to rethink their perspective. Section 1798.130(a)(4)(B) of the law states that a business must

Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (emphasis added)

The same 12-month lookback requirement applies to personal information “that the business disclosed for a business purpose” (Section 1798.130(a)(4)(C)).

So if a customer calls on January 2, 2020 asking for the categories of her personal information that you’ve sold or disclosed, you’ll need to track your disclosure activity back to January 2019. Would your organization have the capability to respond to this request promptly and accurately? If not, the time to implement that functionality is now.

2. “You don’t need additional funds — handle it with the people and budget you already have.”

Preparing an organization to comply with CCPA is a not a small task — and not something most teams can accomplish when they have a little extra bandwidth here and there. An effective readiness program requires the time and effort to

  • Find all of your data
  • Analyze how your organization processes personal data and the business reasons for processing data across all business lines
  • Determine how your organization will respond when data subjects exercise their rights, like requesting that their data be deleted
  • Train the appropriate personnel on their responsibilities in helping your organization comply
  • Develop a governance plan for maintaining your organization’s compliance as your business changes

It is very rare to find a company that has a complete picture of where all of their personal data resides — including both structured and unstructured data — and for many companies, this can be a major undertaking that requires dedicated time and the right resources. These right resources may include people from IT, InfoSec, Legal, and the majority of your lines of business. If your team is trying to take this on in their spare time, you may face a long and difficult road ahead of you.

3. “We’re already compliant with GDPR, so we’re in the clear for CCPA.”

While some pundits are calling CCPA California’s version of “GDPR Lite,” there are key differences between the two regulations that all businesses should consider.

For example, CCPA broadens the definition of “personal information” to encompass any data “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (Section 1798.140(o)(1)). In addition to traditional identifiers such as name, address, and social security number, CCPA encompasses biometric information, internet activity (including browsing history), geolocation data, audio or visual information (face and voice recognition), and other areas not specifically covered under GDPR.

Also, many companies complied with GDPR by adapting their data management procedures or segmenting their data for EU residents and customers. For these companies, complying with CCPA will require a full review of their data processing activities to ensure that they support the rights of California residents as well.

For those companies fully ready for GDPR, compliance with CCPA will be much easier; however, creating the right governance to stay on top of compliance as your business and the regulations change will be critical to your success. Technology will continue to evolve — and your business won’t stand still, either. There are many triggers that may require you to update your data processing records, like mergers or acquisitions, new applications or processes, or new analytics or reporting initiatives, just to name a few.

In addition to watching for triggers, you also need to ensure that your team can execute against the rights given to your consumers and employees — such as honoring requests for erasure and reporting data breaches — within the required time frames whenever the need arises.

Preparing for CCPA is no simple task, so the sooner your organization can assess your risk, identify your gaps, and put a plan in motion, the better off you will be when the enforcement date arrives. By overcoming internal objections and educating your team on what needs to be done, you can set your organization on the path to compliance, allowing plenty of time to put the necessary controls in place.

Primitive Logic has more than 30 years of experience in governance, data architecture, integration, data security, and compliance — all critical areas in preparing for CCPA and GDPR. If you have any questions about these regulations or if we can help you in any way, just give us a call.

Follow Kevin Moos on Twitter at @KevinMoos.

Kevin Moos, September 2018