Create a CCPA strategy that enables your organization to comply
Companies remain as confused as ever about how best to comply with the California Consumer Privacy Act, the act that enhances privacy rights and consumer protections for California residents, which goes into effect on January 1, 2020.
For most organizations, the overriding questions are how big is the CCPA transition going to be; how much interest will consumers have; and how many will click the Delete My Data button?
Given the unknowns, debate is underway at most companies about the benefits of fully preparing now for CCPA versus taking a wait-and-see approach on whether the regulation will take effect.
Make no mistake: Although several amendments have been signed into law, CCPA appears to be moving forward. With this in mind, it’s important to take a health check of one’s organization and be prepared to comply with the coming regulation. Don’t be the company that tests the legal parameters.
While compliance requires time and money, CCPA also offers a couple of bright spots for organizations. One is that companies can repurpose the teams, action plans and structure they assembled for the General Data Protection Regulation (GDPR). The other is that compliance with CCPA won’t be a one-off effort: With privacy legislation pending in multiple states and jurisdictions, CCPA is just the beginning of state-level privacy regulations.
In preparing for CCPA, your organization will want to build a compliance roadmap that’s strategic in nature and readies the organization for the future. Consider the following steps:
Determine how your organization will restructure data from the customer journey
Most companies can draw the general outlines of where and how customers interact with them. CCPA, however, requires details. Not only does touchpoint data need to be in a ready-made format so personal information is easy to retrieve, but responsibility must be assigned for gathering it.
Some companies are assigning IT the task of collecting and structuring customer data. Others take a distributed approach, using a pitcher-catcher model in which divisions gather data and pass it to IT for restructuring. CCPA’s requirement for returning information to the customer brings a two-way flow to a process that has traditionally been one-way. It’s creating a new channel. The key for companies is to structure data in a way that allows for transparency and builds trust in their brand.
Evaluate the complexity of your data environment
Data gathering pulls from radically different sources, from customer edge touchpoints to backend databases and everything in between. Getting a handle on the complexity of your environment is the first step to scoping out the work CCPA has in store for you. How will you manage data requests and address data-collection points and information-sharing policies such as API integration?
Keep in mind that CCPA makes it legitimate for customers to request details on any interaction around client-facing applications, including customer forms, workflows and cookie policies. On the backend, you’ll need access to logs that track customer interactions, such as those from security applications used for authentication.
Develop an overall strategy for managing customers’ personal information
CCPA is likely just the first of many state privacy regulations with which your company will have to comply. New York has pending legislation, which is widely considered to be bolder than California’s, and privacy legislation is similarly pending in Arizona, Washington and New Jersey.
While we find clients are cautiously awaiting new regulations, we advise looking for crossover among the different state regulations. The expected rollout of more bills over the next 12 to 24 months means that the heavy lifting you do to prepare for CCPA will be reused in the coming months to accommodate other legislation.
Establish a Data Protection Office
Governance and change management are an essential part of CCPA compliance for every company. Establish a central office to ensure sponsorship from senior leaders and facilitate funding. The data protection office can coordinate all supporting programs and projects going forward. It enables your organization to achieve compliance in a strategic, comprehensive way.
Conversations about CCPA have evolved from if and when to comply to how. CCPA is on, and the big unknown now is how much of an opt-out culture is waiting. Don’t wait until it’s too late to find out.