3 Ways to Prime your Organization for CCPA, a California-Flavored GDPR

Here we are, nearly a year to the day since GDPR regulations took effect and the impact has been felt all over the world. Google became the first high-profile company to be levied a fine — $57 million in that case. Word on the street is that Google failed to disclose to users how data is collected across its services.

And the United States appears poised to bring data privacy regulations of its own — starting with the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020. It’s the first State-level data privacy regulation and it is pretty comprehensive.

If your organization is not already planning for CCPA, the clock is ticking. CCPA can be seen as a harbinger of ever stricter data privacy laws to come, and companies with US-based customer and prospect data need to be aware of how they will be affected.

CCPA — Is it GDPR 2.0?

The similarities between the two regulations are undeniable. Like GDPR, California’s version gives residents rights around how their data is procured and used. The intentions of the Act are to provide California residents with the right to:

  1. Know what personal data is being collected about them.
  2. Know whether their personal data is sold or disclosed and to whom.
  3. Say “no” to the sale of personal data.
  4. Access their personal data.
  5. Equal service and price, even if they exercise their privacy rights.

And like GDPR, CCPA expands the scope of what exactly constitutes data that must be protected and accounted for. As this excerpt from Wikipedia puts it:

CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Like GDPR, CCPA carries fines for non-compliance. Californians can bring civil action against companies that break the law. The State can also fine companies directly — a $7,500 fine for a violation not addressed within a thirty-day timeframe.

The reach of CCPA will be far and wide, much like its predecessor GDPR. The CCPA affects any business that does business in California and satisfies at least one of the following thresholds:

  • Annual gross revenues more than $25 million
  • Owns personal information of 50,000+ consumers, households, or devices
  • Earns more than half of its annual revenue from selling consumers’ personal information

How to Prepare Your Organization for CCPA

If your organization falls into one of the three categories mentioned above, you should start developing a plan to maintain compliance with CCPA regulations. Companies have been through this song and dance with GDPR and should be in a good position to make sure they are complying with similar CCPA mandates. Obviously, data security tops the list of first-line compliance measures, but what else should you be looking for? Here are a few key considerations:

Know Where in Your Information Ecosystem Personal Data Lives

Given that most organizations store information in four separate repositories, on average, the first challenge faced by organizations is mapping out where personally-identifiable information (PII) lives in their ecosystem. Information management solutions like M-Files can be a line of defense in combating this challenge. They can easily surface any overt (or less-obvious) occurrences of PII within multiple repositories, classify it and secure it. Furthermore, information management platforms can apply workflow rules to any incoming data the system identifies as potentially being PII to ensure that the data is in keeping with regulations.

Make it Easy (and Fast) to Retrieve

Under CCPA, your customers have a right to know what information you store about them. They can submit data access requests and companies are on the clock with a deadline to furnish that information. For any organization that doesn’t have a solid information management strategy, finding, accessing and retrieving that data could pose a problem. Again, systems like M-Files can make that process fast and painless by providing a search across multiple company repositories.

Take a Good, Hard Look at Your Current Information Management Strategy

When GDPR hit the scene, lots of companies — solution providers, consultants and others — promised a better path to compliance. Be wary. The best way to solve the CCPA problem is to stop focusing on that specific problem and start addressing your information governance strategy as a whole — with CCPA (and other data regulations) as a consideration. That way, companies can set the stage for a comprehensive, proactive strategy that has longevity, rather than a short-sighted, reactive strategy that addresses one particular concern.

CCPA as a Template for Future State Regulations

Not-so-bold prediction: California will not be the only State to pass stricter data privacy regulations. Many states already have internet-related privacy laws but may be looking with a keen eye at how CCPA plays out and planning their next move.

It all adds up to one incontrovertible truth: Organizations need to be really good at managing their PII data. They need a solid information management strategy to stay ahead of the curve.