CCPA Gets Real: Finding Your Way Out of the Weeds
The California Consumer Privacy Protection (CCPA) comes into effect in a matter of months, and earlier this month, California Attorney General Xavier Becerra issued highly anticipated initial guidance on how to operationalize the law: it’s of particular interest because the AG’s office will be responsible for enforcing the law. The Regulations may have introduced some uncertainty, but definitely have amplified the anxiety on how best to prepare for CCPA – and beyond.
From the specific to the general
Initial reviews of the Regulations were not universally positive, but the focus quickly swung to the practical repercussions of the Regulations. What is notable that the Regulations move from down in the weeds to the forest’s ecosystem.
For instance:
– the Regulations are very specific about how covered enterprises should verify the identity of non-account holders for requests for either PI categories, or the specific PI that has been collected about them.
– the Regulations provide extensive details on where and how buttons to facilitate “Opt-Out” or “Do Not Sell” requests should be displayed on corporate websites
– And – probably even more significantly – the Regulations now stipulate that companies will have 15 days to implement the opt-out of data sale requests.
Meanwhile, the California AG’s office elaborated in the attached Statement of Reasons that the law’s intent is to restore consumer control of their data and ensure transparency in “how businesses collect, use, and share personal information and on what businesses must do to comply with the CCPA.”
Transparency, in this sense, is more than the sum total of the parts.
The road to ruin is paved with good intentions
Because privacy compliance is an emerging area for the US, the practical focus in the near term will likely be on the weeds: making sure the necessary notices, policies, and request routing processes are in place. All of these elements are obviously necessary steps, but keeping the focus on the weeds runs the risk of losing sight of the forest – which is the intent of the law.
Even if companies can get the details right, they may fall into the trap of only getting the details right – at the expense of building programs that are repeatable, demonstrable and sustainable.
For example, using language that is clear and explicit in the initial privacy notice is critical. But without data-driven insights on how the data is being used in the context of a business process (and being able to flag if the data is used for another purpose), then the transparency is limited to the privacy policy only.
The shifting guidelines also point to the pitfalls of a manual approach that will constantly be in catch up mode and repeatable only if the Regulations remain static. If enterprises aim to make privacy a key operational principle and corporate value, they will need to avoid being mired in a cycle of expensive and disruptive changes simply to keep up with evolving Regulations.
To work toward a sustainable, repeatable, and demonstrable privacy operationalization strategy, enterprises will need a solid foundation in place that is automated and extensible. This is where cohesive, privacy-aware data intelligence comes into play.
A jungle or a garden?
Cohesive data intelligence enables enterprises to adapt when new requirements emerge so the changes don’t massively throw the ecosystem out of balance, and undermine privacy strategies with corporate stakeholders.
Let’s look at a few examples to illustrate the point.
For instance, in the case of verifying data access requests for non-account holders, enterprises must be able to take two or three data points (depending on the nature of the request), and filter through thousands or even millions of individuals to narrow down on a specific consumer, and then respond with a report that is clear, comprehensive and current.
Likewise, for responding to opt-out or do not sell requests, enterprises will have to be able to:
– verify the identity of the specific individual making the request
– determine what data categories and attributes are being collected in the context of a specific business process or data flow for that individuals
– identify with which third parties the data is being shared, transferred or sold
– cease data sales and transfers for a year, or until the consumer opts-in to data sales again
What the Regulations now stipulate is that all of these steps should be performed and completed within the space of 15 days.
Both of these examples point to the complexity of taking a manual approach – cutting through the jungle with a machete by way of analogy – that is the exact opposite of repeatable.
When enterprises maintain up to date, granular and specific views of whose and what personal data they collect and process that are fed by automated discovery and classification – even at massive data scale and complexity – they can leverage this identity-centric view based on data intelligence to respond accurately and quickly. And, analysts can verify the identity of non-account holders in a simple query based on this identity-centric view – rather than get bogged down for days.
Likewise, when a consumer makes an opt-out request, this identity-centric view allows analysts to pinpoint exactly whose data, what types of data, for which data flows and associated third parties data sales must be suspended.
Plus, the incremental effort required to adjust to new requirements is minimized, since it’s a matter of changing how reporting is done, not how privacy operations are implemented. And, the data intelligence work done for privacy strategy and compliance can be easily translated to areas like data analytics, governance, and security – rather than remain confined to privacy compliance alone.
With cohesion between data intelligence and data rights management and advanced reporting, then enterprises can radically reduce the complexity of separate, stove-piped steps.
Looking toward the horizon
There’s no doubt that complying with CCPA will involve dealing with the specifics of the CA AG Regulations. The broader challenge that our customers are engaged with is moving from reactive mode towards making privacy protection integral to their business and corporate values.
To get the details right and ensure that they elevate from the weeds to tend their garden, they see that operationalization needs to be directly informed by privacy-aware data intelligence. To make a commitment to privacy protection a practical reality, they start with an identity-centric view across all their data and then leverage these insights delivered at scale to manage, govern and protect personal data – as well automate the latest CCPA requirements.
This is precisely the objective that BigID was founded to achieve. We’ve helped companies who see compliance as a stepping stone to a comprehensive privacy strategy, and who see the hurdles of a reactive mode standing in the way of that goal.
To learn more about BigID’s approach to automating CCPA compliance and privacy-aware data intelligence, download our white paper here.