CCPA compliance begins with data inventory assessment
In this SearchCIO Q&A, multiple experts sound off on major questions businesses have about CCPA compliance ahead of its January 2020 effective date.
Driven by the global call for increased consumer data privacy, the recently passed California Consumer Privacy Act bolsters consumers' rights by restricting the collection and sale of their personal data. The act will impact business processes and practices of many companies operating in California -- and it's already causing CCPA compliance anxiety at these organizations.
With CCPA implementation deadlines approaching, corporations are beginning to assess the potential effects of compliance and how best to begin. We asked a bevy of legal experts and analysts to sound off on the future of CCPA in 2019 and beyond.
Editor's note: The following has been edited for clarity and brevity.
Should companies already be assessing their CCPA compliance?
Arshad Noor, CTO, data protection company StrongKey: If [companies] have already prepared for GDPR, they have the foundation -- and perhaps more -- for dealing with CCPA. They will only need to do what is specific to CCPA that is not already addressed by GDPR. Those who do not need to comply with GDPR but who meet the criteria for compliance in CCPA will need to start the process for CCPA compliance. If a business does not already have someone, the first step is to identify someone within the company to own the implementation for compliance.
Daniel Messeloff, partner, Tucker Ellis LLP: Companies should start now in assessing their own data privacy practices so as to comply with whatever the final product of the CCPA will be. The law -- in one way, shape or form -- is going to be enacted, and there are certain broad measures that companies can investigate and implement now.
Dan Essig, analyst, Gartner: Many legal and privacy teams we work with are using this as an opportunity to engage the business in a dialogue about data minimization. Laws like the CCPA require companies to think harder about the balance between the business rewards of collecting and using personal data and the very real risks of misusing or mishandling that data once it's been collected.
How can companies begin to assess their CCPA compliance? What's a starting point?
Erin Illman, partner, Bradley Arant Boult Cummings LLP: Companies should start by determining what personal data is collected from California residents, determining the purpose for the collection and identifying what data is disclosed to third parties and the purpose of the disclosure. A company must first understand what data it collects, uses, stores and shares with third parties in order to begin to build a compliance program.
For example, CCPA requires specific disclosures, including categories of personal information collected and how the information is used. Without fully understanding all of the avenues from which data is collected and the corresponding purpose, a company cannot begin to operationalize those disclosures. By starting a data mapping and categorization exercise now and by determining whether the personal information needs to be collected or is being collected for a legitimate purpose, a company can streamline its business practices to simplify compliance and reduce liability prior to having to operationalize the requirements of CCPA.
Messeloff: The two best ways that companies can start assessing their compliance with the law are, first, to determine if the law actually applies to you, and, second, to determine what data you are handling. For the CCPA, companies should make sure that they are subject to the law. If they are, then they should have a meeting with their operations people, their marketing people and other department heads and figure out just what information they are storing for individuals. Once that 'data mapping' is done, they can figure out what to do with the various types of information.
Shaun Jamison, associate dean of faculty, Concord Law School: They can create simulated requests from regulators or consumers to see if they are complying and if they are able to meet specific requirements. They may wish to hire an outside vendor to audit their compliance as well as conduct internal reviews.
What is the greatest challenge that faces companies on the road to CCPA compliance?
Illman: There are ambiguities in the current version of the law that are going to require interpretation and guidance. Compliance with CCPA represents a major change in how most businesses operate and manage data. Companies will need to focus on fully assessing their data collection, use and storage practices and thoughtfully analyze those practices against the requirements of CCPA.
Messeloff: The greatest challenge to CCPA compliance for companies at this time is the uncertainty of what the final requirements will be. The law will be modified, developed and finalized over the course of 2019, so it will be practically impossible for anyone to say in February or March that they comply with the law because no one will know precisely what the law requires or prohibits.
Will we see an evolution of CCPA in 2019?
Illman: We can expect further technical revisions to the CCPA, which may provide clarity as to the scope, definitions and obligations. However, we are not likely to see substantive 'watering down' of the statute. Given the amount of work that many companies will need to undergo to comply with CCPA, coupled with recent survey results that indicate that about 50% of companies were not confident that their organizations would meet the 2020 deadline, we may see the compliance date extended or a grace period afforded.
Jennifer Newton, director of consumer financial services compliance, Kaufman Rossin: In 2019, we want to be on alert for the replication of the CCPA in other states. California is typically the trendsetter: States look to California to see what proposals might be useful in other states. In terms of CCPA, we'll probably see some attempt to get the act modified or amended on certain issues. We won't have to worry about enforcement because it's not operative until 2020 and the attorney general still has to set rules that clarify some definitions in the act.
Essig: In 2019 and beyond, I think it's reasonable to expect updates to the legislation, further legislation from other states, or even federal legislation. GDPR represented the first of many new global laws that enhance companies' data protection responsibilities. Laws proposed or enacted since, like Brazil's Data Protection Act, show that this higher bar is the new normal. While the specific jurisdiction-by-jurisdiction requirements might differ, building and maintaining a strong data privacy program is now an imperative for any company that does business globally or hopes to.