The European Union’s General Data Protection Regulation (GDPR) has generated ripple effects on a global scale. In the United States alone, more than 100 bills on data privacy have been proposed, and talk of a national data privacy law is picking up steam.
We believe a federal law that provides a uniform standard would help harmonize a fragmented landscape of laws that vary by sector and state. We encourage our clients and partners to consider participating in the various coalitions proposing frameworks for a national law, including the U.S. Chamber of Commerce, the Business Roundtable, the National Business Commerce Coalition of E-Commerce and Privacy, the Association of National Advertisers, and the Privacy for America Coalition.
Ultimately, however, all these proposed laws and regulations are merely hypothetical at this point. There are actual laws with enforcement dates rapidly approaching that businesses must prepare for in earnest — none of which looms larger than the California Consumer Privacy Act (CCPA).
A Brief Overview of the CCPA
At a high level, the CCPA requires covered businesses to provide California residents substantially increased notice, access, and control of their data. It requires consumer access for three types of information: 1) data collected, 2) data sold, and 3) data disclosed. Check out Acxiom’s dedicated CCPA page for a deeper dive into the law.
There is no doubt that preparing to comply with the CCPA will be a significant undertaking, akin to changing the tires on a moving car. Unfortunately, there is little time to prepare. The January 1, 2020, effective date is rapidly approaching.
How to Start Preparing for the CCPA
While additional amendments and implementing regulations are expected, businesses should not take a “wait and see” approach. Although enforcement of the CCPA begins in 2020, the law gives consumers the right to request access to data collected about them during the previous 12 months, which means businesses must be able to provide information from as early as January 1, 2019.
Many enterprises that do business in the EU dragged their feet with GDPR implementation, hoping for amendments that would lighten their administrative burden. Those amendments never came, so businesses facing a similar situation in California should not make the same mistake.
It can be difficult to know where to start with such a broad, sweeping law. If your business has already achieved GDPR compliance, the good news is you do not have to start from square one. Much of what’s required in the CCPA was required by GDPR, although differences exist. For instance, CCPA’s definition of personal information is broader.
As a first step toward CCPA compliance, our clients should begin auditing and categorizing their first-party data. Start by conducting a thorough inventory of your customer data and how it flows into, out of, and throughout your organization. It’s critical to examine the collection and use of this data to determine whether your organization follows ethical data sourcing and use practices.
With a holistic view and understanding of your data, you can begin categorizing it into the CCPA’s 11 categories that constitute personal information. Among other things, covered businesses must be able to provide California consumers who make access requests a report showing the categories of personal information and “specific pieces of information” the business has collected, and the categories of personal information and third parties for the data it has sold or disclosed. Establishing categorization frameworks is the first step in creating processes to respond effectively to consumer access, opt-out, and deletion requests.
CCPA compliance will be a long, arduous journey, so it’s critical to start now with these two foundational building blocks. Ultimately, the benefits of your efforts will stretch far beyond regulatory compliance. They will build consumer trust and enhance your ability to turn good, clean, trusted data into exceptional customer experiences.
Learn more about how to achieve compliance readiness in this new data governance eBook.