The California Consumer Privacy Act (CCPA) went into effect on January, 1st 2020. It was the latest step compliance officers have taken into the realm of data privacy—but by no means will be the last. So let’s examine the rise of data privacy as a concern for corporate compliance officers, and what the arrival of the CCPA (and other consumer privacy laws) means for compliance officers (and how they perform their roles).
The Importance of the CCPA
First, the CCPA is important not just because it imposes a bevy of compliance obligations on companies subject to the law (although it certainly does that). The CCPA is also important for what it represents conceptually: the arrival of European-style data privacy in the United States, where personal information is property that belongs to the consumer, which companies must handle with a certain duty of care.
That makes privacy compliance a much more complex challenge. Companies need to think more about what’s best for the consumer as you handle personal data, as well as how to accommodate the consumer and the rights he or she might exercise under various privacy laws.
In short, businesses need to make a “culture of privacy” more of a priority, in much the same way anti-corruption regulators stressed the importance of a culture of compliance in the 2010s. A culture of privacy and security will be the watchword for the 2020s.
That’s the larger significance of the CCPA (and its European cousin, the EU General Data Protection Regulation) for compliance officers. It’s going to force deeper changes in business processes, policies, and corporate awareness of privacy—and any time we talk about changes in policy, procedure, and corporate culture, the compliance function is crucial to that.
Now let’s get more practical.
Compliance Capabilities for the CCPA
Compliance with the California Consumer Privacy Act is about a company’s ability to know what personal data it has, to track which third parties access data, and to deliver the rights consumers have under the CCPA.
When you translate those goals into capabilities that the company must have to get the job done, several emerge as the most important.
1. Data Management
The CCPA includes a list of specific types of information within the scope of the law—names, email addresses, photos, audio recordings, Internet search history, biometric data, and more—plus the catch-all “any information that can reasonably be associated” with a specific person.
So the most fundamental compliance capability is simply to understand what personal data your company collects. Where does that data enter your extended enterprise? What business processes touch it? What third parties touch it? Where is the data stored?
CCPA compliance means that the compliance function has visibility into those issues. Perhaps that wasn’t the case previously if your organization had low data privacy risks. Those days are fading fast. Businesses will need better data management capabilities, and compliance will need to understand those capabilities to assure that they meet the obligations the CCPA imposes.
2. Assessment and Monitoring of Third Parties.
Oversight of third parties is not a new capability per se, but the CCPA pushes the need for that capability to new heights.
For example, the CCPA draws a distinction between “service providers” and other third parties. A service provider receives personal data from your business as part of a written contract, to execute a specific task for you: write a legal brief, host a website, run payroll, and so forth. The CCPA exempts service providers from its provisions but sets out a list of criteria those parties must meet to qualify as service providers. Otherwise, they are third parties in the “normal” sense of the term, where the CCPA does apply.
We are experiencing the early days of CCPA compliance, this point is important—but also confusing. This means compliance functions will need to sharpen their assessment of third parties, to understand the exact business relationship and assure that it meets all the criteria for service providers. Again, the CCPA pushes the compliance function further into business operations, so the CCO can understand how to achieve CCPA compliance.
3. Building CCPA-Compliance Business Processes
Remember, the CCPA gives California residents certain rights to their personal data. The company must figure out how to let California residents fulfill those rights—and how to do so in a way that doesn’t create more problems than it solves.
For example, under the CCPA consumers have a right to see the data that a company has collected about them. So companies need to devise policies and procedures to fulfill that right: a way for consumers to submit the request, procedures to identify all the relevant data, and a way to present that list of data back to the consumer.
Well, security specialists have already identified bogus data access requests—where hackers pretend to be someone asking to see his data and dupe a company into sharing it—as a threat. So companies will need to be aware of that threat, and build identity-confirmation controls into their access request procedures.
Likewise, consumers can ask for companies to delete their personal data, but companies can’t delete data that might be part of a law enforcement investigation. So you’ll need procedures to confirm which data can or can’t be deleted.
What CCPA Means for Compliance Officers
Those are only three capabilities a company will need to develop to achieve CCPA compliance; we could discuss many more. Fundamentally, the CCPA will require the compliance function to get more involved in structuring business processes, since so many business processes now involve at least some processing of personal data—and achieving CCPA compliance is about handling personal data with proper care, at all times.
