Consumers are demanding greater privacy and data security protection. You’ve seen the General Data Protection Regulation (GDPR) regime come into force in Europe. Now, this trend is coming to one of North America’s largest jurisdictions: California.
The California Consumer Privacy Act (CCPA) took effect this year. Getting ready for CCPA compliance is an important way to reduce risk and show your customers that you take their security concerns seriously.
The Missing Link In Your CCPA Compliance Strategy
Many companies start by seeking legal advice for CCPA compliance. That’s an excellent first move to make. However, it is not enough to achieve companywide compliance. To reach that result, you need to revise your identity management practices and systems.
In this short guide, you will discover the fundamentals of CCPA, how to assess it and the role identity management plays in compliance.
CCPA 101: The Five Key Facts You Need To Know
Before you dive into building a compliance program, let’s understand the nature of the challenge. Here are a few facts you need to know:
• Effective Date: The CCPA became effective on January 1, 2020. However, enforcement actions may not start immediately.
• Jurisdiction: This law applies to California. If you have customers in the state, take CCPA seriously.
• Fines and Lawsuits: Failing to follow CCPA requirements carries a high cost. The law has made it easier for individual consumers to sue companies. In addition, fines of up to $7,500 may be applied to companies that break the law.
• What CCPA Applies To: CCPA does not apply to all companies. In order for CCPA compliance to be relevant, your company has to meet a few criteria, such as having $25 million or more in annual revenue, possessing personal information on 50,000 or more people, or earning more than half of your revenue from selling consumer personal information. Indeed, the law will have direct impacts on companies like Facebook and Google, but it will apply to many other firms as well.
• Enforcement Actions: Because it is a new law, it is unclear how frequent or how severe enforcement actions will be. Popular support for security and data protection suggests that we should plan for a robust approach to enforcement.
Building A CCPA Compliance Program In Four Weeks
Assuming your organization has some level of IT security and data privacy program in place, reaching CCPA compliance should not be overwhelming. To simplify the process, follow this week-by-week program:
Week 1: Current State Evaluation
If your company went through a GDPR compliance program recently, some of those processes will help you achieve CCPA compliance. Before you make any changes to your company’s processes and technology, you need to understand your current situation. Sit down with your technology and business leaders to explore the following questions:
• How many customer profiles do we have in total? How many are in California?
• What percentage of our revenue comes from selling customer personal information?
• What resources and capabilities does the company have from a privacy protection perspective?
• What resources and capabilities does the company have from an IT security perspective?
• What lawsuits, audits or other challenges has the company experienced with data protection and security in the past two years?
Based on this information, you will be able to determine your gaps and the way forward.
Week 2: Identify Gaps And Risk Exposures
In this part of the process, you will identify gaps and risk concerns related to CCPA compliance. I recommend organizing a group of stakeholders to examine CCPA compliance from a legal, technological and business perspective. The business point of view is essential because you might have a strategic focus on California consumers or a desire to grow your California customer base. In that case, achieving robust CCPA compliance will be critically important.
Some companies may have limited resources for CCPA compliance. In that case, I recommend focusing on high-risk areas first, such as protecting systems with customers’ personal information. Depending on your risk exposure, you may choose to defer other activities like building out a CCPA-compliant process until a later time.
Week 3: Develop Or Revise Business Processes
Next up, update your business processes to account for CCPA compliance. For example, you may start asking marketing and sales to make an additional effort to confirm the accuracy of location data. In particular, marketing data can be more challenging to protect, since it may not always be possible to verify whether a prospect is located in California.
To lower the chance of data loss, review your IT security procedures as well. One easy win is to regularly review and remove inactive user accounts. For example, suppose your marketing team has 10 users with access to sensitive customer data, and five of them have not logged into the system in the past 90 days. In that case, remove the unneeded user access to cut down your CCPA compliance risk. Before making this kind of change, discuss it with the users and their managers first.
Week 4: Leverage Specialized Systems
CCPA compliance means that you will protect all relevant records and data. However, it is usually not practical to manually review and secure every database and system. Thankfully, that level of review is not necessary. Instead, you can use identity and access management software to control access. In addition to reducing inactive users, there are other ways to use this software to reduce CCPA compliance risk.
By using identity and access management software, your IT security policies will be applied more consistently. For example, you may require mandatory multifactor authentication (e.g., logging in with a password plus a unique code sent to a phone) before granting access to customer databases. By enforcing such a requirement systematically, you will have a lower chance of a data breach.
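The two controls described in Week 3 and Week 4 (flagging accounts with no login in 90 days, and refusing access to customer databases unless multifactor authentication is in place) are simple enough to script against an export from your identity system. The following is an added example written for this guide, not code from the article or from any particular IAM product. The user records, the review date and the names of the systems tagged as holding customer personal information are all constructed for illustration; in practice they would come from your directory and your data inventory. Note that the script only produces a review list, in keeping with the advice to discuss removals with users and managers before acting.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article): systems that your data
# inventory has tagged as holding customer personal information.
CUSTOMER_PI_SYSTEMS = {"crm-db", "marketing-warehouse"}

# Constructed sample identity records: one row per user, with the last
# successful login (None = never logged in), MFA enrollment status, and the
# systems the user is entitled to access.
SAMPLE_USERS = [
    {"user": "alice", "last_login": "2020-03-28T09:12:00Z", "mfa": True,  "access": ["crm-db"]},
    {"user": "bob",   "last_login": "2019-11-02T17:40:00Z", "mfa": True,  "access": ["crm-db", "wiki"]},
    {"user": "carol", "last_login": "2020-03-30T08:05:00Z", "mfa": False, "access": ["marketing-warehouse"]},
    {"user": "dave",  "last_login": None,                   "mfa": False, "access": ["wiki"]},
    {"user": "erin",  "last_login": "2019-12-15T12:00:00Z", "mfa": False, "access": ["marketing-warehouse"]},
]

REVIEW_DATE = datetime(2020, 4, 1, tzinfo=timezone.utc)  # constructed "as of" date
INACTIVITY_DAYS = 90                                      # threshold used in the article


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp; None means the account never logged in."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_accounts(users, as_of=REVIEW_DATE, days=INACTIVITY_DAYS):
    """Return the names of accounts with no login in the last `days` days.

    Accounts that have never logged in are reported as stale as well: an
    unused credential is still an account that could be taken over, so it
    belongs on the review list."""
    cutoff = as_of - timedelta(days=days)
    stale = []
    for u in users:
        last = parse_ts(u["last_login"])
        if last is None or last < cutoff:
            stale.append(u["user"])
    return sorted(stale)


def missing_mfa_on_pi(users, pi_systems=CUSTOMER_PI_SYSTEMS):
    """Return users entitled to a customer-PI system who have not enrolled in MFA.

    An IAM system enforces this at login time; running it as a periodic report
    shows who would be blocked (or who still needs to enroll) before the
    policy is switched on."""
    return sorted(
        u["user"] for u in users
        if not u["mfa"] and pi_systems.intersection(u["access"])
    )


def access_decision(user, system, pi_systems=CUSTOMER_PI_SYSTEMS):
    """Decide whether a login to `system` may proceed, mirroring the
    'MFA before customer databases' rule: PI systems require MFA, other
    systems are allowed under the existing password policy."""
    if system in pi_systems and not user["mfa"]:
        return "deny: MFA required for systems holding customer personal information"
    return "allow"


def review_report(users):
    """Combine both checks into a single report for managers to act on.
    Nothing is removed here; removal follows the human review the article
    recommends."""
    return {
        "stale": stale_accounts(users),
        "no_mfa_on_pi": missing_mfa_on_pi(users),
    }


if __name__ == "__main__":
    print(review_report(SAMPLE_USERS))
    print(access_decision(SAMPLE_USERS[2], "marketing-warehouse"))
```

Run against the sample data, the report lists bob, dave and erin as stale (dave because the account has never been used) and carol and erin as users who can reach a customer-PI system without MFA. Swapping the constructed lists for a CSV or API export from your directory is the only change needed to use this against real records.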
These four weeks will get you started. If you encounter CCPA compliance lawsuits, you will need to seek a qualified legal professional for help. However, taking the CCPA seriously right now by improving your security controls will make lawsuits, investigations and other problems much less likely.