The California Consumer Privacy Act
How should leading companies prepare?

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. That leaves very little time for companies to adapt to these changes, and many organizations, executives, and product technology leads will have to begin planning. Individual company policy requirements for this change should be defined by a company’s legal or compliance team. The process of implementing the technical changes will vary in complexity, especially for companies that offer B2B web experiences that cascade down into many permutations. This post focuses on the technology activities and choices one can expect when embarking on this path.

In this post, you can expect 1) a brief background on CCPA’s predecessor, the General Data Protection Regulation (GDPR), 2) a high-level breakdown of the regulations included in the CCPA, and 3) a potential journey to address the implied requirements, especially from a digital product and technology perspective. From a software planning and implementation perspective, we at Digital Foundry believe there are key steps that can be taken now to prepare for CCPA.

What is the CCPA and where did it come from?

In a nutshell the CCPA is a digital privacy law that will provide more transparency and control to consumers regarding their personal information. The CCPA applies to California consumers, including those who are temporarily out of state, which means it is effectively the new national standard.

In 2016, the European Union passed the General Data Protection Regulation, known as GDPR, to help consumers understand and exert more control over their personal information as they interact with technology companies. This meant that any company doing business in the EU had to meet a new set of compliance rules when the GDPR went into effect on June 28, 2018. In the months leading up to this, companies had to rework their policies, procedures, and technology offerings to meet the new regulations (or be liable for fines if they did not).

A similar story is now unfolding in California. While many American companies had to comply with GDPR due to the global reach of their products, a good portion did not have to adapt as quickly. Now’s the time. The California Consumer Privacy Act was signed into law in June 2018, and grants consumers four basic rights:

  • The right to know what personal information a business or organization has collected about them, where it was sourced from, how it is being used, whether it is being shared or sold, and to whom it is being shared or sold
  • The right to “opt out” of allowing a business to sell their information to external parties
  • The right to deletion of their personal information
  • The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act

What kind of regulations are we talking about?

Regulation How does this impact your technology or organization?
1. Let customers know what they’re collecting, and why.

All 4 of these things involve either content display (disclosures) or some sort of user interaction. You may have already noticed a lot more popups when you navigate to websites lately, letting you know what is going on and essentially forcing you to acknowledge that your information is being collected.

These experiences are lightweight, but they still need to be built and work across all permutations of your website landing pages.

2. Allow customers to opt out of the sale of their personal information.

3. Obtain opt-in consent from children (age 13-16) or their legal guardian (for children under 13 years old) to sell their information.
4. Offer a support line or online form for customers to access, request deletion, or opt out of the sale of their information.
5. Disclose what pieces of personal information has been collected if the customer requests. There are some significant operational implications on policy and procedures. This data needs to be accessible in the first place, which is easier said than done when dealing with a legacy platform architecture.
6. Enforce contract terms with service providers. 3rd party integrations may be crucial to a company’s business model. Assessing these agreements is key in ensuring that CCPA is met throughout the entire service offering.
7. Provide customers who exercise their privacy rights the same product, service quality, and prices as consumers who don’t.

Sometimes digital experiences rely on the collection of customer data, but moving forward companies can’t allow personal information to determine customer experience. For instance, you can’t display different prices for customers if they have not provided their information.

For companies with many digital touchpoints, taking inventory of the points at which data unlocks the next step will be necessary to ensure that a user can proceed without giving up their data. We’ll get into steps to carry this out in the next section.

Preparing your digital services and products for the shift

The journey to understanding how your business units will make this transition is not completely straightforward, but here are some key actions we suggest you consider taking sooner rather than later.

Perform a Current State Assessment

Map out how your digital products handle user data, from collection to sale or disclosure. Inventory the categories of user information collected, where you get it, why you collect it, and what types of organizations or 3rd parties you may share it with. Consider creating system diagrams to visualize your current state.

Sound easy? When you have legacy technology and systems, figuring out where all of this data lives is difficult, let alone how to delete it without breaking something else. Remember, you have to delete it upon a customer’s request, but this can be challenging if there are tons of platform dependencies involved.

The current state assessment activity can take time, and often is best done by a dedicated team of product and technical experts, or neutral external group. It will set the stage, and help you determine where to make changes.

Define new procedures for digital touchpoints if necessary

Create a high-level backlog of procedural or architectural redesign tasks to address gaps between CCPA requirements and your digital product technology stack. Leave extra time to run through the development lifecycle – ideation, testing, and iteration – to ensure you’re checking the CCPA boxes and still accomplishing the business purpose of each feature.

Implement data security

Ensure that your engineering organization, operations, IT, legal, and marketing teams all understand what they need to do to meet the CCPA standards. Run workshops to strategize and coordinate efforts to reduce inefficiencies.

Button up data records now

Customers will be able to request access to their data immediately when the law goes into effect, so it’s important that companies prioritize capturing key processing activities so they can meet these requests.

What else?

Luckily, the CCPA appears to be a more limited law than the GDPR because it is primarily concerned with consumer rights rather than extending to cross-border data transfers. But it is still a big change, and there’s work to be done!

If you need help planning and implementing your CCPA policy requirements after working with your legal or compliance department, please feel free to reach out to Digital Foundry. We can help take a holistic look at your systems, identify risk areas, and provide you with a range of pragmatic solutions.

Like or share this post: