CCPA took effect on Jan. 1, 2020, following the May 25, 2018, launch of the landmark global compliance regulation GDPR. When California begins enforcing CCPA on July 1, 2020, any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data will be governed by CCPA if it:
- Has annual gross revenues in excess of $25 million; or
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half its annual revenue from selling consumers’ personal information.
Data privacy regulations have focused on holding organizations accountable for breaches of their systems and the personally identifiable information (PII) they hold. In fact, a foundational premise of CCPA is that consumers “own” their privacy information. However, while CCPA acknowledges the primacy of consumers’ rights regarding the information that organizations hold, much less attention has been paid to how consumers can take action on their own.
A tenet of CCPA is that consumers should feel free to exercise their rights to safeguard their personal data—and hence the incorporation of what CCPA refers to as subject rights requests, or SRRs. (A data subject, or simply “subject,” is defined as an identifiable individual about whom personal data is held.) What’s more, consumers should demand that organizations remain transparent about the usage of their personal data so they understand what information the organization holds, how it is being used, and who it is being shared with.
That said, complying with SRRs requires that organizations establish a privacy management program well in advance of receiving requests. The goal is to “hit the ground running” and avoid becoming deluged by the flood of incoming requests—especially in the early days of CCPA. And then comes the hard work: drawing up a data inventory of all the organization’s IT environments, establishing what information is classified as personal data under the CCPA, and mapping the flow of data through your applications that use it.
SRRs: A ‘Foundational Requirement’ of CCPA
That is why SRRs have become central to consumers’ data privacy rights under CCPA. They cover a defined set of rights where individuals have the power to make requests regarding their data, and where organizations handling this data must address these requests in a defined time frame—which, for CCPA, is 45 days. Gartner cautions that SRRs will play an overarching role in enforcement of CCPA.
What’s more, CCPA differs from GDPR in its definition of an “entity” (the data subject). “The GDPR is specifically focused on all data related to the EU consumer/citizen whereas the CCPA considers both the consumer and household as identifiable entities.”
Given the primacy of consumer data, organizations that are subject to CCPA need to turn their focus to protecting the consumer data they hold, which should be their highest ideal. Still, Gartner cautions that subject rights requests left unmanaged have the potential of becoming “death by a thousand cuts.”
SRRs come in three categories:
- Right to know: These rights focus on providing individuals with access to their data. This class of requests includes the most commonly sought SRRs, typically known as subject access requests (SARs) or data SARs (DSARs), where individuals seek to view what data the organization holds on them.
- Right to correct: These rights focus on allowing individuals to manipulate their data or their preferences. At the extreme, corrective rights allows individuals to delete their records.
- Right to object: These rights focus on allowing individuals to control how their data is processed. Under CCPA, individuals have the capacity to object to the sale of their data to a third party.
Flow mapping can be a massively complex and tedious undertaking, of course. But it can become painful in highly distributed infrastructures, according to Gartner. “The question is, why is ensuring GDPR [or CCPA] compliance so difficult? The answer lies in the complexity of a given organization’s technology infrastructure, which is laden with dozens if not hundreds of systems. Any one of those systems, which seldom talk to each other, can hold various customer records.”
Organizations that bring a high level of transparency to SSRs inevitably increase customer intimacy while strengthening their brand image. And, in doing so, they meet the highest of ideals: protecting consumer rights.
Keep in mind that businesses must meet every SRR within 45 days. Here is a six-step process that sets the stage for success:
- Establish a privacy risk register, where the organization can log and validate repositories of personal data, calculate the risk of each entry, and use it to prioritize remediation tasks.
- Divide the discovery exercise into two parts: one dealing with information currently held, and the other focused on new information that the organization is generating or appropriating.
- Ensure that new information introduced into the system has the metadata that would allow it to be tracked and managed properly.
- Capture, catalog, and prioritize large repositories of personal data—such as HR data, CRM records, and customer care logs—as they represent risk to a large number of individuals.
- Enable your employees and partners to introduce new personal data repositories they discover into the existing privacy risk register. Doing so creates an iterative, crowdsourced process that maximizes the amount of personal data you can manage for any individual.
- Define consumer rights workflows and steps in detail. Automate consumer rights management with a data privacy compliance automation platform.
And remember that enforcing compliance can be a notoriously complex challenge. “A CCPA-covered business is required to respond to at least two requests from any individual consumer in a 12-month period, provide a toll-free number for consumer information requests, and prominently link to an opt-out page from the company’s homepage or any other page where personal information is collected,” according to the law firm Gunderson Dettmer.
Perhaps the most crucial aim of every organization subject to data privacy regulations is to prepare for the likelihood of an audit. But isn’t complying with the “letter of the law or the regulation” sufficient preparation? Unfortunately, no. Enforcing compliance is not the same as documenting compliance. To cope with the documentation efforts, companies can automate the stewardship of personal data in software and eliminate weeks or months of tedious, error-prone manual processes, while producing proof of compliance for auditors.
Automation isn’t always the best solution to complex problems. But, in the case of CCPA, it may be the only solution that allows organizations to cope with the immense scope of data privacy regulations, which, above all, exist to protect consumer rights.