- CCPA Compliance Only Extends to Updated Privacy Policies
For many businesses, their approach to CCPA thus far has been to update their privacy policies to reflect CCPA language without changing business operations to actually implement CCPA compliance. While updating privacy policies is part of the requirements under CCPA, this barely scratches the surface of compliance. Implementing compliance requires comprehensive data management and the ability to generate rapid reports on how consumer information has been used over a period of time. Reporting has to respond to a variety of possible consumer requests, such as which vendors have received consumer data, what day an opt-out request was processed for a specific customer, and even what cookies have been collected on consumers (cookies just recently emerged as a flashpoint in CCPA enforcement, with California AG Rob Bonta claiming that cookies constitute personal information under CCPA). Imagine processing these consumer requests all day every day, and then multiply that by the number of customers a business has. That should give a sense of how much work businesses will ultimately have to put into CCPA compliance. Updating privacy policies and leaving the rest to chance will likely wind up costing businesses thousands or millions of dollars in CCPA violations.
2. Failure to Manage Consumer Requests in Accordance with CCPA Regulations
Managing consumer requests is likely to become the most cumbersome part of CCPA compliance. The CCPA grants consumers a bill of rights to assert control over their own data, including the ability to request information on what data has been collected and how it has been used; the right to opt-out of data sharing activities between a business and third parties; the right to request deletion of data; and others. Consider a business that has 10,000 customers. If each month, 10% of those customers make a consumer request, the business will have to monthly process 1,000 requests and generate 1,000 handling responses, which generally will be in the form of data reports. Now consider that the company has 1,000,000 customers. If 1,000 data reports sounds like a lot, what happens when the number of monthly requests jumps to 10,000 or 100,000? The point is that consumers have the right to make consumer requests under CCPA, and businesses are obligated to respond to the requests. Failure to respond can result in action brought by the California AG’s office, and also, consumers can bring an action against the business under the Private Right of Action. Thus, businesses face two different types of potential fines if they cannot manage consumer requests within the 45 day time window. Managing consumer requests requires a scalable solution that can automate as much as possible the CCPA consumer request processes. Very few businesses have deployed such comprehensive data management tools that can handle large amounts of CCPA consumer requests. As enforcement ramps up, this challenge of scaling to service consumer requests could become a big and expensive problem.
3. Failure to Track Data Inventory in a Way that Satisfies CCPA Compliance
One way to look at data privacy compliance is through the lens of data management. The way businesses currently manage data leaves some very large gaps in terms of CCPA compliance. CCPA from this perspective is a very strict set of rules for how businesses must manage and track their customer data – every piece of data collected on their consumers as it moves through every part of a business’s data ecosystem. If businesses can’t track usage of customer data to begin with, how can they comply with CCPA consumer requests? The key takeaway here is that businesses will need to fundamentally change the way they collect, process, tag, track, and manage each datum of customer information in their data ecosystem. That includes not only information provided by consumers to the business, but also information that is derived about their customers through analytical tools. It’s the comprehensiveness of data inventory management that will pose the greatest challenge to businesses. Businesses seeking to implement robust data management strategies for CCPA compliance will need to adopt solutions like Privacy Lock , or other data management and automation services.
4. Businesses Assume They Don’t Have to Comply with CCPA Because They Are Not California Based Businesses
One common area of confusion about CCPA is whether a business is actually required to comply if they are not a California based company. CCPA requires that any business selling goods or services or collecting data on California residents is ‘covered’ under CCPA. In other words, it doesn’t matter where the business is registered or located, what matters is where the consumer resides. Especially for online businesses and e-commerce sites that do business across state lines, if they interact with California consumers those interactions are most probably covered under CCPA. The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
5. Thinking That Only Data Provided by Consumers is Covered Under CCPA
Many businesses think that CCPA only applies to the data fields that consumers fill out in online forms – Name, Address, Phone Number, etc. In fact, the definition of personal information under CCPA is pretty expansive. Personal information as defined on the California AG’s websiteis information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics. The thing to pay attention to here is that browsing history, including cookies, and customer profiling are considered personal information. Analytics or computations performed on consumer information using business intelligence software that produces derivative datasets about consumers is also considered personal information. The expansive definition of consumer information may cause some headaches to businesses that use business intelligence as a way to recommend and push products to their customers. The CCPA does not require that businesses stop such practices, but that they treat any consumer information involved in such analyses as personal information. Once again, this requires robust data management tools to track inputs and outputs as they relate to individual consumers, and to be able to respond to consumer CCPA requests.