The California Consumer Privacy Act (CCPA), which is modeled after the European Union’s General Data Protection Regulation (GDPR), will go into effect on January 1, 2020.
The law affects companies that meet at least one of these criteria:
- Bring in more than $25 million gross annual revenue
- Buy or share personal information pertaining to 50,000 or more consumers, households, or devices
- Generate at least 50% of annual revenue from selling the personal information of consumers, which includes postal, email and IP addresses, driver’s license numbers, social security numbers, online/browsing preferences, and behavioral data
Firms that are not compliant in time will risk fines ranging from $2,500 to $7,500 per incident, in addition to possible legal action from consumers after data breaches.
Why is Data Privacy Important?
According to the Capgemini Digital Transformation Institute’s “Seizing the GDPR Advantage” report, consumers are more inclined to transact with organizations that enforce data security. Approximately 39% of surveyed consumers said they would purchase more products from companies that protect data. More than seven of ten individuals indicated that they would stop conducting business with an organization lacking in privacy protection and would switch to another company. Additionally, approximately 75% said they would request that the organization erase their personal data.
Data privacy regulation empowers customers to control their personal information. Strengthening data security and protecting a customer’s privacy can only help companies grow their brand and increase customer trust and loyalty.
What are the steps firms must take immediately?
Capgemini recommends a phased approach to CCPA compliance. Companies that already have a privacy framework that was implemented for other regulations, such as the General Data Protection Regulation (GDPR), will find it easier to comply with the CCPA, which is very similar to the European legislation. But even for those firms that don’t have the GDPR framework in place, Capgemini has found that most have at least completed an initial Privacy Impact Assessment. With that in mind, here are the next immediate steps they must take:
- Create a compliance roadmap and remediation plan. This includes identifying a workable Minimum Viable Product (MVP) that will ensure basic compliance, establishing workstreams and onboarding teams, and adjusting cost and effort estimates.
- Implement compliance solutions that use a combination of automation and other technologies to address data security gaps and system vulnerabilities, provide for consent and individual rights management, deliver anonymized data for marketing and analytics, and safeguard structured and unstructured data. Companies must also update service-level agreements with third parties.
These steps will enable firms to respond to customer requests within a certain timeline, track and manage requests, and establish an audit trail for regulatory compliance.
Once the goals of the MVP have been realized, FS firms should invest further to design an end-to-end automation framework that can replace manual processes currently supported by a managed service or operational team. This will add agility and greater responsiveness to the privacy framework as consumer awareness and data subject request demands increase.
Worldwide, there are several legislative efforts underway to protect the data of customers. Several countries, including Japan, India, Brazil, and Canada, have already implemented or are currently creating national data protection/privacy laws that follow the GDPR model.
In the US, 15 states are gearing up to pass legislation that is comparable to CCPA; Nevada has already passed a similar privacy act. Additionally, there is a chance that there will be federal privacy regulation, with both the Senate and Trump administration exploring possibilities. Adopting an agile data privacy framework will be well worth the investment to more easily comply with future local and regional privacy legislation.
To learn more, please visit the Capgemini CCPA website.
Note: The 15 states are Connecticut, Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, New Jersey, New Mexico, New York, North Dakota, Pennsylvania, Rhode Island, Texas, and Washington.