The California Consumer Privacy Act (CCPA)—which begins enforcement on January 1, 2020—now stands ready to reform how data is handled. The goal: to improve protections for personal data and to grant consumers new, expanded rights over appropriate use of their data. The regulation will impact California businesses and others doing business with California citizens, while also serving as a model for other states planning parallel legislation.
But all is not yet settled with the CCPA. Over the next few months, we’ll see continued scrutiny and debate over amendments that determine the definition of what confidential data is in scope, which exceptions are warranted, how do consumers enforce controls with communication requirements, and so on. All well and good for clarity and to preserve the intent of the law: to better safeguard consumers by protecting personal data and their sensitive information across devices.
Unfortunately, this ongoing work means that many organizations are procrastinating on their preparations for CCPA compliance. Just as we saw with the General Data Protection Regulation (GDPR) in Europe, there’s a tendency to wait for the dust to settle and then figure it out—eventually—based on more certainty and best practice examples.
The GDPR is indeed a good example, though, where the first few months demonstrated moderate legislative enforcement; a grace period of ramp up for auditing compliance and keeping fines in the realm of a “warning shot” of greater penalties to come. Sure enough, one year later after enforcement began, we are indeed seeing massive fines levied, and a weak defense of ignorance has become increasingly thin.
While the CCPA may—or may not—offer a similar grace period when it takes effect, the threat of fines shouldn’t be your biggest worry on New Year’s Day 2020. There’s another, hidden cost that few people are considering when preparing their governance and data privacy plans.
Certainly, CCPA fines and penalties are a big motivator to implement controls to limit your risk of exposing personal data; fines can range from $2,500 to $7,500 per violation, depending on the intent. But there is a more obvious and sinister problem staring businesses right in the face: the costs associated with the new transfer of controls that the CCPA extends to your customers. Yes, the end users of your products and services will have new rights and this will cost you, immediately. More specifically, you’ll be spending time, skilled resources, and hard costs in order to respond to consumers who wish to exercise their rights—at scale. This includes costs of responding to data subject access requests (DSARs), along with user requests to ensure data use transparency, the revocation of rights to use, third-party sales, and everything in between.
User rights management isn’t getting as much attention as it should, and this could be attributed to how most organizations are framing CCPA, GDPR, and other regulations as primarily a security problem, rather than a data privacy governance problem. Recent industry estimates (based on surveying the impact of the GDPR so far) show that the cost to an organization handling consumer privacy rights requests could run in the range of $1,400 per incident and take up to a few weeks to resolve. Let that sink in.
Now consider how quickly those per-incident costs might multiply. A CCPA fine may run $2,500; just two inquiries from customers exercising their right to be forgotten could cost you more than $2,800. How many inquiries will you get each day? Every month? Risk assessment tools can help you determine an answer, but it’s clear that the hard costs of doing business under the CCPA will quickly overshadow any theoretical fines.
Security and privacy governance are not the same. At the end of the day, this may simply be a matter of semantics; however, the case made above is that securing the data may reduce the risk for data breaches and subsequent fines or penalties; whereas data privacy governance can help to create a holistic approach that supports data privacy workflow, reduces operational costs, and impacts the bottom line when implementing practical day-to-day controls.
In the days and months leading up to the CCPA, we can take a good lesson from the GDPR. While vendors jump on the bandwagon of magic cure-all solutions to lock down data or to help you determine a policy-based approach to compliance, you’ll want to seek out vendors that can demonstrate a track record of data governance best practices. The same best practices used to understand data sources, track lineage, map data and identity and identity governance together, can also be a part of your comprehensive data privacy governance strategy, solving both a risk and an ongoing cost of doing business problem.
Truth be told, data privacy compliance is something we all have to do. GDPR made us do it, the CCPA is making us do it, and you can expect countless more privacy mandates as data proliferates and more abuses come to light. Consumers are demanding it. And ultimately, it’s the right thing to do. But there is the proverbial silver lining upside to consider.
Data privacy governance enables greater insights into the data you have, an opportunity to improve its quality and reliability, and the ability to use it in more safe and productive ways to unleash business optimization and value creation. For example, by offering new products and services that your customers can trust, you may want to consider this recent statistic about consumers who trusted their vendors: they were likely to offer up to 5x more sensitive data for use. From a data analytics and value creation standpoint, that means more complete data to fuel better insights for developing targeted offerings and improving customer loyalty in an age where brand loyalty has far less stickiness than ever before.
While privacy compliance is something you have to do, privacy governance will be something you should want to do—and both achieve the same endgame. Win-win! Customers are more aware of trust assurance nowadays; they’re not content to simply just take a best price if they’re worried that their data will be misused. With the CCPA and similar mandates around the corner, it’s in your best interests to prepare more sooner than later to govern the personal data your customers hold you responsible for protecting. And the sooner you do so, the more quickly you can use that trusted data to open up new business opportunities with trusted data that helps you leapfrog your competition and protect your customer loyalty, enabling customer relationships to thrive.
Discover how you can locate, classify, analyze, monitor, and remediate risk for personal and sensitive data with Secure@Source.
Register today for our upcoming launch event, where you can learn more about how to operationalize data privacy and provide greater compliance transparency with AI-powered automation.
Download a complimentary copy of Data Privacy For Dummies.
Or register for our timely webinar, 20 Questions on the CCPA with Joe Bracken, Deputy General Counsel.