Such is the extent of the challenge faced by businesses, one survey finds that 86 percent of U.S. companies describe CCPA compliance as a “work-in-progress.” Adding to that, MediaPRO’s 2019 “Eye on Privacy Report” found that half of U.S. employees have never even heard of the regulation.
In terms of what businesses need to to do to meet the CCPA January 2020 implementation date, Digital Journal caught up with Tom Pendergast, MediaPRO’s Chief Learning Officer for strategic advice.
Digital Journal: What is the idea behind the CCPA?
Tom Pendergast: At a glance, the big idea of the CCPA sounds simple: give individuals control over the use and sale of their personal information. The bill acknowledges that times are changing, and that it’s basically impossible to “apply for a job, raise a child, drive a car, or make an appointment” without sharing personal information.
And because technology plays such a big role in daily life, consumers are practically being held hostage by businesses: the self-appointed custodians of their data. In many cases, these businesses don’t always have the best interests of consumers in mind; for example, the bill cites the Cambridge Analytica scandal of March 2018 as a primary factor in motivating the public’s desire for privacy controls and transparency. So the big idea is to put control in the hands of the consumer or data subject.
DJ: What are the main requirements of the CCPA?
Pendergast: There are countless ways that the CCPA will impact a businesses’ policies and procedures, depending on how well it has already incorporated policies and practices around the handling of personal data. So at a micro-level, the requirements of the CCPA are too many to count and too diverse to accommodate readers from across different industries. However, there are five very clearly stated rights that the CCPA grants to Californian consumers which will guide compliance requirements. In other words, the CCPA’s requirements are to do whatever an organization needs to in order to grant consumers these five rights.
Those rights are, in brief: 1) consumers can know what data is collected about them; 2) consumers can know if their information is being sold, and to whom it’s being sold; 3) consumers can say “no” to sale of their information; 4) consumers can access their data (and amend/delete it, if desired); 5) consumers get equal service and price, even if they exercise their rights. The implications for how a company builds the capacity to respect those rights is pretty huge.
DJ: To what extent is the CCPA based on European GDPR?
Pendergast: I think it’s safe to say that the CCPA is inspired by the GDPR but it might be going too far to say it’s “based” based on the GDPR. Consumer rights granted by the CCPA are similar to the GDPR’s rights for EU citizens, but they aren’t copy-pasted from the GDPR’s text.
The CCPA differs in handful of significant ways. One notable way is that the CCPA doesn’t focus the “legal basis” for collecting and processing personal data, which is essential to the GDPR. In effect, the CCPA gives affected businesses more authority over why they process data, so long as they do so with consumer rights in mind. But zoom out a level, and I’d say that both the CCPA and the GDPR are motivated by a desire to shift the power dynamic around the control of personal data from corporations back to the individual.
DJ: What are the key challenges businesses face?
Pendergast: It will all depend on the businesses existing maturity around data protection. If they’ve already done all the work to get prepared for the GDPR, for example, then there will be relatively minor improvements or additions to both policy and technology. But if the business is just getting started on solid data protection and handling practices, the lift could be very heavy in terms of changes to internal data handling practices, business policies, etc. A recent report on GDPR showed that smaller businesses have gone out of business rather than taking on the costs of compliance, and I suspect similar things will happen with CCPA.
DJ: What should businesses be doing?
Pendergast: One could write whole books answering this question. It comes down to assessing what it will take to meet the requirements in terms of impact on technology, process, and people, and then building a systematic plan to get into compliance. For many businesses without the expertise to do that assessment, the first thing will be to hire an experienced privacy professional to help them make a game plan.
One element that businesses don’t consider frequently enough is the need to develop an educated population. Starting a privacy awareness program that informs employees about what constitutes personal information, how it should be handled and protected, and what they should do if they suspect there is a privacy incident is an important but often overlooked component of meeting regulatory guidelines.
DJ: Will the CCPA fully address consumer concerns over privacy?
Pendergast: The answer to this question is immensely complex because it ventures into the area of the human psyche, which is about as weirdly complicated a place as we could possibly investigate. First it’s important to consider whether consumers really want their privacy protected. This varies by individual and by what scandal is in the news cycle; regardless, people’s actions don’t seem to follow the assumption that people want privacy (the famous “privacy paradox.”)
For example, in the wake of Facebook’s various scandals and the “delete Facebook” campaign … Facebook’s user base is essentially unchanged (well, Facebook monthly deletes more fake accounts than there are consumers in most countries, but that’s another issue). Basically, people want the benefits that our modern technology provides while still wanting to remain “private.”
Wouldn’t it be nice to eat pizza and friend chicken and tacos and ice cream for every meal and stay at your ideal weight? Get out of here. Consumer concerns about privacy won’t be fixed by CCPA, in fact, most consumers probably won’t even notice it or take advantage of their rights. However, whether or not consumers realize it: they need those rights to protect them from abuse and collateral damage to our society, often without our knowledge.
The CCPA is 100% better than what we have now: nothing. The bill is an essential first step towards amending the Wild-West landscape of big data that exploits our personal info all the time and, as we’ve seen, complicates our domestic and international politics. It’s a problem that needs to be solved, and maybe CCPA will get the ball rolling.
DJ: Will there be a US wide roll out of CCPA type legislation?
Pendergast: It’s possible, but most people place the odds of federal privacy legislation getting enacted pretty low in the short term. In February, Congressional House and Senate hearings discussed the subject from various angles. Lawmakers are eager to avoid a “grab bag” of state laws percolating across the country, and such legislation is a mostly-sort-of-probably-bi-partisan issue. However, predicting whether legislation will make it to the president’s desk before the 2020 elections has about as much success as predicting the outcome of the election itself. My opinion is that we’ll be dealing with the multiplication of state laws mimicking the CCPA until after the next presidential election.
