Want to know more? Click here to register for the adjoining webinar!
The California Consumer Privacy Act (CCPA 2020), which went into effect earlier this year, is certainly not the first legislation in this area. Over the past few decades, numerous legislations have been enacted to protect the privacy and personal data of consumers. Most notably these include the Health Insurance Portability and Accountability Act (HIPPA 1996), Gramm-Leach-Bliley Act (GLBA 1999), Health Information Technology for Economic and Clinical Health Act (HITECH 2009), Family Educational Rights and Privacy Act (FERPA 1974), and Protection of Pupil Rights Amendment (PPRA 1978). While these are sectorial laws focused on specific industries, CCPA is focused on all California consumer data and includes a carve-out for GLBA and HIPPA.
In this white paper is a technical roadmap of primary capabilities that must be implemented to meet CCPA. We see these capabilities as:
- Track and act on consumer requests.
- Understand what information is captured and what categories it falls under based on CCPA guidelines.
- Capture and document the process for complying with the law.
- Document the purpose and use of the information captured.
- Communicate the information to the consumer and provide the ability to request the removal of information.
- Capture consent of the consumer for the storage and use of their personal information.
Through a combination of partner tools and products provided by companies such as Informatica, cataloging data and its processes can be combined in a modular way to address each of these needs.
Addressing CCPA – Triggers, Response, & Challenges
Based on what is understood about the law, from a technical standpoint, identifying the information, processing requests, and identifying and cataloging the location and purpose behind the information’s capture is necessary to begin to comply with the law. Key triggers prompting regulatory inquiry include:
- Data breaches: CCPA is not particularly nuanced about sensitive data and the California Department of Justice focuses on breaches/complaints and harm done.
- Number of complaints: An increase in the number of complaints.
- New technologies: Technologies like facial recognition require effective risk assessment for compliance.
Since the law came into effect, the California Attorney General has provided additional information including a second set of modifications to the proposed regulation. Even as rule-making activities move forward, there has not been a spike in what consumers request. This is an evolving space with a significant amount of uncertainty as new versions of CCPA are rolled out, including details around ‘deletion’ and what it means.
Receiving, Handling, & Tracking Requests
The most obvious need is the ability for the organization to interact and communicate with the consumer based on the requests. We are quite certain any company that must comply with the law already has a means to process consumers’ requests. In processing said requests, statistics about the interactions and resolution, type, etc. can also be readily assembled and reported on. A dashboard to present the statistics, such as number and type of inquiry, the number of requests processed, and their current status would go a long way in satisfying a regulator’s assessment of the organization’s compliance with the law. The California Attorney General has built a data broker registry which supports the compliance check. Companies such as SayMine.com handle requests through a single process for data handling.
Successfully operationalizing the law involves verification of the individual for data identification, deletion, or enabling an opt-out request. Paradigm Technology has enabled this through data catalog development, such as Informatica’s Data Privacy Management, which helps organizations identify Personally Identifiable Information (PII), Personal Health Information (PHI), and other sensitive data with ease. Additionally, our governance accelerator workflows – including defining a business rule, proposing new governance assets, and unsubscribing capabilities – enable our clients to further identify and handle data. Smaller companies that are unable to build a comprehensive infrastructure internally are managing this through service provider arrangements. Companies that hire third-party brokers make managing requests an outsourced dialog between the consumers and the business with the service provider.
Whether handled in-house or through a third-party, some common challenges we’ve helped our clients overcome include:
- Locating data: It remains a difficult task for most organizations. Companies still struggle bringing the right data to the right person at the right time for activities such as analytics and marketing, let alone lawful compliance.
- Our experts helped a client identify, scan, and profile 200 data elements, 8.4 million variables, and 2.9 billion rows.
- Tracking and managing consent: Usually this is nothing more than a webpage popup notifying the user of a website that their information is being captured and requesting an opt-in. What it does not necessarily do is capture that consent across the data and many systems that capture it.
- We simplified and automated a search for related information, reducing search time by 31%.
- Service level agreements (SLA’s) and audit: Documentation and proof that the request has been processed and completed are required for internal and external management of such data.
- Our data scientists enabled our client to track data lineage, perform data profiling, search data, and view data quality scores for a target quality increase of 28%.
- CCPA hotline messages: Often they are unclear, and it can be difficult to identify the last name and email address which are essential with the obligation to follow up if the data isn’t provided.
- Data requests with specific look-back and restore needs: These are different for varying industries and require clear policies covering data collection, data quality, management, purpose of usage, usage limitation, data security safeguards, openness, and individual roles and accountability.
- By enabling semantic search, the ability to search with meaning, we helped our client see an estimated 13% profitability increase.