Time is running out for California-based businesses to prepare for the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.
Despite the Act being big news in the information security industry since its passing, many outside of it have never heard of it, and some don’t even know if it applies to their business.
The CCPA applies to California-based companies that have an annual revenue above $25 million; possess the personal information of 50,000 or more consumers, households, or devices; or earn more than half of their annual revenue from selling consumers’ personal information.
Manual or automated?
With the CCPA, California residents gain the right to:
- Know what personal data is being collected about them and to whom that data is sold or disclosed
- Prohibit the sale of this data
- Request its deletion
- Access it.
This means that the companies to which the law applies must put mechanisms in place that allow consumers to exercise these rights.
“The quick and dirty way to comply with CCPA is to provide an email address or a form on the website that consumers must complete, and then for each request, respond manually,” Buno Pati, the CEO of Infoworks, told Help Net Security.
“This will work if your organization or your data set is not that large or you don’t have a lot of end users. It might also work for a business-to-business organization. But for any reasonably sized organization with lots of end consumers, if the CCPA requests start to grow, their ability to respond will quickly falter if it depends on a manual process.”
For those organizations, the only sound approach is to automate as much of the process as possible.
How to go about ensuring CCPA compliance?
While the actual process is very detailed, the basic concept starts with creating a common repository (aka “data lake”) of all customer data, including information about who is using it within the company, for which purposes, and what rights have been granted.
“The repository is just the starting point for handling requests and must maintain lineage documenting the original data sources so they can be tracked down later if data needs to be removed,” Pati noted.
Next, organizations need to create a portal that allows end users to make requests about how they want their data managed: the ability to see what data the organization holds, and the ability to request that all or some of it be removed, that its sale be restricted, and so on.
Finally, once a consumer has made a request, the organization must have processes (both automated and manual) in place to either remove or anonymize the data.
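The three steps above (a central repository that keeps lineage, a portal that accepts the four kinds of request, and a removal or anonymization step that is driven by that lineage) can be sketched in code. The following is an added example written for this article, not Infoworks' product or any code from the original page; the record schema, the consumer ids and the sample rows are constructed for illustration, and the handler models the rights listed above rather than the full legal text.

```python
from dataclasses import dataclass, field
from typing import Dict, List
import hashlib


@dataclass
class Record:
    """One piece of personal data plus its lineage (hypothetical schema)."""
    field_name: str
    value: str
    source_system: str       # lineage: where the value was originally collected
    purposes: List[str]      # what the business uses it for
    sold_to: List[str]       # third parties it was sold or disclosed to


@dataclass
class ConsumerProfile:
    consumer_id: str
    records: List[Record] = field(default_factory=list)
    do_not_sell: bool = False


class DataLake:
    """Central repository of customer data with lineage and a request handler."""

    def __init__(self) -> None:
        self.profiles: Dict[str, ConsumerProfile] = {}
        self.audit_log: List[str] = []   # every request is logged for accountability

    def ingest(self, consumer_id: str, record: Record) -> None:
        profile = self.profiles.setdefault(consumer_id, ConsumerProfile(consumer_id))
        profile.records.append(record)

    def handle_request(self, consumer_id: str, kind: str, anonymize: bool = False) -> dict:
        """Serve a consumer request: 'know', 'access', 'opt_out' or 'delete'."""
        self.audit_log.append(f"{consumer_id}:{kind}")
        profile = self.profiles.get(consumer_id)
        if profile is None:
            # Nothing is held about this consumer: say so rather than failing.
            return {"status": "no_data", "consumer_id": consumer_id}
        if kind == "know":
            # Right to know: categories collected, where they came from, who received them.
            return {
                "status": "ok",
                "categories": sorted({r.field_name for r in profile.records}),
                "sources": sorted({r.source_system for r in profile.records}),
                "recipients": sorted({p for r in profile.records for p in r.sold_to}),
            }
        if kind == "access":
            # Right of access: the actual values, with the purposes they serve.
            return {"status": "ok",
                    "data": {r.field_name: {"value": r.value, "purposes": r.purposes}
                             for r in profile.records}}
        if kind == "opt_out":
            # Right to prohibit sale: flag the profile and list the partners to notify.
            profile.do_not_sell = True
            return {"status": "ok",
                    "notify": sorted({p for r in profile.records for p in r.sold_to})}
        if kind == "delete":
            # Right to deletion: lineage tells us which upstream systems must also act.
            sources = sorted({r.source_system for r in profile.records})
            if anonymize:
                for r in profile.records:
                    r.value = _pseudonym(r.value)
            else:
                del self.profiles[consumer_id]
            return {"status": "ok", "propagate_to": sources, "anonymized": anonymize}
        raise ValueError(f"unknown request kind: {kind}")


def _pseudonym(value: str) -> str:
    """One-way replacement so aggregate rows survive without identifying anyone."""
    return "anon-" + hashlib.sha256(value.encode()).hexdigest()[:12]


def build_sample_lake() -> DataLake:
    """Constructed sample data (not from the article) to exercise the handler."""
    lake = DataLake()
    lake.ingest("c-1001", Record("email", "alice@example.com", "crm",
                                 ["marketing", "support"], ["adnet-a"]))
    lake.ingest("c-1001", Record("zip", "94105", "web-analytics",
                                 ["analytics"], ["adnet-a", "broker-b"]))
    lake.ingest("c-2002", Record("email", "bob@example.com", "crm", ["support"], []))
    return lake


if __name__ == "__main__":
    lake = build_sample_lake()
    print(lake.handle_request("c-1001", "know"))
    print(lake.handle_request("c-1001", "opt_out"))
    print(lake.handle_request("c-1001", "delete"))
    print(lake.handle_request("c-1001", "access"))   # no_data after deletion
```

The point the article makes about "data plumbing" shows up in the `delete` branch: the lake can drop its own copy in one line, but the `propagate_to` list is what a real deletion workflow has to act on, and it only exists because every record was ingested with its `source_system`. Data ingested without lineage cannot be tracked back, which is exactly the situation the repository is meant to prevent.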
Many companies underestimate how hard it is going to be just to organize their data in a manner where they can even implement processes to help them comply with CCPA.
“They focus more on the customer interaction part, but it is the underlying data plumbing that will be 80% of the work,” he says. “This is why implementing an enterprise data operations and orchestration system is so important. You need a level of automation and data management agility that will provide a solid foundation on which the rest of their CCPA implementation will be built.”
Centralization of the data and the processing is also encouraged, as it makes it easier to manage requests properly.
The CCPA effect
More and more consumers worry about their privacy and would like to gain control of the data that companies and other organizations keep about them (and use).
Slowly but surely, countries all over the world are trying to meet that need and are creating and enacting legislation that will allow this. The EU General Data Protection Regulation (GDPR) got most of the coverage so far but, with the CCPA and other similar bills enacted or in the pipeline, companies are looking to do a thorough job.
“Businesses are prioritizing CCPA compliance for all their data and are taking a more holistic approach as new privacy regulations with varying requirements will soon be introduced. Implementing CCPA for all of their data gives them a head start on preparing for federal legislation as well as for the European GDPR standard which has similar requirements,” Pati pointed out.
“California will be the first state where more rigorous privacy requirements are in place but businesses around the world should also consider how they can be transparent in data collection as 15 other states have introduced privacy legislation and similar proposals are being considered at the federal level.”
Consumers should not delude themselves into thinking that increasing privacy legislation will spur companies to stop collecting data or to start purging the user data they already hold, as that data is simply too valuable.
Organizations will continue to aggressively collect data and request the right to use it and sell it, Pati believes, and they are counting on the fact that most consumers will not take advantage of a CCPA portal to have their data removed or anonymized.