With the California Consumer Privacy Act’s (CCPA) effective date quickly approaching, companies nationwide—not just those headquartered in the Golden State—have a lot of work ahead of them or they face potentially major disruptions to their businesses.
First, a couple of key factors that treasury and finance professionals need to understand about the CCPA. For one, U.S. companies with employees or sales in Europe that have already complied with the European Union's General Data Protection Regulation (GDPR)—effective since May 25, 2018—may believe that its more expansive framework means they are already compliant with the CCPA. To a large degree it does, but companies must nevertheless understand and accommodate the differences.
Second, U.S. companies outside the state, even many smaller ones, must comply with the California law if they collect data on customers who live in the country's most populous state and one of the world's largest economies—a strong likelihood in today's digital age.
Complicating matters further, the CCPA's effective date is Jan. 1, 2020, but there are still upwards of a dozen pending amendments that have yet to be finalized and may significantly change the law's requirements. For example, it is still unclear whether a company's own employees will fall within the definition of a "consumer," and what that would mean for data-handling requirements. In another instance, the CCPA's definition of a "sale" of personal information, which triggers the consumer's right to opt out, covers disclosures to third parties for monetary or other "valuable consideration," but the law does not define the latter term.
Even if those amendments are resolved by October—a guesstimate by sources familiar with the issue—there's little time for companies to adapt their systems, although enforcement by the state's attorney general is not scheduled to begin until six months after the effective date.
The findings of a March survey by Compliance Week and TrustArc, a privacy compliance and security company, were grim. It found that 45.6 percent of surveyed compliance professionals said their companies were working on preliminary plans, while 26 percent said they hadn’t started at all, and 13 percent said they had plans but implementation had yet to start. Only 15 percent said their plans were “well underway.”
LATE TO THE GAME?
Many companies have no doubt made significant progress since March. However, for those that have yet to deal with GDPR or industry-specific privacy requirements, such as the healthcare industry's Health Insurance Portability and Accountability Act (HIPAA) or the financial industry's Gramm-Leach-Bliley Act, the task is daunting. Rich Vestuto, managing director in Deloitte Risk and Financial Advisory, noted that customer data can sit hidden away and unprotected on a server somewhere within a company's four walls, and copies may have been sent to any number of third parties.
"Is the company using an outside benefits company or human-resources provider, or an email marketing or affinity program?" Vestuto said. "It really takes a team to go in and put together an attack plan, to interview people, talk to IT and the different businesses, and try to build a map of where everything is and where there may be sensitive data."
Vestuto said that means interviewing anybody who might have some kind of "input, some premier knowledge" about what is happening to the company's data. In an airline, for example, it would be important to talk to the division handling its affinity program about the type of data it holds and whether there are currently any restrictions on handling it. Reviewing contracts with third parties is also key, to make sure each one contains a clause obligating that party to protect the data.
Vestuto added that companies that have yet to start that process are “already late to the game,” and if they haven’t implemented a similar program for other regulations, “Then they’re way behind.”
Those companies had best catch up, even if the steep fines for CCPA infractions are delayed, because noncompliance could severely impact their businesses. “The most important driver for most companies,” said Dave Deasy, SVP of marketing at TrustArc, “is that their customers and vendor partners won’t do business with them if they can’t document their compliance.”
Deasy added that 68 percent of respondents called vendor and other third-party expectations their biggest reasons for complying with CCPA, and a similar percentage pointed to fines and class-action lawsuits.
Vestuto noted that a string of other states appear to be following closely behind with similar but nevertheless different requirements. Nevada’s privacy rules go into effect in October, and Maine, Washington and New York are also mulling new requirements.
TIME TO PREPARE
It appears unlikely that the CCPA effective date will be delayed, given the rash of data breaches at name-brand companies, including Equifax, Marriott International, Uber and Yahoo. Capital One recently disclosed that a hacker had gained access to roughly 100 million customer accounts and credit-card applications.
In addition to keeping customer data secure, companies will have to be able to respond to consumer rights requests. Vestuto said that the CCPA is somewhat narrower in its requirements and at first blush appears to omit GDPR's requirement to keep an inventory of data. However, if a consumer asks to see all the data a company holds about him or her, or asks to have that data deleted—both consumer rights under the CCPA—the company will need ready access to that data, which in practice means knowing where it lives.
Similarly, GDPR's privacy-by-design provision requires companies that build new systems and processes, or change existing ones, to consider privacy requirements throughout that lifecycle; the CCPA has no equivalent provision.
“On the other hand, if I don’t do something related to the changing processes, my data inventory and data-privacy program get stale very rapidly,” Vestuto said. “So we recommend to clients that, even though there’s no explicit regulatory requirement, it’s prudent from an operational standpoint to do that.”
Deasy said the CCPA is affecting all industries, but in particular sectors such as financial services, telecom and utilities, since they tend to be U.S.-centric and lack the head start that GDPR compliance would have given them.
Companies collecting large volumes of personal information and sharing it with third parties are particularly at risk, Vestuto noted. He added that technology companies, especially those in social networking, are the “prototypical” example of organizations that will be impacted by CCPA and must be prepared to follow through on subject rights requests.
“However, they’re more mature in terms of data privacy than many other companies,” he said. “Companies such as consumer products may not be nearly as sophisticated.”