Although the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, the rules implementing and enforcing the law will not take effect until July 1. At that point, any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data will be governed by CCPA if it:
While data privacy regulations have focused on holding organizations accountable for breaches of their systems and the Personally Identifiable Information (PII) they hold, what has arguably received much less attention are the rights of consumers to enforce the privacy of their personal data under CCPA (and, of course, GDPR). Make no mistake: CCPA puts consumers in the driver’s seat.
A tenet of CCPA is that consumers should feel free to exercise their rights to safeguard their personal data. What’s more, consumers should demand that organizations remain transparent about the usage of their personal data: what information the organization holds, how it is being used, and who it is being shared with.
SRRs, or Subject Rights Requests, cover a defined set of rights where individuals have the power to make requests regarding their data, and where organizations handling this data must address these requests in a defined time frame – which, for CCPA, is 45 days.
Given the primacy of consumer data, organizations that collect personal information and are subject to CCPA need to turn their focus to their obligation to protect the consumer data they hold, rather than fixate on avoiding fines or litigation. Still, Gartner cautions that “subject rights requests left unmanaged have the potential of becoming ‘death by a thousand cuts,’ and costing organizations millions of dollars.”
SRRs come in three categories:
Complying with SRRs requires that organizations establish a privacy management program well in advance of receiving SRRs. The goal is to “hit the ground running” and avoid being deluged by the flood of incoming SRRs – especially in the early days of CCPA.
And there’s another side to the importance of SRRs: a company can bring a high level of transparency to SRRs as a means of increasing customer intimacy and strengthening its brand image.
Remember that a structured approach to managing personal data and SRRs is critical, and keep in mind that every SRR must be met within 45 days. Here is a six-step process that sets the stage for success:
Even with a process in place, enforcing compliance remains a notoriously complex challenge. “A CCPA-covered business is required to respond to at least two requests from any individual consumer in a 12-month period, provide a toll-free number for consumer information requests, and prominently link to an opt-out page from the company’s homepage or any other page where personal information is collected,” according to the law firm Gunderson Dettmer.
Still, platforms for automating the stewardship of personal data can eliminate weeks or months of tedious, error-prone manual processes, and the documentation they produce provides proof of compliance to auditors.
And that’s the way to go into the early days of CCPA compliance forewarned and forearmed.