Today marks the enforcement date of the California Consumer Privacy Act (CCPA). Business as usual can no longer be the norm, and the enforcement of the CCPA will compel organizations to reexamine their practices around existing privacy initiatives. The law imposes obligations around the collection, use and disclosure of personal information (PI) that organizations must address.
Moving forward with plans to enforce CCPA
On June 2nd, California Attorney General (AG) Xavier Becerra submitted proposed regulations for the CCPA. While there was speculation among the legal community on whether or not a timely final proposal would be delivered, the proposal came just one month before CCPA’s enforcement date of July 1st.
The move comes even as organizations have asked for a delay in enforcement. Over 60 organizations, heavily represented by trade associations and media groups, sent a letter to the AG office, asking that the enforcement of CCPA be delayed for six months. The letter stated that the “public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position.” Many organizations have already had to adapt to the changing environment brought by COVID, including the government’s call for workers to stay home. The enforcement of CCPA introduces additional uncertainty to organizations already grappling with workforce shifts and changing revenue forecasts.
At the same time, it looks certain that a new privacy law may end up on the California ballot later this year that would replace the CCPA. The California Privacy Rights Act (CPRA) seeks to broaden the scope of privacy rights and strengthen the enforcement of those rights.
Organizations to demonstrate compliance
Whether or not CPRA becomes law, organizations are still obligated to comply with the requirements set forth by the CCPA. While sections of the existing law have yet to be clarified, what remains clear is that organizations are responsible for proving compliance. These requirements should compel organizations to establish protocols for handling consumer rights requests or, in the context of GDPR, data subject rights. Some of the more common rights requests are centered around deletion and access.
When organizations can demonstrate compliance by responding to consumer rights requests in a timely manner, positive public perception can increase and risks of penalties can decrease. After initial compliance measures have been taken, organizations will be better positioned to report on their compliance posture and produce a basic audit report, should the California AG or another enforcement body come knocking.
Supporting compliance efforts with Collibra Data Privacy
Organizations that have built a data governance foundation through Collibra can extend access and visibility of data, specifically metadata, for consumer rights requests workflows. Collibra’s Individual Rights Requests feature enables organizations to quickly respond to requests and maintain visibility into where PI is stored and how it is being used. The Individual Rights Requests feature provides an audit trail, allowing oversight of who processed requests, and how and when they were processed.
More broadly, a data governance foundation not only helps with consumer rights requests; it also feeds pertinent data for business processes, PI classification, data mapping, risk assessments and remediation actions. For example, efforts to register business processes and classify PI can feed into future privacy workflows and address multiple regulations. Collibra Data Privacy is designed to help organizations reduce overall risks and save time.