
CCPA: When a law hands you lemons

A practical perspective on CCPA in the technology sector

Some of the world’s biggest technology leaders are worried about what’s coming on January 1. That’s the day the California Consumer Protection Act (CCPA) takes effect.

CCPA has been on our radar since August 2018, because it seeks a sweeping change – it gives consumers the right to view and delete the personal data that companies collect about them. While the law only applies to California, most US companies will effectively apply the new standard nationwide rather than try to differentiate standards at the state level.

Technology companies have called CCPA expensive, distracting, and time-consuming, Fortune reported. But, “despite a major lobbying push by Silicon Valley, the effort has fallen short, which means come the new year, Californians – and all Americans, really – will begin enjoying a broad new set of privacy rights.” Grant Thornton Technology Risk Advisory Managing Director Armand Hensen said that “tech companies struggle with this because big data is big business for them – and many don’t have systems and procedures in place to comply with the new requirements.”

Indeed, CNBC reported that establishing new systems and procedures for CCPA “could cost companies a total of up to $55 billion in initial compliance costs,” including firms with fewer than 20 employees paying around $50,000. Hensen explained, “It’s a simple law, in essence, but to actually satisfy the requests for information is going to be hard. It’s going to be very, very easy to wind up out of compliance with this law – and any individual can sue at that point. The individual fines may not be significant, but there could be a groundswell of litigation.”

Privacy regulations appear to be a growing trend. In 2018, the General Data Protection Regulation (GDPR) established broad privacy and security regulations for the European Union. Now, US federal lawmakers are discussing the even tougher Mind Your Own Business Act, which NextGov reported “calls for senior executives who lie to the FTC to face between one to two decades in prison.”

As technology companies face the trend toward more privacy regulations, it could be time for the companies to turn these legal lemons into lemonade by taking a systematic approach that builds trust, flexibility and relationships over time.

Build trust

Some of the biggest tech companies might still be lobbying against privacy legislation, but most mid-market technology companies need to focus on how they can contain the costs of compliance or even try to turn compliance into a positive for their businesses.

“If a company is looking for a positive, many should start by building trust with consumers,” Hensen said. Mozilla CMO Jascha Kaykas-Wolff recently echoed the need to build consumer trust in TechCrunch, saying that too many companies seem caught up in “collecting as much consumer data as possible – regardless of the actual value of that data, and regardless of our consumer’s best interests.” Kaykas-Wolff said that such approaches are “a farce,” and that “consumers are voting with their wallets and choosing to walk away from companies that don’t practice the values they preach. This is a trend that will speed up, not slow down.”

The lack of trust could indicate a market “white space” for technology companies willing to depart from the constant quest to monetize the most personal data. Instead, companies could connect to consumers by demonstrating compliance with CCPA and other privacy requirements, even finding ways to give users value from the collected data.

Recent research indicated that “organizations that are savvy with customer analytics outperform their competitors,” showing 126% more profit, 131% more sales and 186% more sales growth, reported Forbes. “By demonstrating an understanding of user concerns, early adoption of privacy requirements and a genuine effort to respond to information requests, a company could differentiate themselves from competitors who are still working against emerging requirements.”

Build flexibility

To adopt CCPA, companies need to establish new processes. Unlike GDPR, which mandates specific security measures, CCPA doesn’t include system requirements. Instead, CCPA is only focused on giving consumers a voice in how their data is used.

“A system, in and of itself, wouldn’t be compliant or non-compliant with CCPA. But, how the company is using data – and whether they can retrieve and delete it – determines compliance,” Hensen said. “The commonality between GDPR and CCPA is that, in order to be compliant, you have to go through a data categorization and classification to understand what you have and where.” That’s the first step to prepare for processing consumer requests and notifications.

Some companies are likely to receive a lot of consumer requests for data, and “an ad hoc approach results in a slow response, exposing the organization to the risk of noncompliance. As always, damages from data privacy violations can be severe financially and reputationally; with the breadth of CCPA, GDPR and anticipated new regulations, the impacts could be staggering,” noted Grant Thornton Cyber Risk Services Principal Derek Han.

To efficiently adopt privacy regulations, companies need to engineer compliance into both their systems and their processes. Han outlined how companies should establish a privacy program that includes four action steps, summarized as:

  1. Assess the data you have, to establish baseline policies and a data inventory.
  2. Build a privacy program that includes individual rights management, consent and preference tracking and breach liability reduction.
  3. Automate tasks that manage individual rights, consent, preferences, breach liability, data retention, data disposal, data mapping and third-party access.
  4. Monitor your program’s key performance indicators, reviewing the program annually and ensuring an annual audit to verify compliance.

“Incorporating these four steps into a holistic privacy program will help ensure that the program addresses escalating data privacy regulations and helps build customer trust in your organization through demonstration of care for their privacy,” Han said.

Build relationships

Privacy regulations are a new reality for business, and a new opportunity to build more trust and better relationships with consumers.

CCPA effectively tells companies to start a dialog with consumers, requiring that companies notify consumers about when and what data is being collected, when it is shared with a third party, what is shared and why. Of course, companies also need to open a door for consumers to start a dialog, to request information, request deletions or change their preferences. In the future, the dialog could expand to transactions where consumers monetize their own data. In fact, CCPA makes a provision for companies to pay consumers for the collection or sale of their information.

It’s hard to say how data privacy will evolve from here. But CCPA is one sign that technology companies need to adopt a new perspective on privacy. By taking a systematic approach that builds trust, flexibility and relationships, companies can turn these recent legal lemons into brand-building lemonade.

Contact:
Armand Hensen
Managing Director, Technology Risk Advisory
T +1 212 542 9717