California is taking the lead in the US on privacy regulation with the adoption of the California Consumer Privacy Act (CCPA). Security and privacy professionals whose companies have consumers in California must get their implementation plans together now. Those that believe that CCPA is not their problem must think again: This is likely to be the first of many state-level privacy requirements. And this is just the beginning. Our data shows that compliance with global privacy laws is one of the top three challenges CISOs face, on par with the changing threat landscape. As you approach CCPA, consider that:
- CCPA is fast-approaching. The bad news: California will begin to enforce the requirements of the California Consumer Privacy Act in January 2020, which is in less than one year’s time. The good news: Your existing GDPR can be repurposed to comply with the CCPA.
- The CCPA is California’s answer to GDPR. There are a handful of similarities between the two regulations, starting from a common definition of what constitutes personal data. Both sets of rules provide individuals with more control over their personal data and with a range of stronger or new privacy rights. Both also contribute to increase consumers’ awareness of their privacy rights and drive behavioral changes.
- Consumers are embracing CCPA already. Increasingly data-savvy consumers will vote with their wallets and choose to do business with firms that uphold their standards of personal data protection. Do not simply play catch-up when new privacy regulations are released; include privacy as a broader corporate value. Several organizations have embraced privacy as part of their corporate social responsibility, as we discussed in this report, “Commit To Privacy As A Corporate Social Responsibility.”
If you are thinking that you don’t need to rush with your preparation, consider this: The enforcement of many requirements of the CCPA demands companies to look back 12 months. For example, let’s say that on January 1, 2020, one of your customers wants to know what personal data you hold about her. To address that request, you must look at the data collection and processing activities for the 12 months previous to that request — back to January 1, 2019. We identified five key steps that companies should take today to make sure they are ready on time. Firms that are GDPR-compliant will find these milestones somehow familiar. In fact, security and privacy professionals must repurpose their GDPR programs to comply with CCPA and address privacy globally. This report outlines the main steps companies must take today to kick off their preparation for CCPA.
For more information on repurposing your GDPR program to comply with CCPA, see our new report, “Tackle The California Consumer Privacy Act Now.”
(Written with Elsa Pikulik, senior research associate at Forrester)