Remember back in 2018 when something called the General Data Protection Regulation (GDPR) made everyone click a notice on every website? People got annoyed and made jokes, but the law was a huge step forward for data privacy advocates and consumers around the world. For the first time, every company that did business in the EU was held legally and financially accountable, under the threat of substantial fines, for the personal information it collects. It was, and still is, a big deal.
It was only a matter of time before other regions passed their own data privacy bills. We still don't have a federal law on the books in the U.S., but state governments have picked up the slack, starting with California. The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, giving consumers greater rights and control over their personal information. As of July 1, 2020, the California Attorney General can enforce CCPA and bring legal action against any company that does business in the state.
As California goes, so goes the rest of the country. Nevada and Maine have new data privacy laws, and several other states have proposed legislation. California is also working on "CCPA 2.0", the California Privacy Rights Act (CPRA) ballot initiative, which would bring the law closer to GDPR.
The current CCPA law says that consumers have a right to know what personal information is being collected and who it is being shared with. Consumers also have the right to access that information and to request that it be deleted, and they can opt out of the sale of their personal information.
Putting a data management framework in place that can accommodate these requests is easier said than done, yet it has become an essential business function. Failure to comply can result in civil penalties, disruption to normal operations and damages owed to individuals whose information was compromised: CCPA gives consumers a private right of action when a business's failure to maintain reasonable security leads to a breach of their unencrypted personal information. We are only six months into CCPA being in effect, and there are already several class action lawsuits being litigated that allege companies' failure to implement adequate security measures led to data breaches. Hanna Andersson, Minted and Walmart are all the subject of existing litigation in the state.
To put an effective data management framework in place that complies with CCPA guidelines, here are five best practices:
1. Create and maintain a data map.
Your data map must indicate what personal information is being collected, why it is being collected and where the information is stored. It also needs to identify any third parties that have access to the personal information and why. Companies can do this by incorporating data privacy directly into vendor onboarding to ensure proper safeguards around the personal information you will be collecting and/or transferring. This is also the right time to get appropriate contract terms in place that limit what the third party can and cannot do with the personal information and require the third party to adequately protect it.
2. Keep privacy policies updated.
Consumers are entitled to current notice, at or before the point of collection, of what personal information is being collected and how and why it is used or shared. Failure to update public-facing policies within a reasonable time frame can open you up to liability.
3. Be responsive.
Customers must be able to contact your company about their personal information and get a complete and accurate response. Because CCPA requires a response within 45 days of a verifiable consumer request (extendable once by a further 45 days when reasonably necessary), putting a standardized process in place and training employees on the proper procedures is critical.
4. Demonstrate security and compliance.
We'd like to think that every company has robust security controls in place to protect personal information, but having a plan isn't always enough. You need to be able to prove that the controls exist and operate as described. This assurance can often be provided through third-party audits or reviews, such as ISO 27001, SOC 2, CMMC or FedRAMP. Bear in mind that these attest to your security program, not to CCPA's consumer-rights obligations (notice, access, deletion and opt-out), which still need their own evidence.
5. Clean up your data.
You don’t want to be on the hook for exposing data that isn’t even an asset to your company. Regularly review the personal information you’re storing and get rid of any information that you don’t need and aren’t required to retain for compliance reasons. The risk is just too great.
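The data map (1), the consumer-request handling (3) and the clean-up step (5) above fit together as one small inventory that can answer requests mechanically rather than by hand. The following is an added Python example, not code from the original article; the data map entries, the store layout, the subject ID, the vendor names and the retention periods are all hypothetical sample data constructed for illustration. Each data map entry records where a field lives, why it is collected, who it is shared with and how long it is kept, and the three functions walk that map to serve an access request, a deletion request (retaining only what a legal obligation requires, and listing the service providers that must be told to delete their copies) and a periodic retention sweep.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DataMapEntry:
    """One row of the data map: a single personal-information field the company holds."""
    system: str              # where the field is stored
    field_name: str
    purpose: str             # why it is collected
    third_parties: tuple     # (vendor, reason) pairs it is shared with
    retention_days: int      # how long it is kept; 0 = only until a deletion request
    legal_hold: bool = False # must be retained for the retention period even if deletion is requested


# Hypothetical data map for a small online retailer.
DATA_MAP = [
    DataMapEntry("crm", "email", "order confirmations", (("MailVendor", "transactional email"),), 0),
    DataMapEntry("crm", "phone", "delivery contact", (), 0),
    DataMapEntry("billing", "card_last4", "payment records", (("PaymentProcessor", "charge processing"),),
                 2555, legal_hold=True),  # 7 years, kept for financial record-keeping
    DataMapEntry("analytics", "ip_address", "fraud detection", (("AnalyticsVendor", "site analytics"),), 90),
]


def sample_stores():
    """Constructed sample data: system -> subject ID -> record (with a 'created' date)."""
    return {
        "crm": {"c-1001": {"created": date(2019, 9, 1), "email": "a@example.com", "phone": "555-0100"}},
        "billing": {"c-1001": {"created": date(2019, 9, 1), "card_last4": "4242"}},
        "analytics": {"c-1001": {"created": date(2020, 2, 1), "ip_address": "203.0.113.7"}},
    }


def access_request(stores, subject_id):
    """Right to know / access: every field held about the subject, with its purpose and recipients."""
    report = []
    for entry in DATA_MAP:
        record = stores.get(entry.system, {}).get(subject_id)
        if record and entry.field_name in record:
            report.append({
                "system": entry.system,
                "field": entry.field_name,
                "value": record[entry.field_name],
                "purpose": entry.purpose,
                "shared_with": [vendor for vendor, _ in entry.third_parties],
            })
    return report


def deletion_request(stores, subject_id):
    """Right to delete: remove what can be removed, report what is retained and why,
    and list the service providers that must be directed to delete their copies."""
    deleted, retained, notify = [], [], set()
    for entry in DATA_MAP:
        record = stores.get(entry.system, {}).get(subject_id)
        if not record or entry.field_name not in record:
            continue
        if entry.legal_hold:
            retained.append((entry.system, entry.field_name, entry.purpose))
            continue
        del record[entry.field_name]
        deleted.append((entry.system, entry.field_name))
        notify.update(vendor for vendor, _ in entry.third_parties)
    # Drop subject rows that no longer hold any personal-information field.
    for table in stores.values():
        record = table.get(subject_id)
        if record is not None and set(record) <= {"created"}:
            del table[subject_id]
    return {"deleted": deleted, "retained": retained, "notify": sorted(notify)}


def retention_sweep(stores, today):
    """Data minimisation (step 5): purge every field whose retention period has lapsed."""
    purged = []
    for entry in DATA_MAP:
        if entry.retention_days == 0:
            continue
        for subject_id, record in list(stores.get(entry.system, {}).items()):
            age_days = (today - record["created"]).days
            if entry.field_name in record and age_days > entry.retention_days:
                del record[entry.field_name]
                purged.append((entry.system, subject_id, entry.field_name))
    return purged


if __name__ == "__main__":
    stores = sample_stores()
    for row in access_request(stores, "c-1001"):
        print(row)
    print(retention_sweep(stores, date(2020, 7, 1)))
    print(deletion_request(stores, "c-1001"))
```

The point of the structure is that the data map, not the individual engineer, decides what a request touches: adding a new system or vendor means adding a row, and the access, deletion and retention paths pick it up without further code changes. A real deployment would replace the in-memory dictionaries with adapters for each system and log every request and outcome, since the record of how a request was handled is what you will need if the handling is ever challenged.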
Make sure your company understands the data privacy laws it is subject to and reviews its current policies and practices against them. Following these best practices reduces your exposure to data privacy lawsuits, helps prevent a public relations nightmare and limits the damage a breach can do to your brand. It's all about customer trust: trust that you are being responsible with their personal information. Most importantly, however, data privacy is just the right thing to do. As the world continues to undergo digital transformation and every aspect of our lives goes online, we all need to take responsibility for protecting each other and our personal information.