This week, Microsoft announced that it will be implementing the upcoming California Consumer Privacy Act (CCPA) for all customers in the U.S.
This is a big deal.
The CCPA has sometimes been referred to as “GDPR-lite”, meaning that it’s a light version of the European Union’s General Data Protection Act.
CCPA is important because it represents the first real, comprehensive privacy legislation in the U.S. And because the CCPA applies to all California residents, any company that works with data from California residents will be subject to it. Finally, because this is both the first comprehensive privacy regulation and it’s in California, the odds are very strong that CCPA will form the foundation for other state privacy regulations in the future, and quite possibly any U.S. federal privacy regulation.
For these reasons, it’s important for people to be aware of CCPA and start planning and taking action now, since CCPA comes into effect Jan. 1, 2020. Technology startups in particular should be aware of this because so many of them deal with customer data (almost certainly affecting California residents) but often don’t have privacy professionals or experts on staff.
As we know, ignorance of the law is no excuse. You may not know about CCPA but you may well be subject to it.
To help you get started figuring out what you need to do around CCPA, here are four tips.
Read the CCPA
No one enjoys reading legalese. That’s true for your customers with privacy policies, and likely true for you regarding privacy regulations. However, the CCPA is one of the most important pieces of privacy legislation in the U.S., if not the most important. There simply is no substitute for actually reading the CCPA yourself. Reading it will help you better understand and evaluate any secondary readings that you do on CCPA.
The full text of the CCPA can be found here.
When you read it, you’ll find that CCPA covers the following critical areas as outlined in the act’s opening:
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
Also, the act gives Californians the right to seek damages in case of the loss or theft of their data. Quoting once again:
Any consumer whose nonencrypted or nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action[.].
Put plainly, this means if you are the custodian of data from California citizens and you suffer a data breach or loss, those Californians whose data is lost have the right to take civil action against your company.
This represents the first real GDPR-like set of penalties for data loss or theft. That alone makes understanding this act critical for anyone that holds data.
Know what data you’re collecting and retaining
It may sound obvious, but the reality is that many companies don’t actually fully know what data they collect and retain. This truth was recently shown in the first episode of Season 6 of Silicon Valley when Richard, the CEO of Pied Piper, learns AFTER testifying to Congress that his company doesn’t collect data that in fact they do (and a lot of it).
This is especially true in the world of startups where the focus is on building and business growth. Privacy has a reputation of being a business-slower and so many large and small companies simply haven’t engaged in a program of systematic examination of what data they collect and retain, how they store it and for how long.
This means the absolute first step in getting ready for CCPA is knowing what data you’re collecting and retaining. Even companies that have a handle on their data collection and retention practices should use this opportunity to review and refresh: things move fast and the information that you have around data collection and retention could well be out of date.
Have others in your company read CCPA and start planning how they’ll comply
As you undertake knowing what data you’re collecting and retaining, have others in your company read the CCPA and start planning how they’ll comply. This isn’t an obvious step: after all, the CCPA is privacy legislation, and people tend to think these things can and should only be read by privacy experts and lawyers.
While this is understandable, it’s not the right way to approach this. Privacy requirements and regulations around data are something that everyone who touches data should understand. This helps instill a culture where privacy knowledge is integrated throughout. It also acts as a hedge against the reality that businesses often can’t get a full and complete view of all the data they have and where it’s stored.
For example, if someone in marketing mistakenly sends a spreadsheet of customer prospect information to the wrong email address, that can potentially qualify as a data loss subject to CCPA penalties. Your executives, lawyers, and privacy officers may not be aware that happened. But that person’s manager may be, and if they’re educated on CCPA, they can recognize the risk that mistake poses and take proactive action, which can help prevent more significant consequences.
Be like Brad (Smith)
Microsoft recently announced that they plan to implement CCPA company-wide so that it governs all U.S. customers.
This is consistent with what we’ve seen Microsoft do around privacy with other international regulations, as well as the vision that its president, Brad Smith, has outlined in his comments and his recent book “Tools and Weapons.”
In his book, when Smith writes about what Microsoft did to comply with GDPR, he describes a comprehensive company-wide process to understand what data the company collects and retains. He talks about how this process was ultimately beneficial for Microsoft because it helped them get a better understanding and control over their data collection and retention.
That comment speaks loudly about the business benefit of treating compliance with GDPR or CCPA in a broad and comprehensive fashion rather than trying to create a one-off system just to comply with the specifics of the law.
In addition to that benefit, following Microsoft’s lead and implementing CCPA for all U.S. customers has an additional benefit: as I noted before, since this is the first comprehensive privacy legislation in the U.S., the odds are strong that other legislation will mirror it. If you take the time to implement CCPA today for all U.S. customers, you will be very well placed to comply with any future privacy legislation from other states. And most importantly, there’s already talk about the likelihood of any eventual federal privacy legislation following the CCPA closely. Once again, if you do this work now, you will save yourself and your company work in the future.
Privacy can seem to be a murky and scary arena for businesses, especially startups. It has a reputation of being very legalistic so that only privacy professionals and lawyers can navigate it.
The reality is that most technology companies, including startups, deal heavily with user data. And as the CCPA comes online in Jan. 2020, anyone that deals with data for Californians is subject to that law, without exception.
Fortunately, the principles of the law aren’t that arcane, and the law itself can be read fairly quickly. You can start to get ready for CCPA by following these four steps that I’ve outlined here. And if you approach this as a comprehensive project for all your U.S. customers, you can be well placed to deal with additional privacy regulations as they develop in the coming years.