The California Consumer Privacy Act (CCPA) plays an important role in data regulation globally. This regulatory system applies to any for-profit company that collects the data of consumers residing in California.
America’s GDPR: A guide for UK organisations on how to prepare for the CCPA
Though this was always bound to be a welcome instalment for online consumers, numerous amendments to it, since it came into force in 2018, mean that decision-makers need to keep track of this, as well as the rising amounts of data their company collects from customers.
“If you look in the United States alone, CCPA has just been released fairly recently,” explained Stephen Manley, chief technologist at cloud data protection firm Druva. “Because it’s a new law, it’s actually currently undergoing amendments, so it’s not what you’d call a fully stable law yet.
“It’s still being figured out, which is pretty common.”
Managing data in various locations
One major challenge that Manley says companies deal with when it comes to data management under CCPA, is dealing with consumer data that’s located across a number of devices and software infrastructures.
He explained: “I think the biggest challenge we see a lot of people having, is that they often don’t understand how many places are holding customer data.
“They were thinking very much about the data that they had on their premises, maybe things that are in file servers, databases, corporate laptops, that sort of thing, and it takes a while to then realise that they’ve got a number of SaaS applications, whether it’s Salesforce, Slack or Office 365.
How artificial intelligence and machine learning changed the SaaS industry
“We need to be able to get a hold of that data as well and cope with it, and in fact, you can then get into multiple layers, and there becomes a daisy chain of who actually is holding the data, and how you get a hold of that.
“That be a real challenge for a lot of organisations; because the CCPA basically gives you 45 days to be able to comply with any sort of request, being able to hit that SLA when you have to go through potentially multiple layers can actually be quite challenging.”
An opportunity for reflection
According to Manley, the companies that manage to succeed while staying within CCPA boundaries use the regulation as an opportunity to reflect on their operations.
“Regulations like CCPA are a good baseline for what your company should be doing anyway,” he said.
“For a lot of the better organisations, we see them saying that the goal isn’t just to hit the baseline, but it’s to use this as a starting point for discussion about what we want to be as a business.
“They use this as an opportunity to ask questions around what they’re doing around data governance as an organisation, what they’re doing around data security as an organisation, and what they’re doing around data protection as an organisation. So, that’s the first thing they do.”
Using security as a marketing tool
The security of customer information is a major focal point for companies when it comes to adhering to CCPA, due to the risk of being fined if customer information is breached.
Companies found to have intentionally infringed the regulations could be subject to fines up to $7,500, while $2,500 is the maximum for cases that aren’t found to be intentional.
Beyond IT: Combating cybersecurity breaches needs to be a company-wide effort
According to Druva’s chief technologist, however, having possession of adequate security will not only ensure compliance, but could also be used “as a marketing advantage for connecting with customers”.
He continued: “They think: ‘If we do a good job with this, this is something we should be sharing with our customers, that we treat them and their data and their privacy as something that’s fundamentally important to our organisation’,” he continued.
“If you can do that, let’s not just tick the box, but let’s use it as a way to get closer to our customers.”
Implementing evolution into company strategy
The third action that Manley says companies can take in order to use CCPA compliance to their advantage, is ensuring that they are ready to change with regulation amendments, while looking to other regulations within the United States for inspiration.
“There are multiple other states that are looking at similar laws, and the CIOs and CTOs are looking around and saying ‘Okay, this isn’t a one off, so what’s our legal strategy? How are we going to deal with the fact that we’re going to have to cope with multiple regulations in multiple geographies?
“The ability to adapt to new regulations quickly could actually become a competitive advantage. They look at how can how they can make that a strategy for the organisation.”