Although the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, the rules implementing and enforcing the law will not take effect until July 1. At that point, any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data will be governed by CCPA if it:
- Has annual gross revenues in excess of $25 million; or
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half its annual revenue from selling consumers’ personal information.
While data privacy regulations have focused on holding organizations accountable for breaches of their systems and of the Personally Identifiable Information (PII) they hold, the rights of consumers to enforce the privacy of their personal data under CCPA (and, of course, GDPR) have arguably received much less attention. Make no mistake: CCPA puts consumers in the driver’s seat.
A tenet of CCPA is that consumers should feel free to exercise their rights to safeguard their personal data. What’s more, consumers should demand that organizations remain transparent about the usage of their personal data: what information the organization holds, how it is being used, and who it is being shared with.
SRRs, or Subject Rights Requests, cover a defined set of rights where individuals have the power to make requests regarding their data, and where organizations handling this data must address these requests in a defined time frame – which, for CCPA, is 45 days.
Given the primacy of consumer data, organizations that collect personal information and are subject to CCPA need to turn their focus to their obligation to protect the consumer data they hold, rather than fixate on avoiding fines or litigation. Still, Gartner cautions that “subject rights requests left unmanaged have the potential of becoming ‘death by a thousand cuts,’ and costing organizations millions of dollars.”
SRRs come in three categories:
- Right to know: These rights focus on providing individuals with access to their data. This class of requests includes the most commonly sought SRRs, typically known as subject access requests (SARs) or data SARs (DSARs), where individuals seek to view what data the organization holds on them.
- Right to correct: These rights focus on allowing individuals to manipulate their data or their preferences. At the extreme, corrective rights allow individuals to delete their records.
- Right to object: These rights focus on allowing individuals to control how their data is processed. Under the CCPA, individuals have the capacity to object to the sale of their data to a third party.
Complying with SRRs requires that organizations establish a privacy management program well in advance of receiving SRRs. The goal is to “hit the ground running” and avoid being deluged by the flood of incoming SRRs – especially in the early days of CCPA.
And there’s another side to the importance of SRRs: a company can bring a high level of transparency to SRRs as a means of increasing customer intimacy and strengthening its brand image.
Remember that a structured approach to managing personal data and SRRs is critical, and keep in mind that every SRR must be met within 45 days. Here is a six-step process that sets the stage for success:
- Establish a privacy risk register, where the organization can log and validate repositories of personal data, calculate the risk of each entry and use it to prioritize remediation tasks.
- Divide the discovery exercise into two parts: one dealing with information currently held, and the other focused on new information that the organization is generating or appropriating.
- Ensure that new information introduced into the system has the metadata that would allow it to be tracked and managed properly.
- Capture, catalog and prioritize large repositories of personal data – such as HR data, CRM records, and customer care logs – as they represent risk to a large number of individuals.
- Enable your employees and partners to introduce new personal data repositories they discover into the existing privacy risk register. Doing so creates an iterative, crowdsourced process that maximizes the amount of personal data you can manage for any individual.
- Define consumer rights workflows and steps in detail. Automate consumer rights management with a data privacy compliance automation platform.
Even with a process in place, enforcing compliance remains a notoriously complex challenge. “A CCPA-covered business is required to respond to at least two requests from any individual consumer in a 12-month period, provide a toll-free number for consumer information requests, and prominently link to an opt-out page from the company’s homepage or any other page where personal information is collected,” according to the law firm Gunderson Dettmer.
Still, platforms for automating the stewardship of personal data can eliminate weeks or months of tedious, error-prone manual processes, and the documentation they produce provides proof of compliance to auditors.
And that’s the way to go into the early days of CCPA compliance forewarned and forearmed.