5 Things to Know About Data Privacy Compliance for CCPA and Beyond

To help organizations prepare for CCPA – which goes into effect on January 1, 2020 – compliance connoisseurs Jim Halpert of DLA Piper Global Law Firm and Jeffrey DiMuro of Salesforce share tips, best practices, and critical information about the Act in the webinar “Get Ready for CCPA — Don’t Just Survive Data Privacy Compliance, Learn How to Thrive.” Halpert, who serves as Partner and Global Data Protection, Privacy, and Security Practice Co-Chair, and DiMuro, Chief Security and Compliance Architect, cover CCPA core rights, GDPR vs. CCPA, privacy features in Salesforce, compliance best practices, and the future of CCPA. This post highlights five key details from the webinar you should know about data privacy compliance for CCPA and beyond.

1. CCPA provides consumers with a new range of core rights

To increase transparency and offer more control over personal data, CCPA provides California consumers with a basic set of core rights:

  • Right to know what personal information is collected
  • Right to opt out of the sale of personal data
  • Right to access collected personal information and request its deletion
  • Right to know if personal data is sold or disclosed
  • Right against discrimination for exercising rights under the Act

These rights are designed to expand transparency regarding data collection, usage, and disclosure. The right to know, for example, provides consumers with additional information about disclosures and sales. CCPA’s broad definition of a “sale” includes any form of monetization of personal data. Because the definition is so broad, organizations must map their data to be able to respond to consumer requests such as opting out of the sale of personal information.

Consumers could opt out of many forms of disclosure, but CCPA’s broader set of core rights applies to many more types of data than other privacy regulations. Information that’s associated with a household – such as a home router with an IP address – or an individual counts as personal data.

2. GDPR compliance does not equal CCPA compliance

The EU’s General Data Protection Regulation (GDPR) protects consumer data privacy for European Union residents. If your organization has a GDPR compliance program, it might help you kickstart CCPA efforts. However, just because you’re GDPR-compliant doesn’t mean you’re CCPA-compliant. In fact, most control processes designed for GDPR don’t fit CCPA because the regulations have different scopes, exceptions, definitions (including differing definitions of devices, household information, publicly available information, health and financial data), data subject rights, and privacy notices.

While CCPA’s data subject rights like access, deletion, and data portability are similar to GDPR, the way that you verify requests is very different. Unlike GDPR, CCPA provides explicit coverage of devices and household information; if you can associate a device or internet activity with a house of multiple individuals, that’s considered personal data because the individuals all live in the same household. CCPA also offers exemptions for publicly available information, which don’t exist under GDPR.

Mapping to GDPR alone is not sufficient for CCPA compliance – for example, any commercial agreements you modified to comply with GDPR will need further amendment for CCPA to include specific terms that avoid qualification as a ‘third party,’ facilitate cooperation in responding to deletion requests, and more.

CCPA is quite unlike any previous U.S. laws and deviates even from GDPR. Complying with GDPR provides a strong head start on CCPA compliance, but it’s not enough to fulfill all the Act’s requirements.

3. Certain industries with other data privacy regulations are allotted exemptions to CCPA

For many American companies, complying with CCPA and meeting other regulatory requirements like the Gramm-Leach-Bliley Act (GLBA) for financial services is challenging. And financial services companies that normally have a GLBA exception don’t necessarily have that exception with GDPR. CCPA, however, says data that is processed, sold, collected, or disclosed pursuant to GLBA is exempt – so if you’re a financial services company that has acquired customers, their data may be exempt from CCPA.

You’ll have to build a data mapping inventory to understand what information is regulated by GLBA and is therefore exempt. B2B interactions are not regulated by GLBA, but a GLBA written moratorium makes the endeavor a highly data-specific exercise, which calls for a curated data inventory. Data mapping is critical, and CCPA’s broad rights – broader than GLBA’s – mean that even companies with established privacy requirements will need to make changes to meet compliance.

4. Salesforce offers governance features for data privacy compliance

Organizations store a vast amount of data in Salesforce, much of it sensitive and personal in nature. Fortunately, Salesforce prepared for GDPR and future regulations like CCPA by introducing native data classification capabilities. The platform’s governance and privacy options can help facilitate regulatory compliance with laws like CCPA since the controls are centered primarily around data collection, usage, and tracking. To comply with privacy regulations, organizations must know their data extremely well, which requires data mapping.

With CCPA’s increased transparency on businesses’ data collection methods and disclosure practices, data mapping is becoming more essential for organizations. To understand what data you’ve collected from consumers, Salesforce’s data classification capabilities offer a simple way to organize and track information. Data classification and consent tracking are two useful ways to categorize information that are native to the Salesforce platform. With these features, businesses can see where their data is, who has access to it, and whether consumers have opted out.

Data classification and user entitlements

Data classification helps organizations understand data through mapping. Before you can classify data, you need the appropriate data taxonomy. Classifying any existing, unclassified data in Salesforce is important because it will determine which users have the entitlements to access that data based on the consumer’s consent. A robust data inventory is foundational – you must know why you have specific data and who should have access to it. Understanding why you’ve collected certain data makes it easier to trace your efforts to specific compliance requirements. For example, if you’re going to qualify for an exemption, you must track the data to know if it was acquired by a regulated part of your business.

Once a taxonomy is established, you can assign privileges to users. Entitlements are dynamic – you can’t “set it and forget it,” because new data enters the platform, employees change job roles, and new customers join your organization all the time. And while creating entitlements is one of the first steps, it is by no means the last – it begins the feedback loop of continuously assigning users privileges and reviewing assignments to ensure the right people have access to the right data at the right time.

Consent tracking – evolving robust models with simple interfaces

To complement the data classification features, Salesforce also provides four detailed layers of consent for tracking purposes:

  • Layer 1 – The Individual. What has the consumer consented to at the broadest level? This allows organizations to understand if a consumer initially gave consent and whether they have a legal basis for processing and storing the consumer’s data.
  • Layer 2 – The Channel. The channels through which the consumer wants to be reached – email, telephone, social, or SMS, for example. Each individual channel has an opt-in or opt-out selection.
  • Layer 3 – The Contact Point. What addresses does the consumer want to be reached on? This could be a specific address such as a home email, a work phone number, or an @ handle on social media. This level also provides an opt-in and opt-out for specific addresses.
  • Layer 4 – Purpose. For what purpose or subscriptions does the consumer provide consent? This includes the purpose for data use like billing and programs, which correlate to consent levels two and three.

A consumer might say to a bank: “It’s okay to email me if you’re sending my latest bill or invoice, but if it’s soliciting a new mortgage, then no, I don’t want you to contact me.” With the consent tracking features, a bank can specify what that specific consumer wants regarding communication and consent. Using Salesforce’s classification and consent tracking, organizations can better manage data privacy compliance.
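The bank scenario above, modeled as a layered check that reports which consent layer decided the outcome. This is an added example, not Salesforce's schema or API; the class, field names, sample addresses and the rule that a missing entry means "no consent" are assumptions.

```python
from dataclasses import dataclass, field


# Simplified, hypothetical model of the four consent layers described above.
# All names are assumptions; this is not Salesforce's object model.
@dataclass
class ConsentRecord:
    individual_ok: bool                                  # Layer 1: the individual
    channels: dict = field(default_factory=dict)         # Layer 2: channel -> bool
    contact_points: dict = field(default_factory=dict)   # Layer 3: address -> bool
    purposes: dict = field(default_factory=dict)         # Layer 4: (channel, purpose) -> bool


def may_contact(rec, channel, address, purpose):
    """Return (allowed, deciding_layer). Missing entries deny (assumed policy)."""
    if not rec.individual_ok:
        return False, "individual"
    if not rec.channels.get(channel, False):
        return False, "channel"
    if not rec.contact_points.get(address, False):
        return False, "contact_point"
    # Purpose consent is keyed by channel, since layer 4 correlates with layers 2 and 3.
    if not rec.purposes.get((channel, purpose), False):
        return False, "purpose"
    return True, "all"


def audit(rec, requests):
    """Evaluate a batch of (channel, address, purpose) outreach requests."""
    return [(r, *may_contact(rec, *r)) for r in requests]


# Constructed sample: billing email is fine, mortgage solicitation is not.
BANK_CUSTOMER = ConsentRecord(
    individual_ok=True,
    channels={"email": True, "sms": False},
    contact_points={"home@example.com": True, "work@example.com": False},
    purposes={("email", "billing"): True, ("email", "mortgage_offer"): False},
)

if __name__ == "__main__":
    for row in audit(BANK_CUSTOMER, [
        ("email", "home@example.com", "billing"),
        ("email", "home@example.com", "mortgage_offer"),
        ("sms", "home@example.com", "billing"),
    ]):
        print(row)
```

Returning the deciding layer alongside the verdict gives an audit trail for why a given outreach was blocked, which helps when answering a consumer request.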

5. Following compliance best practices is a simple way to align with CCPA and other privacy regulations

To prepare for CCPA, it’s important to take basic steps like publishing compliance notices and adding an opt-out page to your website. Best practices like these can ease your organization’s data privacy compliance. For CCPA in particular:

  • Know where your data is. If it’s in a cloud environment, manage it using the tools the cloud environment provides.
  • Encrypt or redact your data. Without doing this, if there’s a breach and you must provide notification, you risk a class action waiver.
  • Systematically monitor and analyze users’ access to data. Application audit logs track user activity so you can see which privileged users are accessing which data, helping you fulfill CCPA requests and preventing privacy breaches.
  • Track and respond to opt-out and opt-in requests. If you’re “selling” personal information, you need to offer all users the ability to opt out of sales of their data. Data mapping can show the difference between when data was sold or if it was just transferred to a service provider, for example.
  • Offer two ways for consumers to make requests. CCPA requires multiple avenues for consumers to opt out of sales of their data.

Adhering to general data privacy best practices means you’re not only more likely to be fulfilling regulation requirements, but you’re also establishing a reputation as a proactive leader in the privacy movement, fostering trust among customers. In general, your organization should:

  • Only collect the data it needs.
  • Offer transparency by gathering consent.
  • Know the location and purpose for the data collected.
  • Implement access controls through CRMs such as Salesforce.
  • Establish robust data security with user activity monitoring.
  • Develop an internal compliance taskforce.
  • Utilize the cloud platform’s built-in tools to simplify privacy efforts.
  • Apply the principle of least privilege – the more people who have access to data, the greater the risk there is of a breach, compromised credentials, or privileged user abuse.

The bottom line? Understand the legal compliance requirements, understand your data, make sure it’s protected, make sure it’s entitled appropriately, and know how you’re using the data.

6. CCPA is going to change

CCPA is a moving target – during the coming months, we may see new requirements, amendments, moratoriums, exemptions, exclusions, or clarifications. Even the next few years will likely bring new initiatives to change details such as fines or enforcement procedures. There are already initiatives underway that will be on the Fall 2020 ballot in California.

As CCPA continues to evolve, remember that compliance is a journey, and January 1, 2020 isn’t the finish line. Your organization will need a flexible information management strategy to respond to future requirements. Along the way, other states like Maryland and Massachusetts will likely create their own versions of CCPA, which can affect your privacy management even further. Instead of playing whack-a-mole trying to keep up with new legislation, create a program that addresses your current legal requirements and leaves room for the addition of future outliers.