When the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, it will codify what we’re seeing globally: a new emphasis on the rights of consumers to own and control their personal data.
Keep in mind that by addressing CCPA, you’re also formulating a new privacy journey for current and prospective customers, one that will impact consumers in California as well as those in other states and around the world.
Don’t get so engulfed in CCPA compliance tasks that you neglect to realize opportunities for building consumer relationships in a privacy-centric future. From day one, your company should seize CCPA as a chance to demonstrate responsible data stewardship and build consumer trust.
Let’s take a look at how you can tackle compliance and use privacy leadership to strengthen your brand now and in 2020.
By January 1, make sure you’ve done the essentials
The first question to ask yourself: Have you given consumers the ability to exercise their privacy rights?
Prepare your website to accept SRRs
From every page of your website, consumers should have an easy way to tell you “hey, don’t sell my personal info,” “send me back all the info you have on me,” or “delete my personal data from your systems.” If your company has an offline presence, you’ll need to provide a phone number for consumers to do the same.
This is the bare minimum you should have in place to show consumers that your company is addressing critical privacy issues. Other websites will have this basic privacy language, and if yours doesn’t, it will stand out like a red flag. Keep in mind, this is the very first interaction that consumers will have with you on their data privacy journey with your company, so make it a positive one.
Get processes in place to fulfill SRRs
Now is also the time to solidify your basic processes for accepting, verifying, tracking, and responding to Subject Rights Requests (SRRs). You’ll need a system in place to keep track of all the SRRs you’ve received, their status and the approaching deadlines.
Make sure you can automatically build and check suppression lists when consumers opt out of the sale of their data, including cookies and other tracking technologies.
Consider the technical elements and how you’ll rely on colleagues and third parties to fulfill requests. Make sure people know what will be expected of them and which systems they’ll need to access when the first requests come in. Do it now so you’re not scurrying when the first deadline looms for providing consumer data.
Breathe a small sigh of relief
You won’t be required to hand over any consumer data in January 2020. CCPA gives businesses 45 days to respond to all Subject Rights Requests (SRRs). If a consumer submits an SRR on January 1—the earliest possible date—you’re not required to get back to them until February 14. If you’re unable to do so within 45 days, CCPA allows you to contact the consumer to let them know you need an additional 45 days.
SRR fulfillment begins in February 2020
February 14 is the soonest you’ll need to respond to any SRRs. From this date onwards, you’ll need to show all the SRRs you’ve processed and provided back to consumers and on to third parties. You’ll know how many SRRs you received since the start of the year and you can use that as an indication of the volume of SRRs you can expect in the months ahead.
Review and refine the consumer privacy journey
If you were in a rush to set up your “opt-out” web links and phone number at the end of December, take a closer look in the New Year at the consumer journey you’ve created. Ask yourself:
- Is the process easy and intuitive, and does it use clear, human language that consumers will understand?
- Have you informed consumers how you’ll keep them updated on the status of their request?
- Have you assured consumers that their request and their personal data will be handled securely during every step of the process?
- Is your privacy messaging consistent with your company’s overall approach to consumer privacy?
Plan for extended deadlines
If you informed any consumers that you needed an additional 45 days to fulfill their SRRs, you’ll start reaching those extended deadlines as early as March 30. By then you should have a good idea of the volume of SRRs to expect for the rest of the year. You can plan for a 45-day fulfillment cycle for SRRs and you’ll know if and when you’ll need to rely on an extra 45 days.
Enforcement begins July 1, 2020
The first half of 2020 is your warm-up, or trial run, for CCPA. The Attorney General of California starts enforcing CCPA compliance on July 1. By summer you should have your consumer privacy journey clearly mapped and documented. If regulators decide to check on your compliance, you’ll be able to point to any interaction along your consumer journey and show how it exemplifies your company’s utmost respect for data privacy.
What’s next for your privacy program in 2020: Evaluation, automation, and evolution
Even if you’ve checked all of the boxes for CCPA compliance, your privacy journey is not over. Your consumer privacy program will continue to mature throughout 2020 and beyond as privacy laws and consumer expectations evolve.
Here are some critical areas where you’ll want to shore up your privacy program in the second half of the year:
- Continue to scrutinize consumers’ privacy needs and your company’s communications to ensure that the journey builds trust in your brand.
- Analyze the requests you’ve received to understand which represent the highest privacy risk, which take the longest to fulfill, and which require additional follow-up or workflows.
- Adjust your processes for evolving privacy laws. They may have different requirements and deadlines.
- Evaluate how well your vendors and partners have been able to adjust to new privacy expectations and data requests. Add additional review steps to your relationships and processes and, if necessary, end relationships with third parties that aren’t meeting expectations.
- Look for opportunities to streamline your processes and automate repetitive tasks to help your team become more efficient. This could entail building workflows with pre-configured questions, continually capturing information about your data stores, or integrating with enterprise systems that impact consumer data.
- Consider implementing a platform that automates the process of deleting customer data in internal SaaS systems and notifying vendors of opt-out or deletion requests.
- Create reports and required documentation that you can share with executives, regulators, and anyone who needs to see the details of your privacy program, including systems and processes you’ve assessed and actions you’ve taken.
As your consumer privacy program matures, remember that you’re dealing with real people with real concerns about the privacy of their data. If you treat them with respect during every step of their privacy journey, you’re likely to see genuine benefits for your business.
WireWheel is here to help you launch a privacy program quickly so you can meet CCPA requirements and make sure you have everything you need to grow your program at your own pace. Learn more about our CCPA compliance software and request a live demo today.