Countdown to CCPA compliance: Top 10 data governance tips

In just a couple of days, the new year will be upon us and the California Customer Privacy Act (CCPA) will be in full effect. This means, going forward, businesses that collect personal data from people who reside in the Golden State must now honor their requests to access, delete, and opt out of sharing or selling their information.


Sound familiar? That’s probably because your organization is already on top of it and has been dedicating its resources to preparing for the January 1, 2020 compliance deadline. If the CCPA is news to you, however, then I’d advise you to contact your legal and IT departments immediately if you have any pressing questions.

Otherwise, this blog will serve as a refresher, highlight the main points about the CCPA, and count down the top ten data governance tips that will make CCPA compliance easier to follow for everyone in your organization.

Recap on the CCPA

Similar to 2018’s General Data Protection Regulation (GDPR), the CCPA will give Californians data privacy protections like those already offered to European consumers. However, this mandate also requires businesses not only to update their privacy policy protocols but also to cater to their consumers’ data privacy preferences and requests.

Who is affected

The CCPA applies to any for-profit entity doing business in California that:

  1. does business in the State of California
  2. collects, shares, or sells California consumers’ personal data (or does so through third parties)
  3. solely or jointly with others determines the purposes or means of processing of that data

Twenty-five-million-dollar club

More specifically, the CCPA targets larger businesses that fall into any of the following categories:

  1. generate an annual gross revenue in excess of $25 million
  2. annually buy, receive, sell, or share the personal information of 50,000 or more consumers for commercial purposes
  3. derive 50 percent or more of their annual revenues from selling consumers’ personal information

Organizations affected by the CCPA are required to inform consumers of how their data will be used. In addition, consumer requests must be handled in a nondiscriminatory way, and the requested information must be delivered to consumers in a reasonable time and free of charge.

Bracing for impact

According to the California Department of Finance’s Economic and Fiscal Impact Statement, up to 400,000 businesses may be impacted. An estimated 9,776 jobs will be lost, and the total statewide dollar costs that businesses and individuals may incur to comply with this regulation over its lifetime can reach around $16.4 billion.

As of July 1, 2020, enforcement of the CCPA will begin, and violations could result in millions of dollars of fines for companies. Civil penalties can range from $2,500 to $7,500 per violation, including up to $750 per individual California resident affected by a data breach or the cost of damages caused by the same.

Although the economic impact is significant, the benefits far outweigh the financial burdens: the regulations benefit CA residents because they implement the CCPA. They provide clear direction to businesses on how to inform consumers of their rights and how to handle their requests, making it easier for consumers to exercise their rights. They also provide greater transparency on how businesses collect, use, and share consumers’ personal information (PI).


The final countdown

Although consumer data is the focus of this new law, data governance is at the heart of ensuring that CCPA compliance is carried out effectively throughout any organization.

So, without further delay, here is the countdown of the top ten data quality tips that we hope will allow your organization to better adapt to CCPA compliance.

10. Align your data governance standards with your updated Privacy Policy

In addition to making sure your Privacy Policy complies with CCPA rules, take the necessary measures to adjust your data governance practices to account for the increased information requests from consumers and compliance queries from auditors.


9. Know how to respond to consumers’ requests for the “who, what, & why” of their data collection

Make sure business users as well as IT teams know what happens to consumers’ personal data or personally identifiable information when it’s shared within the business. Define the policies for its users, such as anonymization and ownership.


8. Make the option to delete data easy for everyone

One of the biggest problems with data quality arises when customer data is either duplicated in or missing from multiple data sources. Deduplication tools can help ensure that when customers want to erase their records, it can be done effectively.


7. Use data lineage to track data processing history

History answers many questions. Tracking the “who, what, where, when and why” for your consumers’ data will make it easier to fill gaps and account for data breaches.


6. Keep your data mapping accurate through a data catalog

Organizations need to map data correctly to create and maintain a holistic inventory of the Personally Identifiable Information (PII) they have stored and processed. A data catalog will be helpful when addressing requests from California consumers to access or delete their PII.


5. Data preparation is key  

With data preparation tools and machine learning, you can quickly identify errors, apply rules to massive datasets, and reuse and share consumer data when requested. In a recent benchmark survey that questioned how well companies met GDPR compliance, one of the main reasons companies failed to comply was the lack of a consolidated view of data and clear internal ownership over pieces of data. The most effective way to resolve this data disparity is by having appropriate data preparation tools that prepare consumer data in such a way that it will be quickly and easily retrievable.


4. Honor opt-out decisions holistically and take customers’ new rights seriously

The options to not only access and delete their personal data but also to deny a company the ability to sell their personal information to third parties are fundamental rights afforded to consumers by the CCPA. It is imperative that all systems within an organization reflect these decisions accurately to avoid penalties for violations. Aside from facing steep fines, organizations risk losing their consumers’ trust and tarnishing their reputation.


3. Appoint data stewards and a chief data officer

Enforcing the rules for data protection across all the systems cannot be done by a single person. Collaborative data stewardship that is empowered by self-service apps will be critical in successfully supporting this self-service approach and in fostering accountability across all stakeholders. Contrary to GDPR, the CCPA doesn’t mandate the naming of a data protection officer (DPO). However, appointing a chief data officer who is accountable for compliance and can act as the change agent to engage the rest of the company is key to successfully internalizing and complying with the new law.


2. Leverage APIs for efficient notice communication

A primary element stipulated in the CCPA is the presentation of a Notice to Consumers which informs consumers of the categories of personal information to be collected from them and the purposes for which the categories of personal information will be used. With the prevalence of mobile devices as a means of consumer interactions, this important notice can be most effectively served through API integrations with privacy policy programs.


1. Bring all the consumer data into a data lake

Bringing together consumer data from across disparate data sources into a cloud-based data lake will achieve a single source of truth where all consumer data can be referenced, reconciled and linked to their provenance. Big data management tools can help to populate it. Data quality tools can match disparate data from various sources. Data governance and stewardship can prepare, cleanse, de-dupe and create a 360 view of consumer PII for quick access, modification or deletion upon request.


The disruptive nature of this law is a hallmark for US privacy laws: it is the first of its kind. Although GDPR did come first, the CCPA may well be the catalyst that leads to similar laws being written in the near future for the sake of privacy and in the interests of residents of other states and countries as well.

To learn about how one of our partners was able to help their customer prepare for CCPA, check out this webinar.

Happy New Year!


For your Data Privacy, CCPA, and GDPR compliance needs, Talend has a solution fit for your organization.
