Our panelists, Lauretta Lu, Privacy Counsel, LiveRamp; Tim Geenen, GM of Privacy & Consumer Experiences, LiveRamp; and Justin Antonipillai, CEO, WireWheel; along with moderator Alison Brunelle, Director, Privacy & Consumer Protection, PwC, share some CCPA basics and the role technology plays in compliance strategies.
When the California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, companies must have data workflows and technical solutions in place to manage consumers’ new rights under the law. These include, but are not limited to, the right to request access to the actual pieces of data collected, the right to request an opt out, and the right to deletion. These rights are difficult to manage accurately and at scale without technology, a reality many companies may not be aware of.
To discuss how the law came about and the potential impact the exercise of these rights has on affected companies, we recorded an on-demand webinar titled Preparing for the CCPA, part 1: Understanding the CCPA’s Impact on Your Tech Stack. Read three takeaways from the webinar below or watch it here.
CCPA Came about Due to Growing Awareness of Data Misuse
The CCPA was proposed and passed in response to growing awareness of how consumers’ data has been mishandled, according to Lauretta Lu, Privacy Counsel at LiveRamp. She cited Facebook’s Cambridge Analytica scandal, which played a part in landing Facebook with a $5B FTC fine, and Google’s $22.5M FTC settlement over misrepresenting cookie tracking on Safari Internet browsers, as headline-grabbing examples.
Alastair Mactaggart, a real estate developer and investor, was personally motivated to take up the cause, and in essence created the CCPA when he learned from a Google engineer that most people have no idea how much data companies have collected on them. This spurred him to coauthor the 2018 ballot initiative that was quickly passed as the California Consumer Privacy Act (CCPA).
Scoping Technical Requirements Begins with Vendor Analysis
The definition of personal information under the CCPA is broad. Companies may be unaware of how much consumer data they collect, store, and activate that will be covered by the CCPA after January 1, 2020. “What a lot of companies don’t understand is how many elements can contain personal information on either a website or an app,” Tim said. He went on to share that the CCPA definition encompasses both individual and household-level data and identifiers within cookies.
As such, identifying the third-party vendors that use CCPA-defined personal information on your company’s website and app is a good first step in understanding whether or not a technical solution is needed to manage opt-out requests. Moreover, it’s a good “clean up exercise,” as Tim called it, to remove forgotten scripts lingering in the background for more than a decade.
Individual Requests are Not Just about Taking, but Holding
Fans of Seinfeld may recall Justin’s favorite episode, in which Jerry’s rental car was given away even though he had made a reservation. The company “took the reservation, but didn’t hold it.” This parallels the requirements under the CCPA, as companies must not only be able to take individual requests for opt outs, deletion, and access, but also follow through with them.
In the case of access, it’s important that companies can “get information back to consumers in a nice, safe, and secure way,” as Justin put it. Without CCPA-compliant workflows and technologies, this becomes a difficult endeavor that could even turn into a privacy violation.
To watch the full webinar, click here. If you’re in a CCPA-preparing mood, follow that webinar viewing by watching its sequel, Preparing for the CCPA, part 2: How to Manage Permission and Access Requests, which details the LiveRamp Privacy Manager and WireWheel joint solution for managing opt outs and data subject access requests.