Is CCPA just the tip of the iceberg when it comes to regulatory compliance in the US?

Compliance, Thought Leadership, Respond


In force since 1 January 2020 and enforceable by California's Attorney General since 1 July 2020, the California Consumer Privacy Act (CCPA) is regarded by many as just the tip of the iceberg when it comes to data protection regulation in the USA. It is so far the country's most comprehensive privacy law, and many predict it will form the blueprint for other states to issue their own laws.

New York, Illinois and Washington are thought to have draft laws in the pipeline, while other states already have sector-specific privacy laws in place. Some businesses are calling for federal privacy legislation that builds on the progress made by California, but in light of the current pandemic and the recent presidential election, we're unlikely to see a comprehensive bill come out of Washington any time soon. However, with the CCPA now up and running, and the California Privacy Rights Act (CPRA) set to take effect on 1 January 2023, surely it's only a matter of time before other states follow suit?

Different requirements

Multinationals such as Microsoft are extending CCPA privacy rights to individuals across the US, but that does not mean a business which does the same will automatically be compliant with whatever data protection legislation appears next. Businesses that assume CCPA compliance guarantees compliance with every other data privacy law need only look at Europe's General Data Protection Regulation (GDPR): the two are broadly similar, yet there are distinct and important differences to be understood.

For one, the CCPA's definition of personal information is broader than GDPR's in one respect: it covers any information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household, rather than an identified or identifiable natural person alone. Conversely, GDPR upholds a 'right to rectification', which the CCPA as enacted does not provide (the CPRA adds a right to correct inaccurate personal information from 2023). So the idea that compliance with one set of regulations guarantees compliance with a similar law is a common misconception.

What data privacy laws do have in common is that consumer rights requests lie at the very centre of the legislation: rights to access, delete and, where applicable, opt out, which empower consumers to protect their own data. For businesses, this creates the need to receive, log, verify and process every request within the statutory deadline, alongside effective, secure and comprehensive management of the very data these laws are designed to protect. Not only must businesses guarantee these fundamental rights for consumers, they must do so in a way that is transparent and fully auditable, to protect customers and the business alike.

Preparation is key

So how can businesses prepare for whatever shape future legislation might take? Diligent record-keeping is key: tracking every customer interaction and every piece of personal information that results from it, where it is stored and who has access to it. At the same time, security of this information is vital, as is the ability to search it, since a rights request cannot be honoured for data you cannot find. Accurate, transparent and comprehensive reporting capabilities are a must if businesses are to fulfil customer rights requests and demonstrate to the authorities how compliance has been achieved. In this regard, many businesses are turning to complaint management systems for help, with such technology underpinning the robust, secure and auditable management of all customer information.

None of these specific processes and systems is mandated by any existing data privacy legislation, but full visibility and auditability across all consumer data is the foundation on which compliance with every data protection requirement rests. Only with this level of data management can businesses realistically achieve compliance, particularly as compliance requirements are only set to become more stringent.

Mutually beneficial

While legislation such as the CCPA sets out to protect consumers, compliance is of great benefit to businesses, too. It demonstrates a commitment to customers, which has obvious value in a world where customer loyalty is ever-dwindling, and it protects the business itself by establishing a culture of transparency and data security that goes beyond any optional measures an organization might choose to implement.

As businesses become increasingly data-driven, the effective and secure management of that data is key. It's no longer a question of if but when new data privacy laws will appear. Businesses that put the framework for compliance in place now, implementing best practice and robust systems to protect consumers, will steal a march on the competition. Getting your house in order when it comes to consumer data must be a priority for businesses today. If not, they run the risk of falling foul of both the law and transient customers who will be all too willing to take their business to organizations where consumer data privacy is the number one concern.

For more information on how Aptean can help with data privacy compliance, contact us; we'd love to talk.