Disclaimer: No content herein should be considered legal advice – consult your own legal counsel to determine your legal strategy.
GDPR and CCPA are just the beginning. Businesses should plan for more data privacy regulations to come in the near future.
It’s been over a year since the European Union’s General Data Protection Regulation (GDPR) took effect and more than 95,000 EU citizens have filed complaints related to their data privacy, mainly related to telemarketing, promotional emails, and video surveillance. This sustained consumer focus on data protection and privacy, combined with businesses’ ever-increasing reliance on personal data, past high-profile stories on unauthorized data collection and usage, and out-of-date data laws, continues to spur more legislation and regulation across the globe.
The most recent bill, the California Consumer Privacy Act (CCPA), goes into effect January 1, 2020 and acts as the next major movement in the growing landscape of data privacy. CCPA affects large organizations (with annual revenues of $25 million or higher) that do business in California and gives Californian consumers (customers and prospects) rights, including:
- The right to know and access their personal information being collected.
- The right to know whether that info will be sold (and to whom).
- The right to say no to the sale of that personal info, and the right to request deletion of any personal info collected.
More information on the intent of the regulation can be found here.
With the clock ticking, businesses are rushing to come up with sound strategies to institute the operational capabilities necessary to comply with the CCPA and demonstrate adherence. Not only that, CCPA won’t be the last piece of data privacy legislation – in fact, it’s likely the first of many. Just like the E.U., consumers in the U.S. are looking for more transparency into and control of their personal data. In the absence of an overarching federal regulation, U.S. states are taking initiatives to pass their own individual data privacy laws, which will create a varying and complex compliance environment for businesses.
The smartest technology strategy in this shifting regulatory environment is to implement processes that immediately address CCPA requirements and can adapt and scale to support future regulation.
Don’t assume that you’ll be able to manually address all regulatory inquiries. One request could require data collection from a dozen different apps and systems of record, leading to a strain on resources. A simple ticketing system won’t be sophisticated enough to manage differing requirements unique to each state’s laws. And bespoke, customized applications are impractical from an enterprise systems management standpoint.
The best and most cost-efficient approach to future-proofing your compliance operations is to implement a single, cohesive technology solution that can orchestrate compliance processes while also allowing for specialization and modification as the regulation landscape changes. Essentially, businesses should consider a system to manage their systems. A digital platform that enables reuse, dynamic case management, process orchestration, automation, and audit capabilities provides the backbone for closing the gaps in your compliance technology strategies. It allows critical tasks to work in concert, helping businesses to initiate, track, report on, and automate (when possible) inquiries.
The ability to reuse components is also an important function in the various processes necessary for compliance adherence. For example, regardless of state or country of origin, data compliance regulations are likely to include baseline actions for collecting consent, accepting and tracking inquiries, verifying customer information, collating individual customer data from multiple sources, distributing data to a customer, and keeping auditable reports. By leveraging component reuse capabilities, businesses can build out common rules and processes, and then include additional rules and functions unique to each new regulation. This reuse capability helps businesses quickly build out differentiated closed-loop processes that can be managed from end-to-end.
Remember, CCPA and other data privacy regulations are customer engagement issues that can directly impact your revenue.
CCPA doesn’t only expose your business to risk. It also has a direct impact on your bottom line. If a business does not comply with a verifiable request from a consumer within 45 days, it can face penalties for non-compliance – up to $7,500 per customer per violation (with no ceiling) – as well as $100 to $750 per consumer for each incident of unauthorized access and exfiltration, theft, or disclosure. And with each consumer having the ability to exercise their rights twice a year, your business could be on the hook for a significant amount of lost revenue. But the impact on revenue goes beyond regulatory non-compliance fines.
More and more, data – which was once an asset owned by the business – is becoming the property of the individual. And these new regulations give customers the power to decide how their individual data is used … or not used at all. That means a customer could decide they want a business to erase their personal data, making one-to-one marketing models and AI-based personalized engagement more difficult. Or a customer could completely lose faith and choose not to do business with a company ever again. This of course means a direct impact to customer lifetime value (CLV) and your business’s own bottom line.
In a Pega survey, 45% of consumers said that they would request complete erasure of their data if they found out a business was selling or sharing their data with a third party. In this new regulatory environment, the behavior of the business counts. Each customer engagement becomes an opportunity for a business to maximize the use of the data that they do have, reassure the customer that the information they are collecting is secure, and demonstrate that collected data is being used for relevant purposes.
Bottom line – use the budget and resources you have right now to take on the CCPA and get ahead of future regulations.
In this new regulatory environment that is already becoming increasingly complex, it’s likely that your business is already allocating budget, time, and resources to solve for the CCPA. But, don’t make the mistake of just solving for this one piece of legislation. When taking on the CCPA, the key to success will be getting the bedrock in place that will help you solve for risk and revenue readiness as well as address any legislation that comes next. Using this multi-dimensional approach, you will avoid having to reinvent and repurchase again. With a system that is built for variations and permutations, you’ll be able to achieve scalability across the enterprise.
If your business sets the right technology strategy, this new era of data regulation can become your opportunity to support future business, deepen customer trust, and drive revenue.
- Watch this PegaWorld presentation to get more detailed insights on planning for CCPA and other regulations.
- View our webinar on how to future-proof your CCPA strategy.
- Download the whitepaper, “CCPA: Risk, revenue, and reward,” for info on a cohesive strategy to address revenue growth in an environment of compliance.
- See sample case type configurations for CCPA and GDPR.
- Discover how digital process automation supports end-to-end management of complex processes.
- Read more from Jeff Nicholson on CCPA and shifts in the privacy landscape.