Don’t panic at the prospect of being held accountable for the consumer data you collect, manage, store, or share. But, don’t ignore the law, either. It’s the leading edge of the data privacy and transparency movement that is spreading across the United States and might someday lead to federal legislation. (More on that later in this post.)
Here are 10 steps to take to adjust for CCPA.
1. Treat every customer as if she/he is a California resident.
We hear from many marketers that they don’t have location data on their customers, so they don’t know who’s covered by the law. Our response: Treat everyone as if they’re from California, especially because many other states are passing similar laws.
Typically, we have found that companies have more information than they realize. Look for information such as when, where, and how customers opted in; IP addresses; web form locations; and other data that their behavior generates, as well as any preference data showing location.
2. Add an opt-in form that can serve up different versions to accommodate local requirements.
For example, a form could request each subscriber to indicate country of residence. The form could present a request for an explicit opt-in from residents who say they live in EU countries, Canada, or other places where data laws require a positive action.
Or, revise the opt-in form to require an explicit opt-in from every subscriber (e.g., an unchecked checkbox that says “Yes, please send me email messages from your company”).
3. Map data.
When we work with clients, we look at how they map their data. A marketer might use a WordPress site to collect data, or an ESP web form. That system then synchronizes information from the CRM system over to the ESP or marketing automation program.
We will then analyze and map the data from the CRM to a billing system. Knowing how they map information and where it goes helps companies comply with the law’s “right to be forgotten.”
4. Create a Privacy Impact Assessment (PIA).
A PIA helps companies understand where their data flows and how they map the data. We work with companies, clients, and prospects on data mapping and PIAs. They reveal vulnerabilities and compliance gaps with CCPA.
As part of this process, we look at multiple databases, products, and applications, and how they collect, share, sell, and grant access to consumer or customer data.
5. Review third-party contracts and vendors.
People often overlook this area in data and privacy compliance. Lots of marketers have third-party contracts with vendors to store data in their data centers or share their data for surveys or analytics.
We look at those contracts to see what the vendors are doing with the data. Review all contracts now to see if the third-party vendor is up-to-date with CCPA’s provisions. Use this information to decide whether or not it would cause trouble to give data to that vendor.
6. Create an in-house privacy/compliance roundtable.
The marketing department isn’t the only one that has to comply with CCPA, GDPR, CASL, and other data laws. Take the lead, and bring reps from Marketing, Sales, Legal, Privacy, and IT to the table so everyone can learn about the law, share information, and understand how other departments collect, store, and share data.
Make each member of the roundtable responsible for one part of the process: locking down the database, updating data-collection forms, or changing data acquisition processes. All participants should be assigned certain responsibilities and told what specifically they need to recommend for compliance.
7. Seek allies in IT to get in front of a data breach.
For many companies today, data breaches aren’t a matter of “if they happen” but “when they happen.” No matter how carefully a company safeguards data, always prepare for the worst.
Marketing and IT often have a contentious relationship. But, if a breach happens, these two departments will be the company’s first line of defense in complying with legal notification requirements.
Know how the data is being watched. Monitor log files, watch third-party systems for breaches, and be sure everyone on the privacy roundtable knows the procedure and whom to contact if the unthinkable occurs.
8. Find out where the needed information is located.
Assign this function to members of the privacy/compliance roundtable. Functions can include tracking down and listing locations and people responsible for policy and procedural manuals and for databases of consumer information, whether they’re on-site or stored in cloud-based systems.
9. Prepare for the “right to be forgotten.”
This section of the law allows California residents to request that companies delete certain categories of their personal data and requires them to notify residents that they have that right. A similar provision is also a key element of GDPR.
But, as noted earlier, companies can retain some personal data that falls into protected categories. Know what data you are entitled to retain and how deleting data that is eligible for removal could interfere with business processes or databases.
Then, create a process to handle these requests.
Adopt a multiple-channel approach. Allow consumers to contact you by phone, in person, via email, or through a web form. Create a guide in both print and digital formats to explain the law, the consumer’s rights, and how to request removal.
Don’t forget customer-facing teams, either, including the customer-support and in-store personnel. Write and test scripts to handle questions, concerns, and complaints.
To provide transparency, use guides and scripts to explain procedures and how long it will take to remove the data. Run everything past the legal, compliance, sales, and IT reps on the privacy roundtable to make sure everything is accurate.
10. Stay tuned for changes, updates, and new legislation.
We’re keeping our eyes on CCPA and other laws, including amendments that could change the law’s definitions, requirements, and scope. See the next section on potential changes, and sign up for blog updates to get the latest news.
Also, contact us to see how we can help audit your data gathering and management practices to reduce exposure to violations. Our experts can create a Privacy Impact Assessment Report and assist in an overall gap analysis.