Is your data toxic or clean? How to prepare for CCPA
The CCPA is only a few months away from coming into effect, and most businesses are not prepared. Petabytes of consumer data currently rest in businesses' data science and analytics environments, and in many cases that data is being used for purposes beyond those for which it was originally collected.
All of this data is governed by the incoming CCPA, which will make it harder for enterprises to derive consumer insights and more expensive to operate. Worse, a single misstep exposes the business to class action lawsuits and reputational damage. As a result, most of the data sitting in data lakes and warehouses should be considered highly toxic from a CCPA compliance standpoint.
Toxic data will harm your business:
The CCPA imposes disclosure obligations and information-governance requirements. It will force most companies to overhaul their data systems to improve data discovery and access to information. While it is a leap forward for consumer privacy, the CCPA places a weighty burden on data-driven businesses. Not only must they justify and disclose every purpose for which consumer data is used, but they may not use personal information for secondary purposes beyond those disclosed at collection without first giving consumers notice, and consumers retain the right to opt out of the sale of their data and to request its deletion.
Under the CCPA, each violation carries a civil penalty of up to $2,500, or up to $7,500 if intentional, enforceable after the business has been given notice and a 30-day opportunity to cure. In addition, consumers whose data is exposed in a breach caused by a failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident. This means that in the CCPA era, a business with 10,000 affected customers faces up to $7,500,000 in statutory damages from a single incident. That genuine possibility could severely harm the bottom line.
Given the cost of error, personal data in the CCPA era, and especially data that has been repurposed beyond its original collection, should be treated as toxic: it carries significant business, operational, security, and compliance overhead. The good news is that there is a way to clean the data and take it out of scope for CCPA governance: defensibly deidentify it.
Cleaning consumer data:
Under the CCPA, consumer data used for additional purposes such as data science and analytics can be treated as out of scope once it has been deidentified in the way the statute defines: the information cannot reasonably be linked, directly or indirectly, to a particular consumer, and the business has implemented technical safeguards and business processes that prohibit reidentification, prevents inadvertent release of the deidentified data, and makes no attempt to reidentify it. To prepare for the CCPA, businesses should prioritize moving data from in-scope to out-of-scope through an automated, defensible deidentification system implemented at an enterprise-level, architectural point of control.
Under the CCPA, defensibly deidentified personal data is not subject to CCPA regulation. As far as the CCPA is concerned, this clean data:
- Is outside the CCPA's data-governance and security obligations (though the statute still expects technical safeguards against reidentification);
- Does not need to follow segregation of duties;
- Is not subject to breach notification requirements;
- Need not be produced in response to verifiable consumer requests;
- Can be used for any purpose without notifying consumers or offering them the opportunity to opt out;
- Does not entitle the consumer to opt out or to request that their data be deleted.
Maintaining identifiable personal information, or toxic data, under the CCPA will cost businesses millions every year. With an automated, defensible deidentification strategy readily available, there is no excuse not to act.
Businesses essentially have two choices: (a) retain toxic data and spend millions ensuring CCPA compliance, or (b) deidentify their data using privacy automation to take it out of scope for the CCPA. One option protects your brand and bottom line; the other is a mass of expensive regulatory complications and litigation exposure.