The US’s California Consumer Privacy Act (CCPA), in effect since 1 January 2020, has drawn many comparisons with Europe’s General Data Protection Regulation (GDPR), in effect since May 2018.

Both regulations set limitations on how companies deal with customer data, giving customers greater privacy and control over how their data is used. Owing to the similarities between these regulations, US companies have been, and still are, looking to Europe for lessons learned from navigating GDPR compliance to help with their own CCPA compliance initiatives.

As an identity management software vendor with customers throughout Europe, Ubisecure has been at the forefront of several projects enabling GDPR compliance – working with organisations on systems security and giving consumers greater control over their own data, often within complex IT environments. From this perspective, here are a few lessons that we’ve learnt along the way to help you with your own CCPA compliance projects.

Start ASAP and continue evaluating your CCPA compliance

The IAPP-EY Annual Governance Report 2018, released seven months after the GDPR came into effect, reported that “fewer than 50% of survey respondents report they are ‘fully compliant’ with the GDPR”. At a similar point in time, six months into CCPA, one survey reported that just 14% of respondents were fully CCPA compliant. So, if you’re reading this blog because you’re panicking about not being CCPA compliant, you’re not alone.

However, you should start your compliance project now. As of 1st July 2020, the CCPA is being enforced and you can be fined for not complying. At the time of writing, in late July 2020, there have been no (public) CCPA fines, but if GDPR is anything to go by you can expect them to start soon. Fines were similarly slow to appear immediately after GDPR enforcement began, but are now a regular occurrence, with the largest proposed to date being the British Airways penalty of $229 million. (Update Oct 2020: given the current economic struggles of the aviation sector, among other considerations, the UK’s Information Commissioner’s Office reduced this fine to $25.8 million – still a significant penalty, and one that brought another round of media speculation.)

But what about organisations that are CCPA compliant? Well, aspects of both regulations and how they work in practice may not be felt until they are in full swing, meaning that companies may feel they are compliant now but will need to continuously adapt to stay that way. You’re never really “done” with GDPR or CCPA compliance…

Keep coming back to CCPA compliance

On that note, it’s important to keep talking about CCPA. It has become second nature to us to talk about GDPR with every new IT or marketing venture, both for our clients and for ourselves. CCPA compliance must also be a key condition for every new solution.

Further, while CCPA may be permanently on your radar, colleagues outside the obviously ‘relevant’ departments (IT security, marketing etc.) will find it easier to forget new procedures, and keeping the conversation going will be a good reminder for them not to slip up.

And it’s not just businesses for whom CCPA will be front of mind – consumers are getting more and more knowledgeable about their rights and will criticise brands (often publicly), or stay loyal to them, based on how they handle data and privacy. This is particularly the case since COVID-19 contact tracing procedures have attracted attention globally, with their privacy implications under scrutiny. So it’s in your interest as an organisation to remain CCPA compliant, not just to avoid fines but to stay competitive as well.

Think of the positives

If CCPA compliance feels like a massive chore and something you’re doing just to avoid a non-compliance fine, try to think of it as the perfect time to review your IT architecture and implement data best practices.

Lots of organisations that we’ve spoken to found that the GDPR was an excellent excuse to review data silos and update their IT systems. Both CCPA and GDPR are positive steps to be able to maintain trust in digital business and really just formalise best privacy practices that we should all be following anyway.

Further, the steps you take towards CCPA compliance will likely create far more efficient operations in the process, giving a better user experience and reducing the risk of a data breach – it’s really a win all round. The threat of a non-compliance fine is just another point to get buy-in from your CFO!

Customer Identity and Access Management (CIAM) is key

Just before GDPR came into effect, we conducted a survey amongst enterprises in which 50% of participants said achieving GDPR compliance without CIAM would be “impossible”. The same applies to CCPA – CIAM, data privacy and data protection go hand in hand. CIAM authenticates an individual’s claimed identity and authorises what that individual may access within online services, and it covers a wide range of capabilities that directly support data security and privacy by design.

A few examples of those capabilities:

  • Consent management – allow users to manage their own consent related to their data and increase transparency around their current settings.
  • Self-service account management – enable users to set their own privacy settings and communication preferences, plus any other account settings relevant to your service.
  • Directory integration – link the identities from your online service with your CRM to create a single, centralised view of the customer, making it much easier to show the customer (automatically or manually) everything you know about them if they ask, and to delete that data if they request to be forgotten.
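To make the three capabilities above concrete, here is an added illustration in Python (example code written for this post, not Ubisecure’s product or any real CIAM API). It assumes a hypothetical append-only consent ledger, a common `export`/`erase` interface that each data silo (CRM, web application, etc.) implements, and a request handler that fans a “show me everything” or “forget me” request out across every registered store. The subject IDs, purposes, policy version strings and store contents are constructed sample data. Two points it shows that the bullets alone do not: consent is recorded as history rather than a single flag, so both the current setting and the change trail are available, and an erasure is only reported complete after every store is re-checked.

```python
"""Added example (not Ubisecure code): consent ledger + data-subject request fan-out.
All class names, purposes, policy versions and records are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Protocol


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # e.g. "marketing_email" or "sale_of_data" (constructed)
    granted: bool
    policy_version: str   # which privacy notice the user saw when deciding
    recorded_at: datetime


class ConsentLedger:
    """Append-only record of consent changes. Keeping every event, not just the
    latest flag, lets you show a user their current settings AND prove when and
    under which policy version they changed them."""

    def __init__(self) -> None:
        self._events = []

    def record(self, subject_id, purpose, granted, policy_version, at=None):
        ev = ConsentEvent(subject_id, purpose, granted, policy_version,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def current(self, subject_id):
        """Latest decision per purpose, replayed from the event history."""
        state = {}
        for ev in self._events:          # insertion order == chronological order
            if ev.subject_id == subject_id:
                state[ev.purpose] = ev.granted
        return state

    def is_permitted(self, subject_id, purpose):
        # Default deny: a purpose the user never consented to is not permitted.
        return self.current(subject_id).get(purpose, False)

    def history(self, subject_id):
        return [e for e in self._events if e.subject_id == subject_id]


class DataStore(Protocol):
    """Interface each silo must implement to take part in subject requests."""
    name: str
    def export(self, subject_id: str) -> dict: ...
    def erase(self, subject_id: str) -> int: ...


class DictStore:
    """In-memory stand-in for a CRM, web-app database, analytics bucket, etc."""
    def __init__(self, name, rows):
        self.name = name
        self._rows = dict(rows)

    def export(self, subject_id):
        return dict(self._rows.get(subject_id, {}))

    def erase(self, subject_id):
        return 1 if self._rows.pop(subject_id, None) is not None else 0


class SubjectRequests:
    """Fans a right-to-know or right-to-delete request out over every store
    registered against the central identity."""
    def __init__(self, ledger, stores):
        self.ledger = ledger
        self.stores = list(stores)

    def access_report(self, subject_id):
        report = {s.name: s.export(subject_id) for s in self.stores}
        report["consent"] = self.ledger.current(subject_id)
        return report

    def erase(self, subject_id):
        removed = {s.name: s.erase(subject_id) for s in self.stores}
        # Re-check every store before telling the user it is done; a silo that
        # silently fails to delete must surface here, not be reported as erased.
        leftovers = [s.name for s in self.stores if s.export(subject_id)]
        if leftovers:
            raise RuntimeError(f"erasure incomplete in: {leftovers}")
        return removed   # the consent history is kept as an audit trail (design choice)


def demo():
    """Constructed walkthrough: consent granted, later opt-out, access, erasure."""
    ledger = ConsentLedger()
    ledger.record("u-17", "marketing_email", True, "privacy-v3")
    ledger.record("u-17", "sale_of_data", True, "privacy-v3")
    ledger.record("u-17", "sale_of_data", False, "privacy-v4")   # user opts out
    crm = DictStore("crm", {"u-17": {"name": "Ada", "tier": "gold"}})
    web = DictStore("web_app", {"u-17": {"last_login": "2020-07-20"}})
    req = SubjectRequests(ledger, [crm, web])
    report = req.access_report("u-17")
    removed = req.erase("u-17")
    return ledger, report, removed


def erasure_failure_demo():
    """A store whose erase() does nothing must make the request fail loudly."""
    class StuckStore(DictStore):
        def erase(self, subject_id):
            return 0   # claims success-by-silence, removes nothing
    req = SubjectRequests(ConsentLedger(), [StuckStore("legacy_db", {"u-1": {"x": 1}})])
    try:
        req.erase("u-1")
    except RuntimeError as e:
        return str(e)
    return "no error"
```

The access report is exactly the “show the customer everything you know about them” output, assembled from the central identity rather than by emailing each team; the erase path refuses to confirm until every silo is verifiably empty, which is the failure mode most deletion workflows get wrong.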

Conclusions

More than two years since the GDPR came into effect, it is still a hot topic in the identity industry and we’re likely to see CCPA follow the same pattern. It’s not just hype – it’s here to stay. And remember, if you’ve tackled compliance to GDPR, it doesn’t necessarily mean that you’re compliant to CCPA. There are plenty of differences between the two regulations – a topic for another blog post!

Ubisecure has been providing CIAM since 2002 and has a wealth of experience helping our customers to achieve their compliance goals. Our CIAM solutions can be deployed as IDaaS (SaaS-delivered IAM), private cloud or on-premises, to suit your business needs and get you CCPA compliant ASAP. Let us know if we can help.