First, it is now well understood that the CCPA* mandates strict requirements for companies to notify users about how their data will be used, along with giving customers the ability to “Opt Out” and request that their data be deleted, mirroring some of the primary aspects of the EU GDPR legislation known as the ‘right to be forgotten.’
I was reading a recent article from ThreatPost entitled “California’s Tough New Privacy Law and its Biggest Challenges,” and I realized that this article brought up something that I was thinking about even before the California Consumer Privacy Act (CCPA) was enacted at the beginning of this year (2020).
*CCPA applies to companies that are storing 50,000+ records' worth of consumer data.
The interesting part is that companies may have quite a hard time keeping track of the actual stored location of the user data that they initially collected.
The example cited in the article is the difficulty of tracking data that has been collected and then placed in a database, or even given to a third party to carry out a marketing campaign. It may be a marketing database or just a one-month-long program that offered some kind of special promotion to encourage people to register; once the campaign is over, the data is hard to find, especially the older it is.
There are likely to be many such cases: consumer data does not typically carry sophisticated tracking, so it will be difficult to prove compliance when the legislation demands it. Businesses will be expected to show:
1. How consumer data is going to be used
2. How consumer data is going to be protected while being used
3. How consumer data will be deleted
4. Proof of all the above
Ultimately, how well a company tracks the data it collects, along with the associated processes and procedures to prove that these activities are being performed, will dictate its success or failure in complying with the CCPA.