Becoming CCPA compliant: from 45 days to 45 seconds

Becoming CCPA compliant: from 45 days to 45 seconds

Set to come into effect on Jan 1 2020, the CCPA is just one of a series of proposed regulations intended to ramp up data protection measures across the U.S. over the coming years – much like Europe with its GDPR. With even more stringent bills expected in New York and Washington State, for instance, organizations need to implement a robust data unification plan now, to future-proof themselves from the data processing challenges that lie ahead.

One of the main challenges facing organizations in their quest for data compliance is how to efficiently handle CCPA requests, which can include access to a customer’s personal data, or deletion of that data. Under the CCPA, companies are required to respond to verifiable consumer requests within 45 days, or face hefty fines.

Using a data unification platform is our approach to help industry-leading companies break through their data silos so that analytics teams can quickly locate the customer data they need to be responsive. So let’s take a closer look at how teams can effectively unify their data as part of their preparations for compliance.

Understand how to manage CCPA requests

There are a number of stages involved in the process of managing CCPA requests, all of which rely on having access to the right data at the right time.

1. First, teams need to manage the influx of inbound data inquiries through various channels, such as web forms, telephone calls, or emails.
2. Then, they need to match the request to any data pertaining to that customer profile, which could be held in any number of silos across the company. Once located, they need to take action on that data as requested by the customer.
3. Finally, they need to report back to the requestor, using plain language, explaining what data they hold and why; and what action they are taking with it.

Ultimately, it’s the responsibility of executive leadership and their analytics teams to ensure their staff can achieve all of this all within 45 days. Rather than conducting a bespoke search within each discrete information system for every CCPA request, leveraging a single query to identify all company systems where a particular user’s data resides can make this process far more efficient. In fact, it can streamline the response time from 45 days to 45 seconds. But how?

Implement a robust data unification strategy

Switchboard has developed and implemented a CCPA request strategy with a well-known publishing and education company, whose marketing team is responsible for the handling of CCPA requests. The team needs a single query that pulls all of a customer’s data together – from disparate locations such as Salesforce, relational databases, or log files – so they can respond to requests as quickly as possible.

The request strategy provides the team with the ability to:

• Identify exactly where customer data is located;
• Provide customers with a summary of the data they hold; and
• Safely delete customer data when requested

Let’s consider an example. A California resident asks the company to delete any PII (Personally Identifiable Information) from its systems or asks to know what data is held on them. The request comes in via a webform, which captures all required information such as first and last name, email address, telephone and address; as well as optional information such as any known IDs associated with their customer profile. Thanks to an automatically-curated, unified data warehouse, when the marketing team receives a CCPA request, it is able to confidently identify and audit all individual personal data across all relevant datasets using a single query.

With the help of Switchboard, the marketing team has ready-to-go queries that can easily scan their unified datasets, i.e. foundational data facilitated into Google BigQuery. Within a matter of seconds, the team receives a report on 1). Which rows contain data relating to that customer, and 2). Exactly where this data is stored within company systems and files.

What we’ve found is that teams can successfully use this real-time CCPA reporting method to verify consumer requests, inform relevant stakeholders, and perform the actions necessary to disclose and deliver information back to the consumer. Meanwhile, customer-facing teams should use it to respond quickly and succinctly to requests. For example: “we are currently holding your home address for billing purposes; 10 Google Analytics cookies that enable us to learn more about your account preferences; and a record of the e-newsletters we’ve sent you as a result of subscribing via our website”.

Future-proof for compliance

By implementing a data unification strategy ahead of the CCPA in January, this customer has been able to build a robust process for CCPA compliance going forward, without a major re-architecture of systems. While every company has different requirements and systems, our approach worked well for our customer’s situation. Under the CCPA, companies must respond within 45 days. But by using a powerful data unification platform – as our client is discovering – teams can now respond within 45 seconds.

Just like the GDPR, the CCPA is paving the way for a more transparent data ecosystem. The more organized and governed your data is, the less painful CCPA-compliance will be.