Do you do business in California? Do you do business with anyone who lives in California? Have you ever heard of this place called “California,” or seen it on a map?
If you answered “yes” to any of these questions and meet certain other criteria (more on this later), you may be subject to a sweeping new data privacy regulation targeted for the first half of 2020: The California Consumer Protection Act, or CCPA.
CCPA in a Nutshell
Although then-Governor Jerry Brown signed CCPA into law in June 2018, it requires the state’s Attorney General to formulate and publish specific regulations to support the law between January 1 and July 2, 2020. So although the law is technically in force, the specifics of its implementation will be a moving target for several more months.
What we know is this: It applies to for-profit entities, regardless of physical location or where they are incorporated, who do one or more of the following:
- Generate annual gross revenue of $25 million
- Annually receive or share personal information on 50,000 or more California residents
- Derive at least half of their revenue by selling California residents’ personal information
What constitutes “personal information?” It’s everything you would normally think of: names, addresses, Social Security numbers, account numbers, and other data that can be linked to an individual. Significantly, the law also includes data that could identify a household, as well as “unique personal identifiers,” such as device MAC addresses, IP addresses, and other online identifiers.
If this all sounds familiar, it is: CCPA is similar in many ways to the European Union’s General Data Protection Regulation (GDPR), and the approaches to compliance are similar as well. Businesses subject to either law need to be able to show that their customers’ data is protected and that no personal information exists outside the protected databases.
In a large organization, this can be a nightmare because many large organizations don’t really know their data landscapes—where the data exists, what it contains, where it came from, or where it goes. Personal information could be lurking anywhere, and you need to find it and protect it before some auditor (or criminal) finds it.
In the past, this would have meant a massive, manual (and incidentally, often error-prone and incomplete) review of all of a company’s data, which is hard enough when you aren’t constantly adding data and data sources. Moreover, without robust metadata management, your data is likely in really poor shape. In real life, it’s akin to finding a needle in a haystack—a haystack that keeps getting more hay (and more needles) dumped on it.
The smoothest way forward in this environment is with automation – automated metadata management to be precise. Automated metadata management, automated data mapping and data lineage relieve your BI team of the tedium of manually searching for and cataloging all of your data. This reduces a potentially months-long process to days or even hours. The insights gained from automated data mapping enable you to confidently characterize your data and make sure all the personal information you collect is appropriately protected.
Even if your company doesn’t do enough business in Europe to worry about GDPR, you may do enough in California to fall under CCPA. Now is the time to get a handle on your data. Once the final regulations are published, compliance will require you to know and understand your data landscape quickly.
Automating your metadata management will turn a huge, tedious, painstaking compliance project with no end in sight into a manageable one with easily met deadlines.