The cabin door was now closed. This is always his favorite time for deep thinking about the big things on his plate. From now until they reach ten thousand feet and the laptop comes out he needs to make some real progress on the date that has been on his mind for weeks – 1/1/2020.
He was appreciative that his colleague forwarded the #TrustArc webinar link, but being on that webinar made it real – the State of California recently passed the California Consumer Privacy Act of 2018, or CCPA, on June 28 at an unprecedented pace, and it will become the toughest consumer privacy law in the U.S. in just over 500 days. It will provide California consumers broad rights about how their data is collected, used and sold or disclosed, and therefore significantly change the data management practices of companies that serve them. It also significantly broadens the definition of “personal information”. For many companies, this is a real “game-changer”.
The dominoes have been falling for a while – Yahoo, eBay, Equifax, Target, Heartland Payment Systems, TJX, Uber, JP Morgan Chase, Home Depot and even the US Office of Personnel Management are among the headliners. He cringed when he thought of the market valuation, and terminations, that resulted from those events. Then just this year we have a series of events:
- The Cambridge Analytica and Facebook mess
- The embarrassing questions and testimony on Capitol Hill by Mark Zuckerberg
- The European Union implementation of GDPR in late May
- Zuckerberg in front of European regulators
- And now the California Consumer Privacy Act
This is all in addition to all the cyber activity, hacking and threats on the upcoming elections. The pace and stakes in this game of dominoes are both increasing rapidly.
He is a revenue-side executive in an SME – small and medium-sized enterprise, not a compliance or regulatory guy. He has always prided himself on being plugged into the external factors that affect his business, but this California law came on very quickly. Apparently the alternative floated as a November ballot proposal was far tougher, so a hard deadline drove the rapid pace. Regardless, his job is to define his new reality and position his business to deal with it. In addition, he wants to look to the future and anticipate the next dominoes likely to fall in response to the CCPA.
They are seventh in line for takeoff, so he has more time than usual before the laptop comes out for the “real” work. He pulled out his jotter and pen. He has pulled the executive team together tomorrow morning and he needs to prepare for a focused discussion.
He has seen the specifics of CCPA, and the comparisons to GDPR. The #TrustArc webinar and Daniel Solove’s #TeachPrivacy were really helpful in laying all that out in plain English. He will rely on his compliance and regulatory resources for all the specifics, but his focus is to anticipate the impact of the regulation, rather than the regulation itself. It will not be helpful to get wrapped around the axle at this point on the details, as much has to be worked out over the coming 500 days, but the big-picture stuff will lead to changes in the external reality facing his business, and he is determined to position the business to succeed in the new reality.
The CCPA is clear on applicability: a business that receives, directly or indirectly, personal information from California residents needs to meet only one of the following criteria to fall under the law:
- Businesses with annual revenue of at least $25 million
- An entity that receives the personal information of 50,000 or more California consumers, households or devices.
- Businesses that generate the majority of their annual revenue from selling personal information about California consumers.
Even though his business is not “applicable” now, they should be at some point. But the more he thinks about it, he realizes it probably doesn’t really matter. Even if they are never applicable under the CCPA, the external reality for his business is going to change because of the regulation, so they had better anticipate and adjust.
He thinks that CCPA will be much more impactful than GDPR because the significance of the California market will require many more companies to make changes to comply or face increased risk. This will change the game for his clients, potential clients and ultimately consumers. Even if the CCPA is not directly applicable to his business, yet, the impact of the law will change his external reality in major ways.
He starts making some notes on his jotter:
- Internal – UX impacts, workflow changes, software changes, testing, audits, friction costs, new processes to manage, compliance, etc.
- Competitive Environment
- Clients and Consumers
- Supplier and Vendor Partners
- Ecosystem Changes
- Other Regulatory Changes
They were now finally in flight so his “deep thinking” time was short, and he needed to focus on specific questions for his executive team meeting tomorrow. He learned from his #FocalPoint business performance coach to use a series of questions, rather than statements, to drive team discussions, and tomorrow will be no exception. To maintain a crisp discussion, he typically covers only two or three impact items and goes deep, but with a timebox. From the bullets in his notes above he circled three – competitive environment, clients and consumers and supplier and vendor partners, and started to frame up some questions:
- Based on what we have observed from competitors and potential competitors in response to GDPR and the other info privacy and security dominoes that have fallen, in what ways do we expect the competitive environment to change over the next 500 days leading into 1/1/2020 and beyond?
- In what ways do we anticipate our user and consumer expectations to change as a result of the changes in the regulatory and privacy environment, and the resulting changes made by companies in response?
- In what ways do we anticipate our suppliers and vendor partners will be affected by the CCPA and any other external event, and how will that impact our product line, our service and support, and how we operate? What gaps or exposure should we plan for?
There is much more they need to get on the table and collaborate on, but his track record is pretty poor when it comes to trying to tackle too much at one meeting. Besides, they will need to think and discuss these three questions many more times as 1/1/2020 approaches. We need progress, not perfection.
The two-ding signal indicates they are at “laptop altitude” so he needs to shift gears, but he plants a seed for his subconscious mind with “what else should I be thinking about on this topic?”
- Begin the discussion inside your firm – in what ways will your external reality change due to the information privacy dominoes in the 500 days leading up to 1/1/2020?
- If deep expertise on the California Consumer Privacy Act is needed please engage your regulatory and compliance teams, with specialists such as #TrustArc and Daniel Solove’s #TeachPrivacy as resources.
- For discussion in anticipation of the business impact of the CCPA please contact me at email@example.com or on my secure website at https://daviddillon.focalpointcoaching.com/
Note: this is one of a series of short articles posing questions to consider about factors in the external environment that may affect a business. I am not an attorney, just a small business owner and business performance geek who is very curious about how the intersection of regulations, risks, competition, clients and other external realities affects revenue and growth initiatives.
David J. Dillon, MBA
Certified Business Performance Coach
Certified Information Privacy Technologist (CIPT)
Certified Information Privacy Professional (CIPP/US)
Licensed Property & Casualty Insurance Agent