Please, anything but regulations. John wished the “figure it out” part of his brain could be focused on more energizing stuff like:
- Commercializing new products and services
- Strategies to increase their share of customer wallet
- Customer-specific sales strategies
- Options to add value and differentiate from competition
- Or really just about any topic other than anticipating how his external market reality will change due to information privacy regulations
The privacy dominoes have been falling, and now the question is “what’s next?”
As a revenue-side executive in an SME (small and medium-sized enterprise), John Horace is focused on business results and increasing the valuation of the enterprise. He knows he can impact valuation by improving the business results and specifically increasing cash flow, but also by reducing risk. In many ways, the California Consumer Privacy Act (CCPA) and other recent consumer privacy and cybersecurity developments represent risks to the enterprise if not handled effectively. There are plenty of examples, such as Yahoo, Equifax, Target, TJX, Uber, Home Depot and Facebook, of companies that mishandled personal information and lost significant market valuation. John does not want his firm to join this list.
His recent executive team meeting on the recently passed CCPA was productive. They avoided getting too deep on the details and stayed focused on the “So What” of the law. The effective date of 1/1/2020 is now fewer than 500 days away, so they don’t have much time to identify, plan, implement and effectively execute on significant change in the way they do business.
The discussion topics for the executive team meeting were focused. John has learned from his business performance coach to frame questions to stimulate productive discussion rather than leading with statements. His three questions for the recently held executive meeting were focused on the impacts of the regulation, rather than the regulation itself:
- Based on what we have observed from competitors, and potential competitors in response to the European Union’s General Data Protection Regulation (GDPR) and other info privacy and security dominoes that have fallen, in what ways do we expect the competitive environment to change over the next 500 days leading into 1/1/2020 and beyond?
- In what ways do we anticipate our user and consumer expectations to change as a result of the changes in the regulatory and privacy environment, and the resulting changes made by companies in response?
- In what ways do we anticipate our suppliers and vendor partners will be affected by the CCPA and any other external event, and how will that impact our product line, our service and support, and how we operate? What gaps or exposure should we plan for?
The discussion was lively, but only an initial step. The team will revisit these three questions many times over the next 500 days. Specific action items were noted and assigned to the responsible executive with completion dates for follow-up. John has one action item, but it is a biggie – basically, given CCPA and the 1/1/2020 effective date, what do we anticipate are the next information privacy dominoes likely to fall as a result? As he begins to define the task John makes some notes on his jotter:
- The CCPA will apply only to California consumers, but the complexity of handling personal data by state will likely drive most firms to design for the most demanding condition, and in this case, it is California. Observation of the actions of major global companies in response to the GDPR reinforces this conclusion.
- There is a recent track record of California leading the way on regulation, and other states or even the federal lawmakers or agencies following by adopting similar laws, with email spam as an example.
- The CCPA could add pressure to pursue a national regulation, especially after the GDPR went into effect in late May and increased awareness that there is no comprehensive federal information privacy regulation in the U.S.
- The global criticism of the U.S. sector-based privacy approach – regulations by industry sector such as health care, financial services, and education – increased significantly in reaction to the Facebook missteps.
- Recent articles in the Washington Post reported the White House holding numerous meetings with interested parties on all sides of the issue to gather input on what a national regulation may look like. Three objectives were identified:
  - Avoid a situation where various states follow California with their own laws, creating a complex business environment
  - Interest in being less aggressive than the GDPR by recognizing the benefits of data
  - Desire for a law that preempts state law, meaning the federal law takes priority over state law
As John looked at this list he was reminded of the efforts of the Obama administration to get out ahead of the information privacy challenge with the Consumer Privacy Bill of Rights in 2012. In retrospect this would have been extremely helpful, but the timing was simply off. Given the way the dominoes have been falling, especially with the GDPR and CCPA making a huge impact in 2018, and of course the Facebook missteps, the external reality is very different now. He needs to think through the impact of the upcoming mid-term elections and the unpredictability of the executive branch on the ability of Congress to prioritize and pass a national information privacy regulation, but it appears the incentive and downside risk of not acting may actually combine to make something happen. John is suddenly excited to discuss his action item with the executive team, and as usual he will do it in the form of a series of questions:
- Based on what we can observe in reaction to GDPR and now CCPA, how should we “connect the dots” to help our business anticipate the next dominoes to fall?
- Based on the outcome of our connect the dots work, in what ways will our business be impacted? Clients. Suppliers. Competition. Product. User Experience. And much more.
- Based on how we think our business will be impacted based on what we know now, what actions should we take immediately to position ourselves to make fact-based decisions about an uncertain future event?
John knows this discussion could go off the rails quickly given the uncertainty involved, so his facilitation skills will need to be on point. The goal is to get the team looking “outside-in” to gather more “dots” that can be connected, or disregarded, later. Just the external facts at this point. The team knows the outside-in drill for the fun stuff like competitive analysis, product positioning & strategy, and distribution channel strategy, but this regulatory stuff requires some new thinking and some new resources. Time to raise our game.
Action Steps:
- Expand the “outside-in” thinking in your firm to begin collecting more “dots” to connect later.
- Identify new resources to monitor and access to ensure you are positioned to be proactive, rather than reactive, in the coming 500 days.
- If deep expertise on information privacy is needed, please engage your regulatory and compliance teams, with specialists such as #TrustArc and Daniel Solove’s #TeachPrivacy as additional resources.
- For more information or to start a discussion please visit my website at https://daviddillon.focalpointcoaching.com/.
Note: this is the second of a series of short business vignettes posing questions to consider regarding factors in the external environment that may affect a business. I am simply an independent business owner and business performance geek who is very curious about how the intersection of regulations, risks, competition, clients and other external realities affects revenue and growth initiatives. I am trying to have some fun with it along the way.
David J. Dillon, MBA
Certified Business Performance Coach
Certified Information Privacy Technologist (CIPT)
Certified Information Privacy Professional (CIPP/US)
Licensed Property & Casualty Insurance Agent