The California Consumer Privacy Act, which came into effect on Jan. 1, 2020, requires businesses to categorize personal information so it can be easily found and communicated in response to customer data use requests.
While CCPA is not as strict as the EU's GDPR, both are based on the same principles of data visibility, transparency and accountability. And, though CCPA only applies to entities that do business in the state of California or collect data on Californians, it's unlikely there are many businesses not affected by this new legislation. Moreover, additional privacy legislation is likely to be passed in the coming months and years; it would be prudent for organizations to revisit their data discovery processes now to stay ahead of the curve.
CCPA: Redefining personal information and its collection
The CCPA's definition of personal information goes well beyond data that can be obviously associated with an identity, such as name, date of birth or Social Security number -- data collectively known as personally identifiable information. CCPA encompasses data that identifies, relates to, describes, is capable of being associated with or could reasonably be directly or indirectly linked with a consumer or household. This could include indirect information, such as product preference or geolocation data. CCPA legislation also requires organizations to justify why they collect personal information and how they use it.
Creating such a broad range of personal information elements that are subject to CCPA privacy oversight has a major effect on how organizations collect and process consumers' data. Data discovery, particularly of indirect information, becomes a key compliance task. The need to protect data subject rights at scale requires a different approach to discovering and correlating data from the traditional application-only, IT-oriented starting point. It will require most organizations to rethink their data discovery and inventorying processes in order to get personal data sprawl under control. This will help companies have an accurate picture of whose data they have, where it resides and how it is being used. Although CCPA doesn't explicitly require a personal information process inventory, GDPR does, and it's a sustainable and practical approach to achieving accountability and maintenance.