Does California’s Consumer Privacy Law Impact Chief Technology Officers More Than Chief Privacy Officers?
Alarmed C-Suite corporate executives in California are still trying to get their heads around California’s Consumer Privacy Act (CCPA). They aren’t bewildered because it’s confusing, but because it’s hard to implement. Since implementation falls within the purview of a “tech issue,” they’ve assigned this messy problem to their chief technology officers (CTOs).
Since Chief Technology Officers ostensibly drive computer innovations, spot emerging automation trends, or handle telecommunication infrastructure within an organization, they have become the new chief privacy officers (CPOs) tasked with figuring out CCPA compliance.
Disruption of Business as Usual
Governor Jerry Brown signed the California Consumer Privacy Act into law on June 28, 2018, and it went into effect on January 1, 2020. This piece of legislation disrupted business as usual for public and private organizations that store private consumer information. Under the California Civil Code, section 1798.100, the law would penalize organizations that fail to safeguard consumer information entrusted to their care.
Lawmakers argued that since personal information is a valuable asset, individuals, private companies, government agencies, and other entities could misuse this information and create a security risk called a data breach. In fact, a year after the CCPA was signed, legislators found the venerable California Department of Motor Vehicles guilty of a data breach. The DMV had not only exposed the Social Security numbers of 3,200 drivers to seven government organizations but had been doing it for four years.
Although the damage limit the law sets per person for each violation is $750, the violation penalty in particularly egregious cases could be higher.
Dark Data’s Shadow
Theoretically, the work of complying with a law that oversees how an organization manages consumer privacy issues should fall to the chief privacy officer (CPO), but the emergence of big data has made the task too monumental for that corporate officer to manage.
When data collection was less sophisticated, a privacy professional versed in risk management of personal information regulations could rely on manuals, statistical reports, Excel charts and staff meetings to ensure that an organization conformed to consumer protection laws.
Now the situation is different. Technology has made it easier to collect, store, and distribute all kinds of data: large and small, qualitative or quantitative, relevant or peripheral.
Today, data has undergone a frightening transformation. It has not only exploded in magnitude but now also changes at a faster rate.
In fact, data has morphed into a monster. Technologists now refer to it as dark data, analogous to dark matter in astrophysics. This is information companies collect as part of doing business each day that comes in copious amounts through multiple channels. A business might accumulate data in various ways, from buying information from social media vendors to generate leads, to collecting it from customers making inquiries or buying products, or even from data transfer between merging corporations.
Companies use only a sliver of this data for business analytics, business alliances, product innovation, marketing, or sales. They store away the bulk for compliance purposes. Although dark data offers minimal value, it poses a high risk.
Organizations task chief technology officers rather than chief privacy officers with working out how to comply with California’s Consumer Privacy Act (CCPA) because it is more of a technological issue than simply conforming to new, more stringent rules on consumer privacy protection.
CCPA Compliance Struggles
Organizations in California (or those outside California doing business with Californians) are struggling to comply because of the overwhelming task of corralling their big data.
One panicked response has been to lock down all data stored in all servers. Because this over-reaction blurs the distinction between useful and useless data, it squanders valuable information.
A more measured response has been to test automation tools for managing data privacy. Chief technology officers who favor this approach try to map out stored data to explore, understand, and find meaning in it.
Data management tools can create data element mappings between two distinctly different data models. After software mapping functionality analyzes data and generates data-driven solution sets, a user can select a solution set with a click to explore it. Once a user understands the value of data based on one-click visualization, they can determine its usefulness. Once the data has been sifted and sorted, data managers can organize the valuable data into thematic maps to tell a story. Suddenly the obscure meaning behind hidden data makes perfect sense.
While this data mapping approach does not resolve the problem of dark data, it salvages massive amounts of valuable data destined for oblivion.