Out of the Grace Period: Trust and Communication Rises in a Post-CCPA World

Six months ago, the California Consumer Privacy Act (CCPA) was put into effect, granting California residents increased rights over how their personal data is gathered and shared by the companies they interact with. Leading up to its launch, organizations expressed concern over whether they were fully compliant with the incoming regulation, and if they weren’t, how they could act quickly to avoid compliance failures.

July 1 was the end of the CCPA six-month grace period — time that companies were given to come into compliance with the new regulation. Now all offenses will be taken into account and can potentially result in lawsuits and fines costing thousands of dollars per violation.

What have companies accomplished during this grace period? Recent survey data from Akamai found that trust and communication amongst businesses and consumers have increased by almost 60% as a result of privacy regulations, highlighting a unique connection between customer engagement and trust that concerned most businesses in a pre-CCPA world.

The survey takes a close look at the current state of data privacy post-CCPA. It examines the corporate point of view when it comes to compliance, third-party relationships, customer engagement, and trust. Here are a few initial takeaways:

It’s all about the customer: boosting engagement and gaining trust

CCPA requires businesses to disclose the personal data they collect or release about a consumer for business operational use. These companies must also inform consumers how their data is being collected, as well as the purpose for which it is being used. Simply put, with CCPA, consumers now have a level of rights over their personal information that they did not have before.

As a direct result, the relationship between customer and business has strengthened over the previous six months. The survey found that almost 50% of organizations are reevaluating their third-party vendor relationships to enhance customer trust as a result of CCPA.

There still is work to do as we cross over the grace period threshold. Only about half (52%) of organizations have given customers access to their data to enhance trust around CCPA regulations. In order to fully comply, businesses need to take action now to provide the required access.

Other findings of note

Who owns compliance for privacy regulations? There is often an overlap between the Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Chief Legal Officer (CLO), and — for companies that have them — Chief Customer Officer (CCO, sometimes known as Chief User Experience [UX] Officer), Chief Privacy Officer (CPO), and Chief Marketing Officer (CMO).

While it is important to have an executive sponsor for privacy (like cybersecurity), it is a team sport. All of these leaders must collaborate to ensure there is a fully functional program. The CIO and CTO were almost tied as the most common owner, but the CLO was also represented. In companies that have a CCO or CPO, that officer was more likely to be in charge of the program.

Another fascinating discovery was about whether or not organizations had automated how they handle compliance with each of the aspects of the CCPA. As you can see below, there is a spectrum of maturity for six major functions. As the number of customer engagements increases, it will become important to automate.

Let’s take a look at what privacy requests companies are seeing. While the spread between requests is not large, customers requesting access to their personal information or having it deleted are the leaders at 54%. Tied right behind are opting out and showing what types of data are collected. All of these can be difficult if the data is stored in multiple databases and on third-party systems. These trends will be important to determine which processes need to be automated first.

The final area we want to talk about: challenges that companies are experiencing as they develop compliant CCPA programs. The first issue is understanding what the program must accomplish. Companies need to map the requirements across local, state, and international laws. The next challenge is how to operationalize the compliance program. With many different data owners using separate systems, it can be difficult to automate the process. Forrester is now tracking customer identity and access management (CIAM) solutions that will register, profile, authenticate, and provide customers with the ability to self-service the management of their data. Last but not least, we need more education about CCPA to build a culture of protecting customers’ privacy.

What’s Next?

With the second half of 2020 and CCPA enforcement upon us, it is now as crucial as ever for businesses to validate their compliance programs. The data did find that businesses are generally ready for CCPA’s “official arrival,” with 90% feeling prepared now that the grace period has officially ended, but many of the processes are manual.

There is not a clear path ahead for privacy legislation. There will continue to be pushes for updated legislation until customers and the companies they use reach a balance on how to treat data. Ultimately, technology is not the solution — privacy requires business practices that treat customers in a way they feel is fair and ethical. 

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Steve Winterfeld. Read the original post at:

Steve Winterfeld

Steve Winterfeld is Akamai’s Advisory CISO. He has a strong background in building operational security programs that are compliant with industry regulations. Before joining the team, he served as CISO for Nordstrom Bank, Managing Director of Incident Response and Threat Intelligence at Charles Schwab and Senior Technical Director Cybersecurity & Group CTO at Northrop Grumman. Steve focuses on collaborating with Akamai’s customers to make sure they are successful in defending themselves and their customers. He also helps determine where Akamai should be focusing its security platform’s capabilities. Steve has published a book on Cyber Warfare and holds CISSP, ITIL and PMP certifications.
