Privacy and Prosperity - Is your business ready for CCPA?
If you have not yet heard Alastair Mactaggart's story, it is more than inspiring. His solo initiative to protect the privacy of all Californians is truly remarkable and led to the landmark legislation called the California Consumer Privacy Act. Watch the video of how the bold and courageous act of a regular citizen can influence both parties to work together for the benefit of the people. If you are not convinced that consumer privacy is core to our freedom and prosperity, take a look at this patent and you will think twice about where and when to place these listening devices in your home.
If CCPA is good for consumers and their rights, it has to be good for businesses too. After all, businesses are made by us. Almost half a million businesses will have to deal with this regulation, and it is an opportunity for them to use the technology and win the hearts and minds of their consumers. Here are the important facts about CCPA that every business needs to know:
- On June 28, 2018, the California Legislature unanimously passed, and Governor Jerry Brown signed into law, Assembly Bill 375, now known as the CCPA
- CCPA goes into effect on January 1, 2020, and is set to be the toughest privacy law in the United States by broadly expanding the rights of consumers and requiring businesses within scope to be significantly more transparent about how they collect, use, and disclose personal information
Consumers have the specific rights outlined below:
- Access: Individuals may request disclosure of the specific data elements of personal information collected about them, categories of personal information collected, categories of sources, purposes for collecting or selling, and categories of recipients with whom the personal information has been shared
- Data Portability: If the specific data elements of personal information are provided to the requestor electronically, to the extent technically feasible, they must be provided in a readily transferable electronic format
- Deletion: Individuals may request to have their personal information deleted
- Disclosures about Sharing/Sale: Individuals may request an accounting of the disclosures, including sale, of personal information made to third parties; this significantly expands upon the existing California “Shine the Light” law
- Opt Out: Individuals may object to the sale of personal information about them
- Opt In: Minors or their guardian must affirmatively authorize the sale of the minor’s personal information
Every impacted business has to comply with the following transparency rules:
- The online privacy policy or other web-based notice must disclose the categories of data collected, sources from which data is collected, purposes for which the data is used, categories of third parties with whom data is shared, information about individual rights and how to exercise them, as well as the data collected, sold, or disclosed within the prior 12 months.
- Policies in scope of CCPA will need to be updated annually
- Where applicable, a clear and conspicuous link titled “Do Not Sell My Personal Information” must be included on the business’s homepage and must link to a form where requests can be submitted
- Clear notice of any financial incentives offered
What can businesses do to comply?
We at IBM have a long history of helping our enterprise clients deal with a variety of regulations across different industries and geographies. Our Data Ops platform, called IBM Cloud Private for Data, helps clients through their AI journey using a governed data lake, allowing business users to discover IT and business assets for any impact and ultimately helping them with regulatory compliance. We have extended our governed catalog and mastered metadata approach with a new service called Regulatory Accelerator in our platform. My team built this 100% AI-powered tool with cutting-edge NLP technology and machine learning models that come pre-trained with our industry accelerators and also learn from users' expert actions. Security and privacy are core to this offering, so your business glossary and metadata all stay within your private cloud in your own data center.
Here is a 5-step framework that this tool supports:
- Determine whether the CCPA applies to any part of the business, and whether the requirements related to key aspects of CCPA
- Determine which CCPA individual rights apply to each business process or activity
- Determine which business processes and activities are in scope for CCPA and which involve minors
- Prepare data maps relevant to the collection, sale, and disclosure of personal information
- Understand the overall impact in terms of data assets and take further action
Our solution uses NLP technology to extract key terms, policies and controls from a regulatory document such as CCPA. These terms become part of a well-formed taxonomy, which is presented as a workflow to users collaborating on a Regulation project. As a business user brings their own glossary of terms and metadata assets that they need to explore and discover, a machine learning service gets into action and presents users with a set of candidate terms that match regulatory terms. This process continues until users finish mapping their data assets in a collaborative manner. The tool prepares and saves a taxonomy of all related assets and gives the compliance officer a view of the work in progress. The final taxonomy of related assets can also be pushed to the enterprise-wide catalog, which then becomes part of the knowledge center across your data ops platform.
If you work in the telecom, banking, finance or retail industry and are impacted by CCPA or GDPR, I invite you to try the Infosphere Regulatory Accelerator tool for 30 days and get ahead with making your business comply. If you are attending the IBM Think conference starting tomorrow, please come and attend my talk on Cognitive Data Governance and Regulatory Compliance on Thursday.