AB-375 California Consumer Privacy Act (CCPA)¹ went into effect January 1, 2020, generating a lot of conversation with consumers and businesses. At the heart of the CCPA and similar regulations is the need to protect sensitive information. The only way to adequately protect data is with clear knowledge of all the data a business touches. The upside is that the effort required to map out the flow of data can have long-term benefits to a company if approached correctly.
There are three main ways that we can tackle privacy: Privacy as a Requirement, Privacy as an Experience, and Privacy as an Accelerator. Here’s what we mean by each one.
PRIVACY AS A REQUIREMENT
The CCPA is merely the latest in a long list of regulations that companies must comply with, and it most certainly will not be the last. Most of us are familiar with HIPAA, PCI, and GDPR by now, but the landscape continues to evolve with new laws coming such as New York’s SHIELD Act² or existing requirements getting enhanced like with proposed changes to the National Automated Clearing House Association’s (NACHA) Operating Rules³.
Compliance with the ever-expanding network of rules and regulations can be a challenge for most companies and one that understandably is viewed as either a burden or cost center. The primary focus and motivation during implementation efforts is to either avoid penalties or protect current investments. Generally, this task ends up being one more to-do on an already overloaded employee’s day.
The most common method of compliance is focused on meeting the minimum requirement to satisfy an audit. We have all seen the dense, legalese agreements that are constantly bombarding us as we browse the web. A recent publication from Pew Research indicates that more than 50 percent of Americans are asked to agree to privacy policies on a weekly basis⁴. Shockingly, only thirteen percent of Americans understand most of what these policies are saying. Fifty-five percent only understand some while thirty-two percent understand very little or none of what is being asked or presented to them⁵. It should come as no surprise then that these policies are rarely read⁶, and even then, are only partially read through and truly understood⁷.
This all works together to create a rather forgettable experience for the consumer while leaving the company in an arguably worse position than it started as it only incurred costs in the effort to comply with new privacy demands while obtaining little tangible benefit. This also misses an exciting opportunity to engage with consumers.
PRIVACY AS AN EXPERIENCE
Consumers are increasingly concerned about the security of their data⁸, as well as with how that data is used by companies⁹; both are central concerns of privacy legislation like the CCPA. The traditional approach of Privacy as a Requirement is insufficient to address these concerns but taking a customer centric approach would have a noticeable impact.
Merely satisfying the letter of the law misses an important opportunity with our customer. By seeing things through the eyes of the consumer, by truly getting in touch with their motivations, we come to the understanding that there is a lot more to this conversation with the customer. We have an opportunity to build trust in our brand, a chance to shift ourselves out of the homogenous glut of monolith enterprises that dictate terms to faceless masses.
We have the ability to empathize with the customer and tell them with our service and products that we understand their concerns around privacy. We want to work with them in protecting their data, in being good stewards of the information that they have entrusted to us.
Great businesses are able to energize their customers this way. It becomes a key differentiator in a crowded market. When there is surprise and delight for the end user, especially coming from something normally seen as boring, it can leave a lasting impression on a customer.
As compelling as a consumer-centric implementation may be, however, there is one more approach to privacy, and this one can supercharge your business: Privacy as an Accelerator.
PRIVACY AS AN ACCELERATOR
To understand how privacy can accelerate our business, we first need to understand the nature of data debt. Data debt is related to technical debt but deals exclusively with information. Data debt contributes to waste in our organization as we struggle with things like stale data, incomplete data, and forgotten data.
Stale data can lead us to take the wrong action based on what we thought was good analysis. Incomplete data can render us unable to take action when we want to. Forgotten data is probably the most troublesome as it exposes us to risks that we are not even aware we are taking.
A quick way to think about data debt is to imagine a garage that is popping at the seams with junk. The garage door is unable to close and there is a bicycle tire sticking out the crack. Our lawnmower is giving us problems and we want to get to our tools to work on it, but they are buried under years of neglect.
Contrast this with an organized garage: the floor is spotless; everything is in the proper place and easily identified. Now it only takes you a second to find what you need to coax the mower back to life. It took some work to get the garage into this state, and it takes effort to keep it that way, but the long-term benefits in productivity are easily worth the investment.
In the same way, we want to pay off our data debt by organizing our data. Taking the time to audit and catalogue our data will help us uncover things like stale data, incomplete data, forgotten data, and more.
The acceleration factor is when you start using the catalogue. Development teams are able to quickly identify sources of data they need and share with other teams such as marketing, leading to reduction of wasted efforts. It aids in system architecture as you are more easily able to identify contexts and domains for your applications.
Perhaps the biggest win is “speed to compliance,” or the ease of being able to satisfy legal obligations. CCPA section 1798.130(a)(2), for example, gives a business 45 days to respond to a consumer’s request for information. The Privacy as an Accelerator mindset put you in a position where that information is easily accessible. Or consider CCPA sections 1798.130(a)(6) and 1798.135(a)(3) which require the business to ensure individuals interacting with consumers are fully aware of the legal requirements and are able to assist the customer with their request. Add a little Privacy as an Experience to that customer interaction and you are looking at a new Net Promoter®¹¹.
Another consideration is how we utilize data when we architect our applications. Domain Driven Design¹² is a popular methodology that advocates separating the concerns, or domains, of your applications. By adhering to this design philosophy, you can untangle some of the data spaghetti that is commonly found in enterprise systems everywhere.
Identity, for example, could be broken down into “Person”, “User”, and “Profile”. The Person domain would contain all the sensitive information: name, social security, birthday, and other PII. The User domain would handle things like permissions, activity logs, and credentials: everything needed for someone to interact with a system. The Profile domain would be the public presentation of that user to the world including things like the avatar, alias, and biography.
It is worth examining the User domain a bit more here as it will help us better understand the advantages of Privacy as an Accelerator. While there is usually debate over what constitutes PII, a more useful way to think of it would be in terms of the future requirements. PII definitions are changing and the direction is usually to include more and more under the protection umbrella.
When thinking about an application, think about what it really needs for a user to interact with it. A typical application does not need to know anything about who the user is, it only needs to work on the concept of a user. As far as the program’s algorithms are concerned, a random string is just as good as a person’s name. While we might want to display the user’s real name during the normal course of operation, if we have separated the concerns of Person and User in the system, we will be in a position to easily remove a consumer’s personal information without compromising the functionality of our application. Then we would be left with a user entity that we can still interact with in our system, but it can no longer be tied back to a real consumer.
Speed to compliance and separation of concerns also translate to business agility by future-proofing us against regulatory change. Rather than the next regulation taking up valuable time and resources to tackle, you will be in a proactive position to adapt to the changing landscape. There will undoubtedly be changes that still have to be made, but the effort will be considerably less than if we were still wallowing in data debt.
A thorough map of data with your data catalogue, well-structured applications that each have their own domain, engaged teams that are trained on their responsibilities and the tools provided by the company: each of these are examples of practices that serve to accelerate your company’s ability to adapt to change.
WHAT THIS CAN MEAN FOR YOUR BRAND
CCPA represents an attempt by California to respond to the rapidly evolving challenges consumers face in an increasingly connected world. There are already several other proposals on the horizon and consumer sentiment is in favor of more government intervention¹³ in the name of protecting the individual’s right to privacy.
By moving past the traditional approach of Privacy as a Requirement and into the future of Privacy as an Experience and Privacy as an Accelerator, we can position ourselves to take advantage of both positive customer sentiment as well as newfound business agility through paying off data debt.
Net Promoter, Net Promoter Score, and NPS are trademarks of Satmetrix Systems, Inc., Bain & Company, Inc., and Fred Reichheld.
Citations: “AB-375 California Consumer Privacy Act”, California Legislative Information, accessed April 20, 2020 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 : “New York SHIELD Act”, The New York State Senate, accessed April 20, 2020 https://www.nysenate.gov/legislation/bills/2019/s5575 : “Supplementing data security requirements”, NACHA, accessed April 20, 2020 https://www.nacha.org/rules/supplementing-data-security-requirements : “A majority of Americans are asked to agree to privacy policies at least monthly, including a quarter who say this happens daily”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-01-2/ : “About two-thirds of U.S. adults who read privacy policies say they understand at least some of them”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-04/ : “About one-in-five Americans say they always or often read privacy policies before agreeing to them”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-02-2/ : “Only a minority of Americans who read privacy policies say they read them all the way through”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-03/ : “Seven-in-ten Americans say their personal information is less secure than it was five years ago”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/how-americans-think-about-privacy-and-the-vulnerability-of-their-personal-data/pi_2019-11-15_privacy_1-03/ : “Most Americans are not confident that companies would publicly admit to misusing consumers’ data”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-05/ : “User experience design”, Wikipedia, accessed April 20, 2020 https://en.wikipedia.org/wiki/User_experience_design : “Net Promoter”, Wikipedia, accessed April 20, 2020 https://en.wikipedia.org/wiki/Net_Promoter : “What is Domain-Driven Design?”, DDD Community, accessed April 20, 2020 https://dddcommunity.org/learning-ddd/what_is_ddd/ : “Most Americans think there should be more government regulation of what companies can do with personal data”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-08/