Last Modified: April 10, 2019
No sooner did May 25, 2018 (GDPR day) come and go than the California legislature passed sweeping privacy legislation known as the California Consumer Privacy Act or CCPA, which comes into force on January 1, 2020 (but may not be enforced until July 1, 2020). While CCPA applies to personal information about California residents only, as a practical matter it raises the domestic privacy bar across the board. Neustar is not comfortable with giving consumers greater or lesser privacy protections depending on the state they hail from, and we doubt our customers will be either. And, in any case, as the world's 5th largest economy, California has sufficient market share to establish de facto national standards - and that's exactly how we are approaching CCPA compliance.
As we did in connection with GDPR, Neustar sees CCPA as an opportunity to build trust in data-rich ecosystems by empowering consumers to understand and control how and why their personal information is collected, used, and disclosed.
Neustar collects personal information about consumers and is directly subject to CCPA. In addition, as a service provider that manages personal data owned by many consumer-facing businesses, we understand that our customers will look to us to be their compliance partners.
As a result, Neustar launched a CCPA readiness program last year, using our well-developed GDPR infrastructure as the foundation for even more robust mechanisms to govern the broader, deeper, and more complex data sets containing personal information about American consumers. While we hope that regulation will clarify some of the many ambiguities in the California statute, we are proceeding on a schedule for full compliance with the current requirements well in advance of January 1, 2020. In the meantime, we are keeping a watchful eye on discussions about privacy legislation in other state capitols as well as Washington, DC.
Our compliance roadmap includes the following steps:
We've identified a core compliance team, consisting of key product, engineering, and compliance stakeholders. They have all received CCPA training and are now finalizing the issue spotting and gap analysis phase.
The core team is developing and managing the compliance roadmap and timeline, including identification of solutions both to ensure Neustar's compliance and to support customer compliance. We are focused on the technology underpinning our service delivery models to build in CCPA compliance "by design," and to execute on opt-out, access, deletion, and other data subject requests efficiently and thoroughly across all data sets. Based on this review and our gap analysis, solutions requirements will be documented; solutions will be designed, built, and tested; and workflows for remediation activities, if any, will be created and scheduled. As part of this process, we will build in compliance assurance tools and metrics to monitor, maintain, and continuously improve compliance.
Our existing self-service privacy portal for receiving and processing Data Subject access and rights requests under GDPR is being expanded to cover all consumer and all data subject rights under CCPA. We are further automating back-end processing to improve efficiency.
We are simultaneously reviewing and updating our privacy, security, and data governance policies, including our external-facing Privacy Statement, to reflect CCPA requirements not already covered. In addition, we will assess compliance against existing and upgraded policy requirements.
Vendor and service provider agreements, already upgraded to cover GDPR requirements, will be further modified to address any CCPA-required controls and flow downs.
We are developing enterprise-wide CCPA training.
We are also simultaneously updating our privacy impact assessments, including data mapping and retention/destruction schedules, to ensure that all impacted data sets - both Neustar and customer-owned data - are properly identified and mapped, and that both risks and risk mitigation approaches are documented and addressed.
Neustar participates in a variety of industry self-regulatory regimes, which we expect will be updated to address CCPA requirements. We anticipate that cross-industry consent management tools developed for GDPR may be adapted for CCPA as well, and we are actively participating in discussions to this end.
Neustar understands that the situation is still quite fluid, and that changes could come from a variety of sources. We are prepared to execute on regulatory and/or legislative changes to CCPA, competing state privacy laws, and even preemptive federal laws that may emerge.
Whether through CCPA or another vehicle, dramatic change is coming to the US privacy landscape. Neustar is prepared and eager to meet and deliver on increasing consumer demands to respect personal privacy as a marketplace differentiator - and to help our customers do the same.