When the impact of the California Privacy Protection Act is discussed, the business community tends to be treated as a homogenous block with homogenous interests. Of course, it isn’t. “The business community” has, in many ways, a much more diverse set of perspectives than other stakeholders in the data privacy discussion. Some businesses are built on the back of user data and have efficient data management at the core of their identity. Others are built on the back of pizza. Let me explain.
A few weeks ago I visited a regional pizza chain at one of their four San Francisco locations. I ate a truly delicious pie. But, job-obsessed as I am, I realized I was looking around the restaurant while eating, wondering to myself: Who exactly is looking out for businesses like this when CCPA comes into effect on January 1st, 2020? A regional pizza chain is not a FAANG (Facebook-Apple-Amazon-Netflix-Google)-sized company. User data is a useful but secondary component of their business. Most pizza chains can’t employ lobbyists to bring their concerns directly to privacy regulators. They are unlikely to have huge internal legal and technology departments. Their marketing teams, if they’re in-house, are less likely to have the resources to stay up to speed on the latest regulatory frameworks.
To put a finer point on it, debate over the impact of the CCPA is mostly portrayed as a pitched battle between Fortune 500 heavyweights and government regulators. But there’s a whole class of enterprises caught in the crossfire that goes underrepresented in the media. After all, the revenue threshold for companies subject to the CCPA is $25 million annually — low enough to qualify many “small businesses”. A business is also subject to the CCPA if it buys, sells or shares information of 50,000 consumers — many with that scale of operations still sit comfortably in SME (small- and medium-sized enterprises) territory.
I want to outline some unique SME concerns and propose some CCPA solves that are generally suited to SME-level capabilities. I believe the marginal effort required by most SMEs to be CCPA compliant is generally greater for some of the reasons I mentioned. But there are also data privacy efficiencies SMEs can avail themselves of that may not be available to larger businesses.
The first point to emphasize is organizational. A Fortune 500 company may have more resources to throw at data privacy compliance, but teams get top-heavy as they grow, and change gets hard. In an SME, assigning data privacy accountability to an individual — and empowering them to achieve it — can turbocharge the speed of reforms. The CCPA doesn’t require businesses to designate a Data Protection Officer. However, in a business like the pizza chain I ate in, a DPO can channel all the diffused concern about privacy compliance into a single, powerful focal point, and that position can in turn enact quick change. I highly recommend SMEs concerned about the CCPA take the plunge and appoint a DPO, even if the law doesn’t require it. It doesn’t have to be a new hire; this is more about the benefits of centralizing accountability.
The second point to emphasize is streamlining the technology stack. Once again, SMEs should generally enjoy some scale-based advantages in this area. A large multinational company will likely have regional, national and corporate marketing teams all holding some data on their California customers, and in my experience, it’s also very likely these different teams won’t have much overlap in the technology tools they use to collect, store and process this data. So the company must either take data from multiple tools and merge it into one privacy-vetted solution, or conduct compliance audits and adjustments on overlapping pieces of technology. Neither option is very efficient.
Conversely, a smaller business that runs marketing through a single department is less likely to be doubling up on tools for data collection, storage and processing. They might use a single tool for email marketing, where their larger competitors have emails being stored and leveraged by three or four different pieces of software. Here, the SME’s advantage is clear, and it should be maximized.
I recommend that SMEs take care wherever possible to avoid duplication of solutions to any data-adjacent business activities. Since teams are sized manageably, this should be comparatively straightforward to ensure. And the benefit is that there are real efficiency gains for data privacy compliance that come from a streamlined technology stack.
The final point I want to make is related to the previous two, but it’s less a recommendation and more an opportunity I want to highlight.
There are a few things we know concerning data and business in 2020. We know data-driven decision-making can boost business efficiency and ultimately, profit. For smaller companies and companies at an early stage of their lifecycle, sharpening data operations can yield all kinds of benefits.
We also know that governments all over the world are starting to regulate this part of business. Sharpening data operations is no longer optional — it’s legally required in some territories. The point is that if SMEs are forced to refine this crucial part of their infrastructure now, not later, they should view it as an opportunity. It’s a chance to gain a competitive advantage over teams that aren’t bound by CCPA requirements, and thus aren’t obligated to move as quickly. I think it’s vital for SME teams to see this opportunity clearly.
To conclude, I appreciate that many smaller businesses can feel caught in the crossfire regarding the CCPA. But I hope this article has made the challenge feel a little more manageable. To recap, I recommended SMEs grappling with CCPA compliance focus on three things:
- Concentrate data privacy responsibility in the organization by appointing a DPO.
- Take advantage of smaller scale by streamlining the data tech stack as much as possible.
- Be mindful of the business benefits of sharpening your data operation, so that the CCPA can be viewed through the lens of opportunity instead of obligation.
Privacy expert and engineer Cillian Kieran is the CEO and founder of privacy company Ethyca. Kieran has extensive technical experience working with legacy enterprise organizations such as Heineken, Sony, Dell and Pepsi, building data platforms, visualization tools and leading strategic advisory in change management and data governance policy definitions and liaising with CIO, CDO and legal counsel.