Data Mapping for CCPA
In the United States, data privacy laws have not been expansive or comprehensive enough to warrant American companies compiling data maps, especially given how historically difficult it is to do so. In fact, it was the passage of the GDPR in the EU that made user rights like data subject requests (DSRs) and clear opt-in consent tenets that companies adopted to stay compliant.
In the years since the GDPR, the U.S. has attempted to catch up with its own data privacy regulations, and while the nation is still far from passing federal legislation, states have taken the initiative to carry the baton of data privacy.
The state leading the charge is California, which passed the California Consumer Privacy Act (CCPA) in 2018. The law was not as strong as its proponents anticipated, which led to the California Privacy Rights Act (CPRA), effective as of January 1, 2023.
As Virginia and Utah also have data privacy laws coming into effect this year, this wave of momentum means American companies need to take data privacy more seriously than ever. Under the amended CCPA alone, any company processing the data of a single Californian needs to comply with the law, which will impact privacy programs across the country.
While data mapping for CCPA is not an explicit requirement, just as it is not for GDPR, it has emerged as the best tool for companies looking to comply with a bevy of stricter legislation.
What is Data Mapping?
Data mapping is a compliance-driven process of identifying and recording all user data an organization processes and stores. Data mapping aims to understand the who, what, where, how, and why of data processing, accounting for the collection, use, storage, and sharing of data.
- What data is being collected, processed, and/or stored
- Who in your organization has access to that data
- Where data resides, as in which specific systems and SaaS apps
- How data is being collected
- Why data is being collected
A complete data map, especially when visualized, will show links and systems that demonstrate how data flows in your organization.
Regulated Data under CCPA
The original CCPA legislation defines personal information as:
“Information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”
However, the CPRA amendments create a new subset of regulated information, referred to as sensitive personal information (SPI), which is policed even more strictly.
- a consumer’s social security, driver’s license, state identification card, or passport number
- a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- a consumer’s precise geolocation
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
- a consumer’s genetic data
The CPRA takes this new classification seriously, so for regulatory compliance a data map must categorize personal information types at a granular level.
Why Data Mapping for CCPA Wasn’t Popular Before
Even though it has only been 5 years since the CCPA was passed, the technology has advanced enormously in that time.
Data mapping done before 2022 was typically a manual process documented in spreadsheets. It required whoever was building the map to survey every department within an organization to understand which systems they were using, why they were using them, and what data was there.
The process took months, if not more than a year, and very often produced a result that was already incomplete and outdated, because companies constantly turn over and add to their SaaS usage. Those challenges severely hamstrung the advancement of data compliance, but they were a legitimate reason for the lack of widespread data mapping under CCPA.
Even California lawmakers recognize the difficulty of gaining oversight over an entire privacy program: the CPRA amendments distinguish between the fines and penalties for willful violations and those for negligent ones.
New Data Mapping Solutions
With the entry of multiple new players into the data privacy industry, the technological options available to companies of all shapes and sizes are impressive.
Automated data mapping has picked up a ton of steam over the past few years as companies leave behind the days of spreadsheets and compliance questionnaires.
The problem is that many automated data mapping tools are still not thorough enough to truly kickstart a data privacy program and CCPA compliance.
Most data mapping solutions rely on website or cloud scans or SSO to locate the data systems in use. However, website and cloud scans rarely account for more than 10% of total systems, and SSO, while better, typically covers only 30-40% of them. None of these options covers shadow IT or even unused systems, leaving an organization exposed to breaches it cannot detect.
This is where MineOS’ unique solution comes into play. Combined with our one-of-a-kind Email Navigator technology, we let users mix and match how they want to approach data source discovery. Our Email Navigator alone discovers the vast majority of a company’s data systems, and when run with SSO and scans can account for nearly 95% of sources.
Why Data Mapping for CCPA matters
Even though creating a data map with MineOS’s solution can discover and classify nearly all of an organization’s data, data mapping is not a CCPA or CPRA requirement. Why should any organization bother if the strictest data privacy law in the U.S. does not see a data map as a necessity?
- Because data mapping is the future of compliance, and those that adopt it and take advantage of new technology now will have a considerable leg up on competition when future data regulations do include data maps as a requirement.
- Because data mapping for CCPA compliance already makes a number of regulatory requirements (for both the CCPA and the GDPR) much easier to satisfy.
Data Mapping for CCPA as the Core of a Privacy Program
Having a proper overview of nearly all the data in your organization enables faster fulfillment of required compliance tasks such as:
- Record of business processing activities
Similar to the Record of Processing Activities (RoPA) requirement in the GDPR, businesses need to be able to produce a comprehensive report on their data processing activities if prompted by California authorities.
- DSR fulfillment
The CCPA brought widespread individual data rights to users in the U.S., and large companies will often receive hundreds of DSRs a week asking them to delete, clarify, or correct personal information. If a company does not know where data sits within its organization, satisfying DSRs becomes a tedious and time-consuming task.
- Data breach notification
The CCPA requires companies to notify users in a timely manner if their data has been involved in a data breach. If an organization does not have a thorough data map that accounts for shadow IT, how can it be sure, when a breach occurs, where it happened and who was affected?
- Maintaining consent management
Another core right the CCPA brought to Americans (Californians specifically, but many other Americans in practice because of how business is conducted online) was consent opt-in and opt-out. This essentially boils down to individuals being able to consciously say ‘yes’ or ‘no’ to companies processing, sharing, and storing their data when they use a service. Data mapping for CCPA purposes makes consent management easier to track and violations easier to avoid.
CCPA Increases Compliance Stakes
In addition to the value added through data mapping and the widespread expansion of ways to create a data map more accurately and quickly than ever, the CPRA amendments to the CCPA make compliance more of an organizational building block than any previous American data regulation.
What do we mean? The original CCPA largely concerned the selling of data, but the CPRA has expanded the scope of the regulations to include both the selling and the sharing of data. This alone means companies need to be much more careful about how and with whom they share data, and makes it a virtual necessity to lay out a geographical map of where data is going. On top of that, the CPRA now also grants employees these rights, adding yet another layer of data responsibility.
Meanwhile, the original CCPA 30-day grace period to fix violations has been eliminated, meaning organizations must always be vigilant about their compliance, and fines have been hiked across the board, now sitting at $7,500 per affected individual for willful violations or for any violation involving a child’s data.
With the newly created California Privacy Protection Agency (CPPA) to help oversee enforcement, California is taking data privacy as seriously as the EU.
Getting Your Data Mapping for CCPA Going
Considering the overall value proposition of data mapping, the fact that data mapping solutions are more readily available and accurate than ever, and the CPRA amendments that make the CCPA stricter, companies that don’t look into creating a data map are gambling with their brand and reputation.
Both evolving compliance requirements and the benefits data mapping brings make it an easy bet to make on the future, while also improving a company’s current privacy program.
If you want to get your data mapping for CCPA in place before the CPRA becomes enforceable on July 1, 2023, check out how MineOS surpasses other data mapping automations to truly bring you full coverage with a demo and free PoC.