Bloomberg Law: Beyond the CCPA — Building a Privacy Framework for the Long Haul

Digital businesses are gearing up to adapt to another major data privacy law—the California Consumer Privacy Act that goes into effect on Jan. 1, 2020, and changes the calculus for virtually all companies interacting with California residents.

The new law is less robust than the European Union’s General Data Protection Regulation (GDPR) that was implemented in 2018, but it greatly expands the scope of what is considered to be protected data, requires companies to stop selling a consumer’s data at their request, and ensures they honor requests for information or delete personal information they’ve collected from consumers.

While laws like GDPR and the CCPA certainly present short-term compliance challenges, they are the result of recognized and growing public concerns about data privacy. A recent study from the Network Advertising Initiative (NAI) showed 52% of people have serious concerns about their overall privacy on the internet, with 88% being at least somewhat concerned.

Stop Scrambling to Comply Piecemeal

The changing paradigm of privacy law in the U.S. presents an opportunity for businesses to think more broadly and prepare long-term data management and privacy-first strategies that can be applied globally. Rather than scrambling to comply with each new regulation as it materializes, businesses should take this opportunity to develop robust, flexible privacy frameworks that are built to last.

This can be done by identifying the themes that recur across most privacy laws and building programs around these pillars. These key themes include:

  • transparency and notice to consumers of data collection activities,
  • accessibility of personal information,
  • choice and objection to data processing,
  • data minimization, and
  • data security.

If companies can build to these privacy mainstays, they can position themselves for long-term success in building a sustainable privacy program while also reducing administrative costs and liability.

Stopgap Solutions Aren’t Enough

For large, busy organizations, it can be tempting to focus solely on the latest privacy law, rather than the long road ahead. However, we’re still in the early stages of privacy regulation, and the changes and investments that companies choose to make now should be foundational shifts to build business around privacy safeguards, rather than just stopgaps.

When it comes to state-level legislation, California is often a first-mover, with other localities using its regulations to guide their own. Eventually, the U.S. may enact a federal data privacy law with guidance from California, or even the GDPR. However, without a national law, the final state of legislation in the U.S. will be a complex patchwork of local privacy regulations.

While it’s impossible to predict the coming details of legal requirements across states and countries around the world, digital businesses can stay a step ahead by focusing on the underlying pillars of the privacy space to build a robust privacy program. The CCPA simply codifies and reflects long-standing, privacy-focused themes around transparency, choice, and security. Therefore, companies need not wait to begin planning long-term privacy compliance programs built to last.

Rather, companies can look for thematic guidance that exists today to guide core initiatives to build a privacy program. By embracing this type of structure, companies will have fewer structural changes to adapt to as details of new laws emerge. In this new landscape, privacy should be built into every facet of a business.

One example of a key theme is data minimization—that is, applying the principle of retaining only the personal information that is absolutely needed for the day-to-day operations of the business, and applying additional scrutiny to retention policies that keep data for infrequent or non-core use cases. This type of policy can be applied across every department, product, and initiative, without a prescriptive directive from any one regulation.

Another example would be creating framework processes that allow privacy teams to review and vet major changes to a business’s products or services prior to development. This type of general approach allows companies to understand changes before investment begins, and can go a long way toward preventing the unwitting expansion of a company’s risk profile.

Striving for a New Gold Standard

While data practices around consumer information will continue to be increasingly regulated, forward-thinking businesses can save countless hours of preparation and significant resources by making decisions today that invest in long-term privacy structures.

With robust privacy frameworks as the foundation of compliance, companies can sustainably grow amid new laws, and further build valuable trust with customers, business partners, and the public.