California Consumer Privacy Act (CCPA) / California Privacy Rights Act

Orion Governance Use Case

Achieving Privacy Compliance

The CCPA and other state privacy acts are a response to unregulated practices, lack of accountability, and lack of standards. Collecting, buying, selling, sharing, and transferring personal data without individual consent had been widespread, and organizations were not disclosing data breaches, hacks, leaks, or losses of personal data, which might include personally identifiable information, location information, shopping/viewing/browsing habits, and so on.

The CCPA, in effect since January 1, 2020, enhances consumer privacy rights and provides protections to residents of California in such matters. It requires:

  1. a privacy notice on the site,
  2. the right to access,
  3. the right to delete, and
  4. the right to opt out of the sale of personal information.

Sharing data with third parties often results in targeted marketing. Other states such as Colorado and Virginia followed suit and enacted similar laws. California's law was strengthened when voters approved the California Privacy Rights Act (CPRA) in November 2020. Under the CPRA, a business is covered if it does business in California and meets any of the following thresholds:

  1. gross annual revenue over $25M, or
  2. 50% or more of its annual revenue derived from selling or sharing California consumers' personal information, or
  3. annually buys, sells, or shares the personal information of 100,000 or more California consumers or households (raised from 50,000 under the original CCPA).

The CPRA took effect on January 1, 2023, but it applies to personal information collected on or after January 1, 2022, so take the time and provide these functional capabilities.

Denying that these obligations apply to your business could end up costing you.

What Does the California Consumer Privacy Act Do?

Gives the Consumer Ownership

Grants the rights to tell a business not to share or sell personal information

Gives the Customer Complete Control

Our data governance experts understand how hard enterprises work to avoid compliance issues.

Gives the Customer Privacy Rights

In some ways, the CCPA goes further than GDPR with the definition of consumer data. It includes derived data: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

Personal information categories include:

  • “Unique personal identifiers” (as defined in the statute)
  • Geolocation data
  • Commercial information, including “purchasing or consuming histories or tendencies”
  • Internet activity such as browsing and search histories
  • Biometric information; notably, CCPA personal information also covers “olfactory” and “thermal” information linked to a consumer or household
  • Inferences drawn from any of the above to build a consumer profile

All of these categories are quite broad and indefinite.

Given this broad categorization, how should consumer data be identified? Companies must tag information that is collected directly as well as data that is linked to the consumer based on activities and business processes. For many organizations, conducting an initial assessment across disparate heterogeneous platforms is a daunting and time-consuming exercise.

Orion’s Enterprise Information Intelligence Graph (EIIG) uses sophisticated scanners to quickly and automatically examine different vendor databases across disparate technologies and file types. EIIG can even determine where and how such personal data is linked and moved across the enterprise. In addition, EIIG enables enterprises to compare the content, format, range of values, and data types in an automated fashion for similarities and differences, helping comply with data management and data security policies.

Orion’s Term2Asset module maps business glossaries and terms that describe consumer data using a broad brush into the specific physical data for semantic querying, and can thus vastly enable reporting and discovery for the business data steward. EIIG also analyzes, documents, and communicates results to a broad, diverse audience automatically.

Below are some steps that every organization could follow:

Data discovery and identification – Automated discovery of data assets and cataloging of metadata: schemas, definitions, types, sizes, and inter-dependencies. Personal and customer data tends to be spread across relational databases, NoSQL databases, archived records in a data lake, data warehouse, or lakehouse, and distributed file system stores (e.g., Hadoop). Orion Governance's EIIG platform supports all of these disparate technologies and can harvest metadata automatically.

Catalog external data sources – Vendor and third party data is often collected using different business processes than internal data, and may be used to enhance personal information through record matching and additional attributes.

Automatically document data flow and lineage – Tracking the flow of Critical Data Elements (CDEs) within the enterprise, together with their lineage, is essential to ascertain where customer data moves, especially the primary customer identifiers and sensitive personally identifiable data. Examples include CRM systems such as Salesforce, home-grown or SaaS applications such as email marketing and analytics tools, and other data stores. BI and reporting systems also tend to contain a lot of customer information that needs to be cataloged and included in the lineage process.

Implement a metadata repository and layer – Customer and prospect data may be spread across data stores, from transaction databases to marketing systems, under your control or through SaaS applications. A metadata layer is essential to help abstract different data sets and apply the proper restrictions on personally identifiable data.

Review data retention policies – While customer data cannot be deleted without a proper process in place, reviewing the company’s data retention policies with a metadata layer in place is a whole lot easier and provides the right level of visibility into these legal and regulatory processes that are essential for every company.

Orion Enterprise Information Intelligence Graph platform accelerates compliance in many specific areas.

Data Inventory

Orion EIIG Scanners discover all metadata (technical assets) to the finest grain and automatically build a catalog.

Term-to-Asset Mapping

Orion EIIG Term2Asset, through pattern matching and machine learning algorithms, automates the mapping of physical data to the business glossary.

Data Portability & Transformation

Orion EIIG data lineage (technical and business) provides insight into how data moves and is transformed across systems end to end.

Data Consumption & Metrics

Orion EIIG dashboard provides metrics on how data is being reported and/or consumed across systems.

Data Deletion (Right to be Forgotten)

Search on any data element (field, job, task, report, etc.) and trace its data flow (lineage) end to end through all systems, so the record can be deleted confidently from every store that holds it, including copies that were shared with third parties.
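The discovery and lineage steps listed above and the deletion workflow described here both come down to the same two operations: tagging which columns hold personal information, and walking the lineage graph so no copy of a consumer's record is missed. The following is an added example, not Orion's code or the EIIG API: a toy metadata catalog with regex-based PII tagging by column name and sampled value, and a breadth-first walk over lineage edges in both directions (upstream sources feed the record too) that yields a deletion plan split into internal stores and third parties the data was shared with. All asset names, columns, sample values, flows, and the regex patterns are constructed assumptions for illustration.

```python
"""Constructed example: tag PII columns in a small metadata catalog, then walk
lineage edges to find every copy of a consumer record before a CCPA/CPRA
deletion request is fulfilled. Assets, columns, flows and patterns below are
invented for illustration, not harvested from any real system."""
import re
from collections import deque

# Column-name patterns that usually indicate personal information (assumption:
# naming conventions of the constructed schema; real scanners also sample values).
NAME_PATTERNS = {
    "email": re.compile(r"e[-_]?mail", re.I),
    "phone": re.compile(r"phone|mobile|msisdn", re.I),
    "geolocation": re.compile(r"\b(lat|latitude|lon|lng|longitude|geo)", re.I),
    "identifier": re.compile(r"(customer|user|account)_?id|ssn|device_id", re.I),
    "browsing": re.compile(r"url|page_view|search_term|clickstream", re.I),
}
# Value patterns used when a column name is uninformative (e.g. "col7").
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "phone": re.compile(r"^\+?\d[\d\s().-]{7,}\d$"),
}


def classify_column(name, samples=()):
    """Return the set of PII tags for one column, from its name and sample values."""
    tags = {tag for tag, rx in NAME_PATTERNS.items() if rx.search(name)}
    for value in samples:
        tags.update(tag for tag, rx in VALUE_PATTERNS.items() if rx.match(str(value)))
    return tags


def classify_asset(asset):
    """Map column name -> PII tags for every tagged column of an asset."""
    tagged = {}
    for col, samples in asset["columns"].items():
        tags = classify_column(col, samples)
        if tags:
            tagged[col] = tags
    return tagged


def reachable(lineage, start, forward=True):
    """Assets connected to `start` by following lineage edges forward (where the
    data goes) or backward (where it came from). BFS, so cycles are tolerated."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in lineage:
            here, there = (src, dst) if forward else (dst, src)
            if here == node and there not in seen:
                seen.add(there)
                queue.append(there)
    return seen


def deletion_plan(catalog, lineage, system_of_record):
    """Assets holding PII that must be processed to honour a deletion request,
    split into internal stores and third parties the data was disclosed to.
    Both directions are walked: upstream feeds carry the same consumer too."""
    reach = reachable(lineage, system_of_record) | reachable(lineage, system_of_record, forward=False)
    internal, third_party = [], []
    for name in sorted(reach):
        asset = catalog[name]
        if not classify_asset(asset):
            continue  # connected by lineage, but holds no personal information
        (third_party if asset["third_party"] else internal).append(name)
    return {"internal": internal, "third_party": third_party}


# Constructed catalog: column -> a few sample values (as a scanner would harvest).
CATALOG = {
    "crm.customers": {"third_party": False, "columns": {
        "customer_id": ["C-1001"], "email": ["a@example.com"], "phone": ["+1 415 555 0100"]}},
    "warehouse.dim_customer": {"third_party": False, "columns": {
        "customer_id": ["C-1001"], "col7": ["a@example.com"], "country": ["US"]}},
    "marketing.email_campaign": {"third_party": False, "columns": {
        "customer_id": ["C-1001"], "email": ["a@example.com"]}},
    "analytics.clickstream": {"third_party": False, "columns": {
        "customer_id": ["C-1001"], "page_view_url": ["/cart"], "geo_lat": ["37.77"]}},
    "reports.revenue_summary": {"third_party": False, "columns": {
        "month": ["2024-01"], "revenue": ["12.5"]}},
    "adtech_partner.feed": {"third_party": True, "columns": {
        "email": ["a@example.com"], "segment": ["high_value"]}},
}
# Constructed lineage edges (source -> target), as derived from ETL job definitions.
LINEAGE = [
    ("crm.customers", "warehouse.dim_customer"),
    ("warehouse.dim_customer", "marketing.email_campaign"),
    ("warehouse.dim_customer", "reports.revenue_summary"),
    ("marketing.email_campaign", "adtech_partner.feed"),
    ("analytics.clickstream", "warehouse.dim_customer"),
    ("warehouse.dim_customer", "crm.customers"),  # feedback load: a cycle the walk must tolerate
]

if __name__ == "__main__":
    for scope, assets in deletion_plan(CATALOG, LINEAGE, "crm.customers").items():
        print(scope, assets)
```

Two points the walk makes visible: the aggregated report is downstream of the customer dimension but carries no tagged columns, so it drops out of the plan, while the partner feed shows up under third parties and answers the "to whom is it sold" question at the same time. The pattern tables are the weak link in practice; a column named `col7` is caught only because a sampled value looks like an email address, which is why value sampling belongs in any real scanner.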

Data Reporting

Orion EIIG Dashboard is configurable to meet reporting needs, in addition to REST API to extract data for external reporting.

Keeping Data Customer-Centric

Business Problem

Most firms today do not have their data set up to be customer-centric: customer data flows across many systems and departments and is shared with or transferred to partners and third parties. Complying with CCPA, GDPR, and other state and national privacy regulations requires the organization to be very customer-centric, so that it can respond to requests and take the necessary steps within the regulated time limits, where failures carry penalties when enforced.

The Orion Governance Solution

EIIG is the one tool you want in your arsenal when you have such a high need to be customer-centric. It can help the organization gather all the necessary information to build the customer/employee/vendor Master necessary to get a customer-centric agenda for data privacy underway.

Business Benefits with Orion Governance

Leveraging Orion EIIG you can put in place a solution that allows customers to:

  • see all the personal information your organization collects about them
  • know if you are selling their information and to whom it is being sold
  • decline the sale of their personal information
  • have a view of their personal information as it exists in your organization

With these capabilities, organizations can more easily re-architect to be privacy-first, more customer-centric and data-centric.

Find Out How Orion Governance Can Help Your Use Case

Connect with an expert to quickly discover how Orion works for you