RSCC spoke with Steven Elm, director of data science and a technical lead at an organization of more than 3,000 people, about getting compliant with the California Consumer Privacy Act (CCPA),[1] which went into effect July 1, 2020. Elm implemented the plan at his organization. The following is an edited version of an email interview.
RSCC: When did you begin working on CCPA compliance? Did you feel like you had enough time to implement the necessary changes?
SE: I read the text of the bill the week it passed the Assembly. I brought it up at a staff meeting but Jan. 1, 2020, was still months away, so we shelved discussion for a while. One of the attorneys and I agreed on a general approach at the time. We ended up hurrying up to have things implemented in time for January. Honestly, I think companies were given plenty of time to implement CCPA.
RSCC: Did you base your changes on the final rule that is currently waiting to be approved or another set of standards?
SE: We adjusted our approach slightly to fit the final rules. There are still some areas that are not totally clear to us. For example, most of our data sharing is in the context of advertising. The kind of data and the reasons for sharing in the digital advertising space are nebulous, and it is hard to tell if we’re “selling” data or not sometimes.
RSCC: What resources were you provided with to complete the project of achieving CCPA compliance?
SE: I was working closely with an attorney. We had access to our corporate data protection officer (DPO), but he reviewed what we did to make sure we were following the rules rather than telling us how we should be implementing things.