A few other key notes: the CCPA remains in place and updates to its regulations go live January or February 2023; and on July 1, 2023, civil and administrative enforcement will begin, including the period from Jan. 1 on.
"I think the real problem here, the big challenge for businesses, is going to be around data governance," Moran says.
He described a common scenario in which a consumer goes to a company website and provides personal information for a purchase or inquiry for more information. That data then goes through marketing and other avenues within the business, so how does the business track all the movement of that data, and when it comes to deleting that data (especially if the customer requests them to do so), how does the business ensure complete deletion of that data occurs?
Veronica Torres, Worldwide Privacy and Regulatory Counsel at Jumio Corporation, says retention of data is an important aspect to consider and one businesses can often forget. There is no reason for a business to keep consumer data for 25 years, so it must think about what is reasonable and "where you don't need it anymore, delete it," she adds.
Torres also reviews access and deletion requests, which includes a consumer's "right to know" what is being done with their data, and the introduction under CPRA/CCPA of a new right to "data deletion."
Also joining the webcast panel is Orson Lucas, Principal at KPMG, who underscores some key areas businesses should focus on and prioritize with the looming deadline for the CPRA:
Focus on clear visibility into your data environment, which includes data mapping and data discovery.
Deploy technologies and tools that help you scale data management in a manageable way.
Pay attention, as Torres said, on data retention schedules to determining what data you are retaining, why, and for how long.
Watch the webcast for the complete list and more details, as well as to earn CPE credit for taking in the entire session.