AI for Compliance — Is your business ready for CCPA?

Rakesh Ranjan
IBM Data Science in Practice
4 min read · May 23, 2019

IBM Cloud Private for Data (ICP4Data) is a DataOps platform for your business’ information governance journey. Your business needs to collect, govern and analyze data seamlessly so that you can infuse AI to your analytic applications and accelerate your regulatory compliance.

That’s a lot of requirements. Let’s first look at compliance.

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and its impact is not limited to businesses located in California. In fact, IAPP estimates that the CCPA will directly impact half a million businesses in the US alone. If any of the following apply to your business, you’ll need to comply:

  • Your company’s annual revenue exceeds $25 million.
  • Your company receives information from over 50,000 consumers, households, or devices annually.
  • At least half of your annual revenue comes from selling personal information.

Although the law goes into effect in January of next year, the California attorney general has until July 2, 2020 to publish the regulations. Note the distinction: the legislation is what lawmakers passed, whereas the regulations are the standards through which the law will be enforced.

To really understand the implications of CCPA for businesses, we have to fast-forward seven and a half months to January 2020 and describe a scenario. Imagine that customer John Doe writes an email to his favorite retailer:

Dear BigFish Sporting,
I don’t know who you are and why you send me marketing emails multiple times a week. Please delete my data.
John Doe

Tracy from the marketing team forwards the email to the IT department to confirm that John Doe is a BigFish customer.

10 days later, when John Doe gets a survey email from BigFish Sporting, he gets frustrated and sends another reply:

I sent a request to delete my data 10 days ago. Why am I getting a survey? I also keep getting your marketing emails. Are you going to delete my personal data, or should I contact my local regulator?
Thank you.
John Doe.

BigFish Sporting is headed for big trouble if John Doe contacts the regulator. The penalty for each individual violation is $2500 if unintentional and $7500 if intentional.

So, what are the specific compliance obligations for the business and what can they do proactively?

CCPA compliance has two components:

  1. Disclosure obligations
  2. Information governance obligations

Under the new law, business websites and other venues for collecting personal information must offer consumers detailed information. Specifically, businesses need to tell consumers:

  • Their rights under this regulation
  • The categories of information being collected
  • How the business will use the collected information and whether the business will share or sell information to 3rd parties
  • What information was shared or sold to 3rd parties in the previous year

In addition, businesses must offer consumers a clearly visible opt-out link that lets the consumers convey that they don’t want the business to share or sell their personal information.

That describes the first component of the regulation. The second component centers on information governance, which is likely to be more complex and expensive for most businesses. Information governance includes the ability to find all of a consumer’s personal information within any data lakes or data warehouses.

Essentially, it is a three-step process:

  1. Discovering and classifying metadata where business meanings are assigned to any cryptic metadata
  2. Curating content (extracting terms, descriptions, policy and controls) from CCPA regulation. This will require legal and compliance experts to review.
  3. Mapping data to find personal information in all data assets, categorized by the CCPA obligations. Again, this will require legal and compliance experts to review.
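The three steps above describe a workflow rather than code, so here is an added illustration of what steps 1 and 3 amount to on a small, constructed data catalog. This is example code written for this article, not ICP4Data's regulatory accelerator or any IBM API; it stands in regex-based value sampling for the NLP classification the product uses, and the table names, column names, records and the term-to-category mapping are all assumptions made up for the demonstration. The point it shows is the one the deletion-request scenario hinges on: once cryptic columns carry business meaning and a CCPA category, a request from one consumer can be answered across every asset instead of being lost between marketing and IT.

```python
import re
from collections import defaultdict

# Constructed sample data catalog: two data assets with cryptic column names,
# standing in for a data lake / warehouse. None of this is real customer data.
CATALOG = {
    "crm.cust_mstr": [
        {"c_id": 101, "c_eml": "john.doe@example.com", "c_ph": "415-555-0101", "c_zip": "94103"},
        {"c_id": 102, "c_eml": "jane.roe@example.com", "c_ph": "415-555-0199", "c_zip": "94110"},
    ],
    "mkt.campaign_hits": [
        {"hit_id": 1, "addr": "john.doe@example.com", "cmp": "spring-sale", "dev_id": "a1b2c3"},
        {"hit_id": 2, "addr": "jane.roe@example.com", "cmp": "spring-sale", "dev_id": "d4e5f6"},
        {"hit_id": 3, "addr": "john.doe@example.com", "cmp": "survey", "dev_id": "a1b2c3"},
    ],
}

# Step 1 (assumed, simplified): business terms are assigned to cryptic columns
# by pattern-matching sampled values. A real deployment would use trained
# classifiers; these three regexes are only a stand-in for the demonstration.
VALUE_PATTERNS = {
    "Email Address": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "Phone Number": re.compile(r"^\d{3}-\d{3}-\d{4}$"),
    "Postal Code": re.compile(r"^\d{5}$"),
}

# Step 3 (assumed mapping): business term -> CCPA personal-information category.
# Which category a term belongs to is exactly the judgement the article says
# legal and compliance experts must review.
CCPA_CATEGORY = {
    "Email Address": "Identifiers",
    "Phone Number": "Identifiers",
    "Postal Code": "Identifiers",
}


def classify_columns(catalog, min_ratio=0.8):
    """Return {asset: {column: business_term}} for every column whose sampled
    values match one of the patterns at least min_ratio of the time."""
    result = {}
    for asset, rows in catalog.items():
        terms = {}
        for col in rows[0]:
            values = [str(r[col]) for r in rows]
            for term, pat in VALUE_PATTERNS.items():
                hits = sum(1 for v in values if pat.match(v))
                if hits / len(values) >= min_ratio:
                    terms[col] = term
                    break
        result[asset] = terms
    return result


def map_personal_info(classified):
    """Return {ccpa_category: [(asset, column), ...]}: the inventory of where
    each category of personal information lives across all data assets."""
    inventory = defaultdict(list)
    for asset, terms in classified.items():
        for col, term in terms.items():
            inventory[CCPA_CATEGORY[term]].append((asset, col))
    return dict(inventory)


def locate_consumer(catalog, classified, email):
    """Find every record tied to one consumer's email address across all
    assets. This is the question a deletion request such as John Doe's has to
    be answerable with, before any record can be deleted or masked."""
    found = {}
    for asset, terms in classified.items():
        email_cols = [c for c, t in terms.items() if t == "Email Address"]
        rows = [r for r in catalog[asset] if any(r[c] == email for c in email_cols)]
        if rows:
            found[asset] = rows
    return found


if __name__ == "__main__":
    classified = classify_columns(CATALOG)
    print("classified columns:", classified)
    print("CCPA inventory:", map_personal_info(classified))
    print("records for john.doe@example.com:",
          locate_consumer(CATALOG, classified, "john.doe@example.com"))
```

The output of `locate_consumer` is what a privacy or masking tool would then act on; the classification and the category mapping are the two places where the expert review called for in steps 2 and 3 belongs, since a column mislabelled here is a consumer record that a deletion request silently misses.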

For most businesses, even one of those steps will sound intimidating. Working through all three by next year could pose a huge challenge.

What’s the lesson? CCPA compliance is going to take a large and coordinated effort across your business. Certainly, it’s true that in the era of AI, a huge number of workflows are driven by machines that learn and train themselves — whether they monitor ad clicks or predict customer or employee churn. But CCPA — and other regulations — demonstrate that human experts must still drive the workflow in regulated businesses.

To assist those experts, we identified the potential for Natural Language Processing (NLP) technologies to assist with the regulatory workflow. The result is a fully AI-powered regulatory accelerator tool within our ICP4Data offering that helps with all three of the information governance tasks mentioned above.

Since we tackle this problem as part of a broad information governance workflow, you can leverage your existing privacy and masking tools and use REST APIs to plug the data into your existing compliance dashboard or tracking tool. No need to start from scratch with new tools.

Watch this short video and let us know if we can help you finish this daunting task with ease:

https://youtu.be/ssAKLcEEO8A
