The short answer? A lot, but not as much as you might have been told…
As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.
While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.
Decision makers, consider the following:
- What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
- Can we do this all in-house or should we outsource some of it?
- Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
- What kind of fundamental changes are we willing to make to our IT infrastructure?
- Do we fully automate self-service requests through API’s and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
- How can taking a principle based approach to privacy using concepts like data minimization to insulate us going forward?
Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.
Then what’s my next step?
Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….
Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us?
Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.
It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?
The bottom line…
There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.
The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.