The California Consumer Privacy Act of 2018 (AB 375) [1] is expected to set a new standard for consumer rights regarding the collection and usage of consumer data, and companies will be challenged as they modify IT systems and processes in order to comply. The act requires that a business track three points (referred to as the three Ws hereafter): "What do they collect about the consumer", "Why do they collect this data" and "Whom do they share this data with".
Being AB 375 compliant is not just about 'fixing one application or one system'. It involves the entire organization. This article focuses on the act's impact on enterprise IT systems, specifically on-premise and cloud CRM systems.
What is the role of CRM in the context of this law?
Because the CRM system is typically the master of the customer information data domain, the law means the CRM system will have to "know" the three Ws. This also means that all the underlying systems that use consumer information must "inform" the CRM, so that the CRM can carry out the four key demands of the law: explicit opt-in (for minors), opt-out, deleting the consumer's personal information, and providing the customer's information to him on demand. Because the law takes a wide view of what constitutes consumer information, the system will also have to put safeguards in place to treat it as such.
Such a program will require the two steps broadly described below. For all practical purposes, each step will be a separate project.
Step 1: Assessment
Personalized customer experience increases revenue and loyalty [2]. For differentiated and personalized services, companies depend on data type, quality, and quantity. Some of the customer information is collected directly from the customer during normal operations, and the rest is sourced from other channels. Recently, to differentiate themselves from others, companies have been moving towards extreme personalization [3]. This shift means businesses possess and use more personal information and preferences than ever.
An important step towards compliance with AB 375 is to understand data sources and how data moves in your organization. Assess all sources and systems where personal information is stored, used and shared, from both a technology and a legal perspective. The more scattered the information is, the more expensive and time consuming the solution will be. The output of the assessment phase should include a high-level approach, current and future state technology architecture, current and future state data architecture, use cases (epics), an implementation timeline and change management requirements. Change management would encompass both the business process and the human side of the changes.
Step 2: Implementation
Every effort should be made to store all the personal information (PI) in one logical "customer" object where each record represents a customer. To keep the impact footprint small, it makes sense to make the CRM the master of the consumer information data domain. An enterprise MDM solution would aid in the process so that a customer can be uniquely tracked across all the systems. The customer data object in the CRM should be extended with a child object (say 'PI Tracking') for information tracking. This tracking object will be a master object that contains all the information about the usage of the customer's PI. The purpose of the information sharing and the details of the consumer (who utilizes the data) should also be logged.
The CRM system will serve two roles: it will continue to be used normally, and it will become the source of truth for the customer's information sharing and tracking log. Natively integrated systems can update such logs with ease. The CRM should also provide a service that other systems can consume. Any system that uses PI should use this service and create a tracking record in the CRM. Upon a verified request, a report can be created from this tracking data and shared with the customer.
Before any PI data is sold to external parties, a tracking record should be created with the three Ws for the customer record. It should also mention the PI attributes and usage. If data is being sold to an external entity, then the external entity's details should also be stored in the CRM system. The tracking record should also contain a unique identifier of the external entity. Whether all the "sold" records should be stored in a custom RDS for future audit purposes is another design choice to make after weighing the pros and cons. If the consumer is a minor, then his or her information can't be sold without obtaining his or her explicit approval prior to selling. The information sharing processes must take this into account.
A customer may request to opt out, may ask the business to share what information it possesses and how that is used, and may ask it to delete the personal information. In the case of minor customers, the process must be designed to seek their explicit approval prior to selling their information to third parties.
The business has to implement a new service request process. Service request capture processes will need to be extended with three additional options.
- Deliver PI
- PI opt-out
- Delete PI
Tracking data through the systems, along with the data's purpose, is the most difficult task. Hence, the fewer systems the data is maintained in, the better the solution architecture. Probably the best approach is to maintain the customer information data domain within the CRM system. The CRM can expose real-time/batch services that other systems can consume. The customer object should be extended with a child "PI tracking object". The purpose of the tracking object is to log all usage of the PI by all systems, including the CRM system. This clean design, based on an extension of the customer record, makes it easy to generate a report from the customer's audit logs in the PI tracking object. Report generation and sharing with the customer can be automated. Whether or not to spend on automation will depend on expected request volume and service cost.
When taking a customer request for delivering PI, one additional piece of information should be captured from the customer: the preferred method of report sharing. There are two options for the customer: by mail or electronically.
For mail functionality, create a report from the data in the PI Tracking object with the customer as a dynamic filter. Access to execute the report should be provided only to select individuals and should be auditable. Masking of PI would also be needed. If the report is to be shared electronically, then the information should be in a portable data format that can be used by another entity without hindrance.
A customer can request to opt out of information sharing (selling) with third parties. An auditable flag should be maintained to indicate Opt-Out-of-Sales for each customer. Upon receipt of a verifiable request, the relationship officer should update this flag. If this flag is true, the PI of the customer should not be sold to anyone. Assuming there are existing batch/real-time interfaces, such integrations will require modification to verify the flag prior to extracting customer information for selling.
Also, all these systems of record will have to expose a service that can delete the customer's PI if the customer wishes. The service should delete the PI unless it is required to carry out transactions, for security reasons, to debug and repair functionality, or by law and for legal reasons. The business shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records. Thus third parties will also have to expose a service that will be consumed by the CRM. The response from the third party should also be recorded in the CRM for audit purposes.
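The following sketch shows the sale gate described above together with the tracking record required before any sale. It is an added example, not code from the article or from any CRM product; the class, field and function names, the sample customers and the buyer identifier are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Customer:                      # hypothetical CRM customer record
    customer_id: str
    is_minor: bool = False
    opt_out_of_sales: bool = False   # the auditable Opt-Out-of-Sales flag
    minor_opt_in: bool = False       # explicit approval captured for a minor
    pi_tracking: list = field(default_factory=list)  # child "PI Tracking" rows

def may_sell(c):
    """Return (allowed, reason) for selling this customer's PI."""
    if c.opt_out_of_sales:
        return False, "opt-out-of-sales flag set"
    if c.is_minor and not c.minor_opt_in:
        return False, "minor without explicit opt-in"
    return True, "ok"

def extract_for_sale(customers, attributes, purpose, buyer_id, now=None):
    """Gate a batch extract: log the three Ws first, then release the record."""
    now = now or datetime.now(timezone.utc)
    released, withheld = [], []
    for c in customers:
        allowed, reason = may_sell(c)
        if not allowed:
            withheld.append((c.customer_id, reason))  # kept for audit review
            continue
        c.pi_tracking.append({
            "what": list(attributes),   # PI attributes being shared
            "why": purpose,             # purpose of the sharing
            "whom": buyer_id,           # unique id of the external entity
            "event": "sale",
            "at": now.isoformat(),
        })
        released.append(c.customer_id)
    return released, withheld

def build_sample():
    """Constructed sample customers covering each branch of the gate."""
    return [Customer("C-001"),
            Customer("C-002", opt_out_of_sales=True),
            Customer("C-003", is_minor=True),
            Customer("C-004", is_minor=True, minor_opt_in=True)]
```

Because the tracking record is written before the identifier is released, an extract that fails midway still leaves an audit trail for every record that left the CRM.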
- Think about long term
- Backup and archival
- Change Management
Modifying systems only for California consumers is a short-sighted solution. Other states will follow suit sooner or later. It is impractical to keep adding exceptions in the business layer of CRM systems. In layman's terms, it would mean rendering different UI components and adding branches in business processes based on the consumer's state of residency. Consumers who change states (California to other states) will add another layer of complexity. Even if a business decides to implement for one state for now, the solution should be scalable and configurable so that new states can be added in future. This approach will help in the long term and also reduce repeated IT development.
The PI tracking object's record growth will depend on the variety of customer records, the number of customers and the frequency of PI usage. Performance must be considered for optimal design.
The law does not say anything about backup and archival. But if the business has any data backups or archives containing PI data, then they should also be considered for a fool-proof design. This question will be more complex in cloud CRM solutions, where there is typically less insight into the platform vendor's data backup processes and tools.
Although it is not in the law, personally identifiable fields are typically encrypted as a standard practice. Encrypted fields bring their own challenges regarding search capability, indexing, etc. This could have an impact on your existing business processes. A thorough assessment should be done in this regard.
Change management should take the system changes into account when training the resources. Also, review the terms and contracts, and update them as necessary.
Note that the agility of cloud CRM systems in general does allow for making changes quickly with a small investment. An on-premise solution will traditionally take longer to bring into compliance and will be more expensive. However, in both scenarios, integrations with other systems will require changes, which may vary in difficulty and complexity. Hence, assessment and implementation should be planned backward.
1. Bill Text – AB 375 Privacy: personal information: businesses. Retrieved September 10, 2018, from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
2. Personalized Customer Experience Increases Revenue And Loyalty. Retrieved September 25, 2018, from https://www.forbes.com/sites/shephyken/2017/10/29/personalized-customer-experience-increases-revenue-and-loyalty/#5acaa2d34bd6
3. Extreme Personalization Is The New Personalization: How To Use AI To Personalize Consumer Engagement. Retrieved September 30, 2018, from https://www.forbes.com/sites/briansolis/2017/11/30/extreme-personalization-is-the-new-personalization-how-to-use-ai-to-personalize-consumer-engagement/#7c7d30d8829a