A new survey from Akamai looked into. how consumers are using new rights granted by the California Consumer Privacy Act.
Image: Akamai

Companies often rely on manual processes to respond to some of the most common data privacy requests from consumers, according to a new survey from Akamai.

Akamai conducted a small survey of US companies to understand how the California Consumer Privacy Act has changed the behavior of customers and companies. As privacy laws continue to pop up across the US, consumers are taking advantage of the new laws to understand what personal data companies collect and how this data is used. Responding to these requests can be laborious because the data is stored in multiple locations within a company and shared with third party vendors as well.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

The top two inquiries from consumers under the new law were requests to access personal data and requests to delete that data with 54% of survey respondents selecting those two responses. Respondents could select multiple answers. Opting out of the sale of personal data and explaining what data is being collected were the next most common answers at 50% each.

The survey also asked about which processes are automated, which are manual, and which required a mix of both. The processes most likely to be manual are:

  • Requests to delete customer identity data: 36%
  • Requests to understand what kind of data is collected: 28%
  • Requests for access to this data: 25%

Companies were most likely to have automated the ability for a customer to opt out of having their data sold. Disclosing the sale of data to third parties was the task most likely to be a mix with 55% of respondents indicated that.

Akamai’s Advisory CISO Steve Winterfeld said that because there is no one repository for customer data, companies are turning to customer identity and access management tools to comply with CCPA and other data privacy rules.

“You could one have person’s identity spread across multiple databases,” he said. “These platforms make it easy to make a change in one place and it will push it out to everyone.”

Winterfeld said that the challenge is working with existing IT infrastructure to comply with privacy laws.

“Companies will have to change what data they collect and how they store it,” he said.

Akamai’s Identity Cloud Security platform provides access to customer data and compliance with the appropriate privacy laws.

“We consolidate the data to create a master source of truth and we’re moving where companies want to move by putting the customer in charge of the data,” he said. “With this access, a customer can come in and update the data or take whatever action they want to take.”

The survey also asked companies who is responsible for privacy issues at a corporate level. The answer were:

  • Chief information officer: 32%
  • Chief technology officer: 29%
  • Chief legal officer: 18%
  • Chief customer officer: 9%
  • Chief privacy officer: 8%
  • Chief marketing officer: 3%

Winterfeld said the diversity of owners shows that privacy is a team sport. The legal team has to make sure policies are written correctly, the cybersecurity team has to make sure the IT architecture supports compliance, and the marketing team has to consider how they gather data and who they hire to analyze the data.

In a blog post about the new survey, Winterfeld recommends that companies map the requirements across local, state, and international laws and then figure out how to operationalize the compliance program.

The results in this report are from an online survey that was fielded from May 19 to June 4, 2020. It had 120 responses.