Comparisons have already been drawn between the California Consumer Privacy Act (CCPA) and GDPR, calling it ‘the GDPR for California residents.’ Drawing a comparison to PCI DSS, as the title suggests, may raise some eyebrows. Yet the protection of the privacy and personal information of California residents, as broadly defined in CCPA, has core components that are comparable to both GDPR and PCI DSS.
In June 2018, California became one of the first U.S. states to enact a comprehensive consumer privacy law known as the California Consumer Privacy Act (CCPA), which became effective January 1, 2020. For organizations that collect and process personal data, CCPA is expected to have significant impact. CCPA gives California residents new rights regarding personal information and imposes new data protection responsibilities on organizations conducting business in California.
Your company is probably conducting business with California residents, or is conducting business in the state of California. With some exceptions, your company may be required to comply with the code listed in CCPA. Also, your organization may already be responsible for other data privacy and data protection requirements which will need to be reviewed, to ensure compliance with CCPA.
Many describe the terminology used in CCPA as ‘broad,’ leaving room for much legal debate. Nonetheless, three key areas pertaining to the privacy of personal information and data protection duties are comparable to GDPR and PCI DSS:
Not addressing these areas may leave your organization open to questions, inquiries, or possible legal action. This is because CCPA allows consumers to institute civil action against businesses when their personal information is left unprotected and is subjected to unauthorized access as a result of failure to implement those ‘reasonable security procedures and practices.’
It's useful to understand what is considered personal information and what data protection responsibilities your organization is required to have, as data privacy regulations such as CCPA may be the ‘tip of the regulation-iceberg.’ Several other states in the U.S. are already planning their own data privacy laws, and there are rumors of a federal data privacy regulation in the works.
Starting in 2004, the Payment Card Industry Security Standards Council (PCI SSC) published a consolidated Data Security Standard (DSS) to protect cardholder data. Since then, the PCI DSS requirements have been revised and updated continually to respond to evolving threats to cardholder data.
Currently on version 3.2, with talk of 4.0 planned for release in the next few years, PCI DSS requirement 3.4 stipulates that primary account numbers (PANs) must be rendered unreadable anywhere they are stored. The requirement specifies that data stored in files and databases can be protected with encryption, tokenization, truncation, or one-way hashes. A further requirement, requirement 4, calls for similar measures to protect cardholder data transmitted over open, public networks. Data can be taken out of scope if it is properly protected, for example with tokenization.
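As an added illustration (not code from the original article), the snippet below shows two of the methods requirement 3.4 permits for stored PANs: truncation, which discards the middle digits outright, and a keyed one-way hash of the entire PAN. The PAN and key are constructed placeholders; the caveat a practitioner should note is that an unkeyed hash of a PAN is weak because the PAN space is small enough to brute-force.

```python
import hashlib
import hmac
import re

# Constructed placeholder key; a real deployment fetches it from a key manager.
HASH_KEY = b"placeholder-key-from-a-key-manager"

# Constructed sample PAN (a widely used test number that passes the Luhn check).
SAMPLE_PAN = "4111111111111111"

_PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects strings that are not well-formed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation per PCI DSS 3.4: keep at most the first 6 and last 4 digits.

    Unlike display masking, the dropped digits are not stored anywhere,
    so the stored value cannot be reversed to the full PAN.
    """
    if not _PAN_RE.fullmatch(pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the entire PAN.

    With a known 6-digit BIN only about 10^9 PANs remain, so a plain SHA-256
    could be brute-forced from the digest; the secret key keeps the hash
    one-way for anyone who does not hold it. Equal PANs still produce equal
    digests, so lookups by PAN keep working.
    """
    if not _PAN_RE.fullmatch(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
```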
As previously stated, businesses must use ‘reasonable security procedures and practices’ to protect personal information or risk legal action, should a consumer’s unprotected data become exposed in a data breach.
PCI requirements are deemed ‘reasonable security practices and procedures’ by most professionals in the payments industry. Consequently, applying the key data security requirements from PCI DSS to CCPA, to include personal information beyond payment card data, may help fulfill the data security responsibilities in CCPA.
The General Data Protection Regulation (GDPR) is the latest version of a data privacy law that originated as the Data Protection Directive (DPD), which was first published in 1995. For residents within the European Union, keeping personal data private has been a high priority for many years.
Both CCPA and GDPR focus on the rights of consumers rather than on prescriptive requirements an organization must follow. Businesses then need to interpret those rights and determine how to give effect to them. The definitions of who and what information must be kept private are similar, and both laws list comparable consumer rights: the right of disclosure or access, the right to data portability, the right to deletion, and obligations for responding to rights requests.
The GDPR requires all organizations handling any personal data of individuals residing in the EU to bolster their data management and security strategy. This includes organizations based outside of the EU that handle data of EU residents, which means your organization may already have a GDPR policy in place. CCPA, of course, is focused on individuals residing in California but is similar to GDPR regarding the requirement for maintaining data privacy. This requirement also applies to organizations based outside of California who conduct business in the state or maintain personal data for California residents.
Both CCPA and GDPR describe pseudonymizing and anonymizing personal information as ways to preserve data privacy and to reduce the possibility of re-identification.
Data-centric security focuses on placing data protection on the data itself. Since security travels with the data, the risks are greatly reduced for data exposure due to a data breach. Data-centric security addresses the core concerns of keeping data private (CCPA and GDPR), rendering data unreadable while in storage and in transit (PCI DSS), and deploying ‘reasonable security procedures and practices’ (CCPA).
We have a white paper written in conjunction with our partner, CyberEdge, which goes into further detail regarding how data security enables cross-regulatory compliance. Grab a complimentary copy at the link below:
As with all compliance requirements, regulations, and laws, it is important for your organization to have all the facts and proper information when making decisions.