The California Consumer Privacy Act (CCPA) was signed into law by the Governor of California in June 2018 and took effect on January 1, 2020, with enforcement by the Attorney General beginning on July 1, 2020. The purpose of the act is to hold organizations to account for the way they collect, use, share, and protect consumer data. By virtue of California's economic weight in the United States, the CCPA leaves many companies around the world no choice but to comply. To help prevent the harm of data breaches, accidental exposure, and non-compliance, here are a few tips on how your business can stay on the right side of the regulation.
Hopefully you already know this one by now, but just in case: the onus is firmly on the businesses that collect and process the data of residents of America's most populous state. CCPA applies to any for-profit business that does business in California and meets at least one of its thresholds (as originally enacted: more than $25 million in annual gross revenue; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50% or more of annual revenue from selling consumers' personal information), even if that business is based elsewhere. What matters is the residency of the consumer, not the location of the company.
Knowing what's at stake can help you drive compliance initiatives in your organization. CCPA carries two separate financial exposures that are easy to conflate. First, it creates a private right of action for consumers whose nonencrypted and nonredacted personal information is breached because a business failed to implement and maintain reasonable security: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Because this is per consumer, the total scales with the size of the breach, and a court may weigh factors such as the nature and seriousness of the misconduct when setting the amount within that range. Second, and independently of any breach, the Attorney General can seek civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation.
The act's term is 'personal information', and it is defined broadly: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. That covers names, aliases, postal addresses, unique personal identifiers, online identifiers, IP addresses, email addresses, account names, social security numbers, driver's license numbers, passport numbers, and a multitude of similar identifiers, as well as categories such as biometric, geolocation, and browsing data. Unlike GDPR, CCPA is mostly not consent-based: rather than obtaining consent up front, you must tell consumers at or before the point of collection what you collect and why, honor their right to opt out of the sale of their data (opt-in is required for consumers under 16), and protect what you keep with reasonable security. Encryption and tokenization matter here for a concrete reason beyond good practice: the private right of action for breaches covers nonencrypted and nonredacted personal information, so data that is unreadable when it is stolen falls outside it.
Similar to the rights afforded to EU data subjects under GDPR, CCPA gives California residents the right to know what personal information is being collected about them and how it is used and shared, the right to request its deletion, the right to opt out of its sale, and the right not to be discriminated against for exercising those rights. Privacy notices must therefore be reasonably accessible, including to consumers with disabilities, so that everyone can understand how their data is being used. You may have already noticed that many websites now carry a link in their footers that says "Do Not Sell My Personal Information"; that is a CCPA requirement for any business that sells personal information.
Even where you have a lawful basis to store and process personal data, the data you keep still has to be protected. This is a particular challenge for organizations that process large amounts of personal data, especially if they share that data with third parties, for example by storing it in the cloud or passing it to processors. Ideally, data should be protected the moment it is collected and only decrypted or detokenized when absolutely necessary, for a stated purpose, by a system that is authorized to see the plaintext.
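As an added example (not code from the original post), the following Python sketch shows the protect-at-collection pattern described above using tokenization, one of the controls named earlier: the identifier fields that CCPA treats as personal information are replaced with keyed tokens as soon as a record is ingested, the plaintext lives only in a vault, and detokenization is limited to an allowlisted purpose and audited. The field names, the purpose allowlist, and the sample record are assumptions made for illustration.

```python
"""Field-level tokenization of CCPA personal-information elements at the
point of collection.  Added example; field names, the purpose allowlist and
the sample record are assumptions for illustration, not real data."""
import copy
import hashlib
import hmac
import secrets

# Identifier categories from the CCPA definition of personal information
# (name, alias, postal address, email, IP address, SSN, driver's license,
# passport number, ...).  The record field names themselves are assumed.
PII_FIELDS = frozenset({
    "name", "alias", "postal_address", "email", "ip_address",
    "account_name", "ssn", "drivers_license", "passport_number",
})

# Purposes that may see plaintext again; everything else works on tokens.
# Assumed allowlist for this example.
DETOKENIZE_PURPOSES = frozenset({"fulfil_consumer_request", "payment_processing"})

# Constructed sample intake record (example.com / TEST-NET addresses, fake SSN).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "ip_address": "203.0.113.7",
    "ssn": "123-45-6789",
    "plan": "premium",
    "signup_ts": "2020-01-15T10:22:00Z",
}


class TokenVault:
    """Holds the only copy of plaintext PII; downstream systems see tokens."""

    def __init__(self, key=None):
        # A real deployment keeps this key in a KMS/HSM, not in process memory.
        self._key = key or secrets.token_bytes(32)
        self._store = {}   # token -> plaintext
        self.audit = []    # (token, purpose) for every plaintext access

    def _token(self, field, value):
        # Keyed, deterministic token: the same value always maps to the same
        # token, so analytics can still join and deduplicate without plaintext.
        # Binding the field name stops an SSN token being replayed as an email.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return f"tok_{field}_{mac.hexdigest()[:32]}"

    def tokenize(self, record):
        """Return a copy of record with every PII field replaced by a token."""
        out = copy.deepcopy(record)
        for field, value in record.items():
            if field in PII_FIELDS and value is not None:
                tok = self._token(field, str(value))
                self._store[tok] = str(value)
                out[field] = tok
        return out

    def detokenize(self, token, purpose):
        """Recover plaintext only for an allowlisted purpose; log every access."""
        if purpose not in DETOKENIZE_PURPOSES:
            raise PermissionError(f"detokenization not permitted for {purpose!r}")
        self.audit.append((token, purpose))
        return self._store[token]


def contains_raw_pii(record):
    """Guard for downstream stores: PII fields that still hold plaintext."""
    return sorted(f for f in PII_FIELDS
                  if f in record and not str(record[f]).startswith("tok_"))


if __name__ == "__main__":
    vault = TokenVault()
    safe = vault.tokenize(SAMPLE_RECORD)
    print("raw PII left in record:", contains_raw_pii(safe))
    print("email for a consumer request:",
          vault.detokenize(safe["email"], "fulfil_consumer_request"))
```

The deterministic token keeps the tokenized record useful for joins and deduplication, at the cost of revealing when two records share a value; if that equality leak is unacceptable for a field, switch that field to a random token and keep a reverse index inside the vault. The `contains_raw_pii` check is the kind of guard worth running at every boundary where a record leaves the collection service, including before it is written to a cloud store or handed to a third party.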
In short, if you're GDPR compliant, you're well on your way to being compliant with CCPA, although the two are not identical: CCPA's opt-out of sale, its household-level definition of personal information, and its breach-specific private right of action have no direct GDPR counterpart. For more information, see our previous post on the subject.
The introduction of this regulation means that companies operating in California must be increasingly vigilant about how they handle consumer data. Failure to do so will result in hefty and public penalties. In fact, the introduction of CCPA should be a call to action for businesses regardless of geographical location. Businesses shouldn't wait for security best practice to be legislated before they act. Instead, companies around the globe should take strides to make data more secure by applying a data-centric approach to customer information, securing it across all stages of its lifecycle. Indeed, it may be only a matter of time until privacy acts like CCPA are encoded in federal law, and similar legislation is appearing all over the globe. As data becomes more important and valuable, it will surely be targeted more by criminal organizations. Don't put your business at risk; CCPA should be only a starting point in your journey to total data security.