As Featured on Yahoo! Finance:
As CCPA redefines the power dynamic between consumers and businesses in California and across the nation-- global IT and security provider Technologent says businesses in every sector must catch up on education and clear plan implementation to avoid regulatory and financial disaster.
The stakes couldn't be higher for businesses in terms of personally identifiable information (PII) data security, implementation, and disclosure to avoid CCPA disasters. With the Attorney General (AG) starting enforcement in July 2020, covered businesses must have appropriate solutions implemented and working. Security and IT experts like Technologent field CISO, Jon Mendoza, says that's a tall order for a short time frame. "CCPA is an unprecedented shift in consumer data protection for California businesses and those around the country where getting it wrong can mean fines in the millions that can permanently cripple a business," explained Mendoza.
CCPA requires that covered businesses put mechanisms in place for consumer right to access, the right to delete, the right to opt-out (or opt-in for 16 and younger), and the other requirements of the California privacy law. Civil penalties from the AG can start at $2,500 per violation and go as high as $7,500 if deemed willful intent. (1) This can be extrapolated by thousands of customers under the same violation, which can mean an astronomical collective fine. While the recent Salesforce data breach is the first test of the law, it will certainly not be the last. (2)
CCPA Compliance a Moving Target for Businesses
Estimates put CA businesses covered under CCPA at 75%, but many businesses across the country also meet the regulatory threshold for mandatory compliance with huge customer bases in the state. More importantly, CCPA is only the start as over 150 new consumer privacy bills were introduced in 25 states and Puerto Rico in 2019. (3) Then there is also the ongoing push for a federal law legislation. (4)
Adding to the complexity and confusion for businesses are the ongoing amendments to the legislation. (5) The potentially heavy burden of process and technology implementation to meet CCPA regulations is made even greater by the constant changes before the looming July 1, 2020 enforcement deadline. According to Mendoza, businesses should start their compliance journey by adopting NIST Cybersecurity Framework rules, which helps them to think in terms of risk and adapt to a future of legislative privacy changes. (6)
Companies are employing technology and automation for CCPA data discovery and workflow software among other types at higher rates than for GDPR. (7) That's because the process of making sure a business is compliant is complex. But it starts with putting data management controls in place to protect its operations from falling outside the scope of CCPA guidelines. Time and technology-consuming steps like mapping data flows, strengthening data security controls, and developing/implementing consent records are just the beginning.
Things get more complex with development of data collection/retention policies and the technologies that make it possible. The same goes for internal and external access polices and breach notification policies and audits. Then there are the mobile and website updates, cloud strategy integration, and the crucial workflow and systems creation for managing data rights requests.
Making CCPA Compliance A Reality
One example of out-of-the-box solutions are cloud providers like AWS with robust CCPA compliance options available. The challenge here is businesses must have a clear security plan that integrates with their cloud strategy and an accurate understanding of how to implement the controls. By taking a data centric approach, business can begin the work of categorizing data, setting usage guidelines, developing privacy policies and implementing the technology tools to handle assessment and usage guidelines.
A PWC study shows that many CA companies are restricting their CCPA rights to Californians. Recent percentages for this approach range from 55% to 75% of health, finance, consumer, technology/media telecom, and industrial products/services companies for now. (7) Many cite cost and complexity as the reasoning.
Despite its good intentions, CCPA is still an evolving law, which means there are numerous vagaries that can trip up a business until they are clarified. Even the process of clarification and evolution of the law is making preparation a greater challenge between now and July 1, 2020. On February 10, 2020, the California Attorney General published updated proposed CCPA regulations. (8) These encompass notice of collection, mobile applications, accessibility and a host of other aspects of the law.
There is no definitive industry standard compliance examination currently in place. This essentially leaves businesses on their own in developing a means for implementing and showing how they are meeting consumer privacy needs and adhering to the PII data compliance law. "It's clear that even larger enterprises with unlimited resources and security support have trouble getting it right," said Mendoza. If you're going it alone or just hoping to skate by, your risking your entire business."
About Technologent
Technologent is a Global Provider of Edge-to-EdgeTM Information Technology Solutions and Services for Fortune 1000 companies. We help our clients outpace the new digital economy by creating IT environments that are fast, flexible, efficient, transparent and secure. Without these characteristics, companies will miss the opportunity to optimally scale. Technologent mobilizes the power of technology to turn our clients' vision into reality, enabling them to focus on driving innovation, increasing productivity and outperforming the market. For more information, please visit http://www.technologent.com.
- Keir Thomas Bryant. "CCPA Non-Compliance: What Are the Penalties." Sage, February 3, 2020, sage.com/en-us/blog/ccpa-non-compliance-penalties/#gate-ab515c6e-7e90-4c2f-a67e-113872516e8b
- Daniel Stoller. "Salesforce Data Breach Suit Cites California Privacy Law." Bloomberg Law, February 4, 2020, news.bloomberglaw.com/privacy-and-data-security/salesforce-data-breach-suit-cites-california-privacy-law
- 2019 Consumer Data Privacy Legislation, National Conference of State Legislatures, February 3, 2020, ncsl.org/research/telecommunications-and-information-technology/consumer-data-privacy.aspx
- Zack Whittaker. "A new Senate bill would create a US data protection agency." TechCrunch, February 14, 2020, techcrunch.com/2020/02/13/gillibrand-law-data-agency/
- Christopher J. Buontempo. "Analysis of Attorney General Regulations to the CCPA (as Updated February 10, 2020) – Part 1: Notices to Consumers" National Review, February 13, 2020, natlawreview.com/article/update-analysis-attorney-general-regulations-to-ccpa-updated-february-10-2020-part-1
- NIST Cybersecurity Framework, National Institute of Standards and Technology. nist.gov/cyberframework
- "How Are Companies Preparing for CCPA," Price Waterhouse Coopers, October 30, 2019
PWC CCPA Watch, Price Waterhouse Coopers, February 2020, pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html
- Christopher J. Buontempo. "Analysis of Attorney General Regulations to the CCPA (as Updated February 10, 2020) – Part 1: Notices to Consumers" National Review, February 13, 2020, natlawreview.com/article/update-analysis-attorney-general-regulations-to-ccpa-updated-february-10-2020-part-1