December 21, 2020 — The California Consumers Privacy Act (CCPA) took effect January 1, 2020, and enforcement was slated to begin July 1, 2020. COVID-19, however, has impacted the law's rollout, causing companies to not implement the law and leaving many consumers without its protections. "With, or without COVID, there's a lack of understanding about CCPA," says Jon Mendoza, Chief Information Security Officer for Technologent. "For instance, one aspect of CCPA is you have to inform your third-party partners of a consumer's request—the onus is on you, not the consumer."
The CCPA allows consumers access to the information a company has on them, as well as the list of other groups that the company has shared or sold the same information. If a company violates these rules, a consumer has the right to sue.(1) According to Risk Based Security research, more than 4 billion records were exposed due to data breaches in the first half of 2019, from more than 3,800 publicly disclosed breaches.(2)
Meanwhile, several states have proposed or enacted similar legislation as the CCPA and the European Union's General Data Protection Regulation (GDPR). Some of these laws, like Nevada's, are even tougher than California's.(3) Furthermore, it is expected that President-elect Joe Biden will consider a federal privacy protection act as political pundits have pointed out, given Vice President-elect Kamala Harris' actions while she was the Attorney General of California and as a U.S. Senator.(4) "What began in California will continue steamrolling the nation and will most likely end up becoming a federal law. However, legislators have to allow for national emergencies, like the COVID pandemic, and ensure that even in the midst of such emergencies, the law takes effect and is upheld. The security of the nation and its citizens demands it," Mendoza said.
However, Mendoza explains, in the meantime, states have to push for stricter laws. According to published reports, currently, 47 states of the Union have weak or nonexistent data privacy laws. Almost 90 percent of the United States population uses the internet, but only California, Nevada and Maine have enacted strong consumer data privacy laws.(5)
Was COVID-19 an Obstacle?
While COVID-19 has resulted in many delays and pushbacks of regulatory deadlines, this has not been the case for the CCPA. California's Attorney General Xavier Becerra has stated his intention to make an example of any company that isn't trying to comply with the new law.(6) But the regulations may be more necessary than ever, with more companies increasing the data they are gathering about customers and employees, such as movement tracking and temperatures to screen for COVID-19.(7)
Technologent offers a master class that walks companies through compliance with the CCPA regulation to explain the law and how it affects their organization and the consumer, including the top 20 security assessment around data classification. To comply with CCPA, companies need to understand their information lifecycle, how they create their data, how it's shared among work groups, how it's stored and more. Understanding a company's technology capabilities for securing their infrastructure is key. "If your infrastructure is not secure, you could be vulnerable, not just to data exfiltration but ransomware—everything is interconnected with cybersecurity," Mendoza says. He cautions that there has been a significant increase in ransomware attacks that companies should be preparing for sooner rather than later.
While the pandemic may have caused companies to focus on setting up their workforce for remote working situations, rather than working to comply with the CCPA, they should prioritize making their programs compliant.
"There is a change coming—whether it's at the state or federal level remains to be seen—but I do believe 2021 is going to be the year when data privacy will be the top priority in the technology industry, and those who are lagging behind will pay a hefty price," Mendoza concludes.
Technologent is a Global Provider of Edge-to-EdgeTM Information Technology Solutions and Services for Fortune 1000 companies. They help companies outpace the new digital economy by creating IT environments that are fast, flexible, efficient, transparent and secure. Without these characteristics, companies will miss the opportunity to optimally scale. Technologent mobilizes the power of technology to turn vision into reality, enabling a focus on driving innovation, increasing productivity and outperforming the market. Visit http://www.technologent.com.
- Korolov, Maria; California "Consumer Privacy Act (CCPA): What you need to know to be compliant"; July 7, 2020; CSO; csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
- Winder, Davey; "Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019"; August 20, 2019; Forbes; forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/?sh=386da1bcbd54
- Brumfield, Cynthia; "11 new state privacy and security laws explained: Is your business ready?"; August 8, 2019; CSO; csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.
- The National Law Review; "Election 2020: Looking Forward to What A Biden Presidency May Mean for Data Privacy and Data Privacy Litigation"; 12 November 2020; natlawreview.com/article/election-2020-looking-forward-to-what-biden-presidency-may-mean-data-privacy-and; Accessed 14 DEC 2020
- Turner, Gabe and staff' "47 States Have Weak or Nonexistent Consumer Data Privacy Laws"; 14 April 2020 (updated 16 April 2020); Security.org; security.org/resources/digital-privacy-legislation-by-state/
- Wilburn, Jessica; "CCPA, Regulatory Enforcement & COVID-19: What You Need to Know"; June 25, 2020; JDSupra; jdsupra.com/legalnews/ccpa-regulatory-enforcement-covid19-12807/
- Milligan, Robert B.; "The Impact of COVID-19 on the California Consumer Privacy Act"; April 7, 2020; Seyfarth; seyfarth.com/news-insights/the-impact-of-covid-19-on-the-california-consumer-privacy-act-2.html
Heather Somerville Gonzalez
VP, Global Communications and Strategic Alliances