Data Privacy Remains an Elusive Goal for Most Organizations

Almost all organizations claim data privacy is mission critical, but customers are skeptical. Only about a third of Americans believe companies are doing a good job of protecting customer data, according to a recent national poll.

Turns out, that may be an overly optimistic evaluation.

New research finds that just 11 percent of companies are fully compliant with data protection requirements mandated by the two-year-old California Consumer Privacy Act (CCPA). Additionally, the Cytrio study found that nearly half of the companies surveyed do not provide any mechanism for consumers to exercise their data rights under the legislation.

That’s not just a regional concern. Although the CCPA is state legislation, it has global reach. It applies to any business that collects data from California residents — regardless of where the business is physically located.

The act, which went into effect on Jan. 1, 2020, places significant limitations on the collection and use of a consumer’s personal information, and it gives consumers more control over how their personal information is used. The act gives California consumers the following rights:

• The right to know. Businesses are obligated to inform customers upfront that their personal information is being collected, what categories of information they are collecting and the purpose of the collection.
• The right to disclosure. Upon receipt of a verifiable request from a customer, businesses must disclose what personal information they have collected on them in the previous 12 months.
• The right to be forgotten. Businesses must delete customers’ personal data upon request, although there are some exceptions.
• The right to opt-out. Consumers can ask businesses not to sell their personal information to third parties.
• The right to equal services and prices. A business may not discriminate against consumers who exercise their rights under the CCPA by denying goods or services or charging a different price or rate for them.

Another piece of legislation, the California Privacy Rights Act (CPRA), will expand and modify key elements of the CCPA when it takes effect on Jan. 1, 2023. Among other features, it will impose data retention limits, broaden the definition of “sensitive data,” and impose new obligations for processing data.

Compliance failures can result in fines of up to $7,500 per violation, which can add up quickly when you consider that data breaches can involve tens of thousands of unique records. Beyond the fines, breaches can also result in civil lawsuits, damaged reputations and lost customers.

Given the consequences of a potential breach, organizations should take stronger measures to ensure the privacy of consumer data. At a minimum, organizations should:

• Ensure that all applications and operating systems are updated with the latest security patches
• Install and update virus protection software
• Provide regular security education for staff members, including training on how to identify phishing emails and suspicious web links
• Restrict users from downloading, installing and running unapproved software
• Maintain and regularly test backup systems and recovery plans

Improving data protection isn’t just about averting negative consequences, however. It can also create important business benefits by building trust and loyalty with customers, reducing sales delays, mitigating losses from data breaches, improving efficiency and innovation, achieving operational efficiency and enhancing data management practices.

Even though most organizations recognize the importance of data privacy, compliance efforts often get placed on the back burner due to limited in-house staff and expertise. Technologent’s rapid CCPA compliance service is designed for such companies. Our experts will assess your current privacy practices and make recommendations using our proven framework based on the Center for Internet Security’s top 20 critical security controls.

Contact us to learn more about data privacy best practices. Or, if you’d like to arrange an assessment of your data privacy controls, just fill out and submit this form on our website.