Stiff penalties await companies that fail to protect consumer data
2018 may go down in history as the year of data privacy. A mere month after the European Union’s General Data Protection Regulation (GDPR) became enforceable in May – reshaping how organizations worldwide handle personal data – California followed suit with the California Consumer Privacy Act (CCPA).
The CCPA’s sweeping privacy requirements are groundbreaking in the United States and not surprising from California, the center of the U.S. tech industry and traditionally the pacesetter for tech law. With the law taking effect on January 1, 2020, the clock is ticking for companies to understand how CCPA requirements change the way they do business.
While the GDPR and CCPA have some similarities, their approaches differ: the CCPA focuses on consumer privacy rights while the GDPR takes a broader look at how businesses need to handle data security, management, and portability. Together, however, these laws establish the fundamental principles companies can expect from future privacy regulations.
But with less than a year before the CCPA takes effect, only 14 percent of companies are compliant – and a whopping 44 percent haven’t even started the implementation process, according to a Help Net Security report. Here’s what you need to know about getting ready for the CCPA:
What is the CCPA?
California’s data privacy law was passed in the wake of the Cambridge Analytica scandal of 2018, in which a British political consulting firm harvested personal data from millions of Facebook profiles without consent and used it for political targeting.
In today’s digital world, it’s well-known that businesses are stockpiling personal information, from your current location to how many children you have to your web browsing history. That data is used for an array of purposes, including targeted ads, sale to interested parties, and even to discriminate against certain consumers based on price or service level.
These practices – combined with the devastating effects people often suffer after companies that store their information are hit by a data breach – are creating a hyper-focus in consumer and legislative circles on digital footprints and confidentiality.
Similar to the GDPR, the CCPA attempts to end privacy abuses by granting consumers specific privacy rights and by requiring businesses within its scope to be transparent about how they collect, use, and disclose personal information.
The new law expands the traditional definition of personal information to include, for instance, IP addresses, cookies and other unique identifiers linked to an individual or household, and inferences drawn from such data. It permits businesses to offer financial incentives for the collection or sale of personal information, and it requires businesses that sell personal information to add a “Do Not Sell My Personal Information” link to their websites so that consumers can opt out of having their data sold to third parties.
It also creates a private right of action for consumers whose nonencrypted and nonredacted personal information is exposed in a data breach caused by a business’s failure to implement and maintain reasonable security, and it authorizes the California Attorney General to seek civil penalties of up to $2,500 per violation of the Act, or up to $7,500 per intentional violation.
Here are the CCPA’s main objectives:
- Consumers have the right to know what personal information a business collects about them, the sources it came from, the business purpose for collecting or selling it, whether it is sold or disclosed, and the categories of third parties it is shared with or sold to.
- Consumers have the right to tell businesses not to sell their personal information. The law also borrows the GDPR’s concept of the right to be forgotten: consumers can ask a business to delete the personal information it collected from them, subject to exceptions such as completing a transaction the consumer requested, detecting security incidents, or meeting a legal obligation.
- Businesses may not discriminate against consumers for exercising these rights, for example by denying service, charging a different price, or providing a lower level of service, unless the difference is reasonably related to the value of the consumer’s data.
- The CCPA backs its reasonable-security expectation with statutory damages: a business that collects California consumers’ personal information and fails to protect it can be sued directly by the affected consumers after a breach, on top of any Attorney General enforcement.
If my business isn’t located in California, does it need to comply?
Like the GDPR, the CCPA does not require a physical presence in California. Any for-profit business that collects California residents’ personal information, does business in California, and meets at least one of these three thresholds must comply:
- Has annual gross revenue greater than $25 million
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
If my business is compliant with the GDPR, is it also compliant with the CCPA?
No, but you’re ahead of the game. There are similarities between the two laws, and compliance with the GDPR creates an easier path to meeting CCPA requirements.
What will the compliance cost?
Help Net Security reports that 71 percent of companies expect to spend more than six figures on CCPA compliance, and 1 in 5 expect to spend more than $1 million. Companies that did not take steps to meet the mandates of the GDPR are likely to experience the greatest costs, with nearly 80 percent saying they anticipate spending more than six figures to comply.
What immediate steps should my business consider?
- Inventory and map in-scope personal data, as well as instances where data is sold.
- Reassess reasons for processing data, and ensure that storage and processing activities align with the law.
- Put processes in place that can quickly provide access to, and delete, data requested by consumers. The law gives you 45 days to respond to a verifiable consumer request, so the process needs a ticket-style record of each request, the identity verification performed, and the action taken, kept in an easy-to-recall repository.
- Update privacy policies and notifications to meet the mandates of the CCPA. To avoid confusion, consider creating separate policies for California residents and for European Union data subjects.
- Proactively disclose if personal data is sold, including exchanges that are for something of value other than money.
- Create protocols that enable consumers to opt-out of data selling and ensure that consumers are not asked to change this selection for 12 months.
- Pay careful attention to data belonging to minors. A business that knows a consumer is under 13 may not sell that child’s personal information without a parent’s or guardian’s affirmative opt-in, and that consent must be recorded. Consumers who are at least 13 and under 16 can opt in themselves. The law treats willful disregard of a consumer’s age as actual knowledge of it, so put an age-screening step in place before collecting data rather than assuming everyone is an adult.
- Update contracts with service providers and other third parties that handle your data to reflect CCPA requirements. You should know the entire lifecycle of any data you collect, process, and use, and you need to confirm that the service providers you rely on are themselves compliant with the law.
- Remediate information security gaps and vulnerabilities. The CCPA’s breach provision hinges on a business’s duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The statute does not define “reasonable,” but the California Attorney General’s 2016 Data Breach Report stated that failing to implement all of the CIS Critical Security Controls that apply to an organization’s environment constitutes a lack of reasonable security, which is the closest thing to a published baseline. Two practical checks follow: encrypt or redact personal information at rest, because the private right of action covers only nonencrypted and nonredacted data; and be able to document that controls were actually implemented and maintained, since that failure is what a plaintiff must allege. Bare-minimum measures are unlikely to hold up against the attacks that routinely hit American companies, leaving you open to accusations of non-compliance. Data loss prevention technology, strong insider threat mitigation practices, and other detection capabilities can help you spot and stop threats before they become a full-blown breach.
What are the penalties for non-compliance?
As under the GDPR, unprotected data comes at a cost under the CCPA. The law details penalties that may be applied when companies expose private information or otherwise fail to meet their privacy and security obligations. With the exception of the data breach right of action, these penalties can only be enforced by the California Attorney General.
A consumer whose data is exposed in a breach can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if those are greater, without having to prove the breach harmed them; awards rise if they can prove actual harm. The Attorney General can seek civil penalties of $2,500 per violation, increasing to $7,500 if the violation is deemed intentional.
The law does, however, give a business 30 days after written notice to cure a violation. If the violation is cured, the Attorney General cannot seek a penalty for it and the consumer cannot pursue statutory damages for it, although the cure period does not bar a suit for actual damages.
The bottom line
Privacy laws are changing across the globe, and businesses need to pay close attention to avoid hefty fines and maintain consumer trust. Protecting sensitive data is a leading concern for any company that must meet the mandates of the CCPA. A cutting-edge cybersecurity provider can help your organization implement robust measures that keep your customers’ sensitive information protected against cybercrime.
CyberGuard360 is trailblazing a new software category with CyberGlass, the first and only cybersecurity product on the market to combine all the elements of a complete cybersecurity program in a single interface. To learn more about its full suite of features, including behavior analytics, next-generation endpoint protections, and scripted and automated response through a machine learning engine, call us at 844-315-9882 or use our contact form for a free consultation.