Ensuring the safety and integrity of personal data is the impetus behind a string of recent legislation that places the responsibility for safeguarding personal information on the entities that collect and hold it. The California Consumer Privacy Act (CCPA) is just one of many new privacy and data protection laws taking effect in the US, the EU and across the world. While the European Union’s General Data Protection Regulation (GDPR) has captured considerable attention, with European regulators levelling stiff fines on the likes of Google, Facebook, British Telecommunications and Equifax, lawmakers in the U.S. have also moved to hold organizations accountable for how they safeguard the privacy of consumers, employees, shareholders and the general public.
If you’ve been waiting to see how the California Consumer Privacy Act may affect your business, the time for waiting has passed. Signed into law in June 2018 and amended that September, CCPA took effect on January 1, 2020 (with enforcement by the California Attorney General beginning July 1, 2020), and provides the most sweeping, comprehensive and empowering consumer privacy rights in the country.
Technological innovation and concerns about privacy in an age of data breaches, social media and surveillance have left consumers understandably worried about whether companies are willing and able to protect the integrity of their personal data. Deployments of AI, blockchain, robotic process automation, the Internet of Things and similar technologies bring new uses of personal data, and new privacy concerns with them. Data breaches and hacks have led to adverse media attention, business disruption and erosion of customer trust. From the consumer’s perspective, CCPA is intended to let California residents learn what personal information is collected about them and to control its dissemination. The Act defines personal information broadly: names and aliases, physical and email addresses, telephone numbers, account or policy numbers, social security numbers, driver’s license numbers, passport numbers, online identifiers such as IP addresses, and a host of other financial and medical data that can reasonably be linked to a consumer or a member of their household.
The Act sets requirements that regulate, and attempt to limit, the sale of consumer personal information (PI). These restrictions apply to for-profit businesses that do business in California and meet any one of the following thresholds:
- Annual gross revenues in excess of $25 million
- 50% or more of annual revenues derived from selling consumers’ personal information
- Annually buy, receive, sell or share, for commercial purposes, the personal information of 50,000 or more California consumers, households or devices
Not only does the law allow residents to know what data has been collected about them, it also lets them learn whether their personal information has been sold or disclosed, and to whom. In addition to accessing their information, consumers can opt out of the sale of their personal data and request that it be deleted, and the Act stipulates that all customers be treated fairly and equally when exercising their right to privacy: companies can’t charge more, deny service, or reduce the quality of service for customers who exercise their rights under the Act.
The costs of non-compliance are severe. The Act requires businesses to implement and maintain reasonable security procedures to protect consumer data, and it carries two separate kinds of liability. Civil penalties, enforced by the Attorney General, are assessed per violation and run up to $2,500 per unintentional violation or $7,500 per intentional violation. Separately, consumers whose non-encrypted and non-redacted personal information is exposed in a breach caused by a failure to maintain reasonable security can sue directly for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, so a breach affecting thousands of residents multiplies those figures accordingly. Negative media coverage can also damage the organization’s standing with current and prospective customers, and incidents or breaches of personal information may result in lawsuits and other legal proceedings.
In practice, the Act’s implications reach beyond the borders of California. Companies doing business in the state will incur significant costs to update their business practices and systems, including websites and other internet presence, in order to comply with the new law. They should also anticipate a wave of costly consumer-driven litigation, both legitimate and frivolous.
Identifying customer personal data across your organization to comply with CCPA is not a quick process, and knowing how and where to begin is a challenge. While the specifics vary from company to company, steps to consider include:
- Identify ordinary business operations and their data requirements
- Understand key systems, current policies and procedures, and data control issues
- Interview key stakeholders
- Understand the processes needed to document data flows
- Prepare data lifecycle maps where necessary
- Create initial data catalogs and preliminary data sensitivity charts
- Understand mobile device management
- Scan the network (file shares, mailboxes, databases and endpoints) for PI
- Perform walkthroughs at every stage of the data lifecycle
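As an added example (not part of the original post, and not a Sherpa Software tool), here is a small Python scanner of the kind the "Scan the network for PI" step implies. It pattern-matches a few CCPA identifier types across sample file contents, filters the worst false positives with structural checks (a Luhn check for card numbers, the SSA area/group/serial rules for social security numbers), and reports only masked values so the inventory itself does not become another unprotected copy of the data. The file paths and contents are constructed for illustration; the card number is the well-known Visa test number and the SSN is the SSA's own sample value.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for content pulled from a share or
# mailbox. None of these are real records.
SAMPLE_FILES = {
    "hr/onboarding.txt": (
        "New hire Jane Doe, SSN 123-45-6789, phone (415) 555-0134, "
        "email jane.doe@example.com"
    ),
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "ops/runbook.md": "Restart with `systemctl restart web`; ports 443-8080 are reserved.\n",
}

# Candidate patterns. Regexes alone are noisy; the validators below prune them.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "us_phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, spaces/dashes allowed
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = ssn.split("-")
    if area in {"000", "666"} or area >= "900":
        return False
    return group != "00" and serial != "0000"


VALIDATORS = {
    "ssn": ssn_plausible,
    "card": lambda v: luhn_ok(re.sub(r"\D", "", v)),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked: str  # never the raw value: reports should not be another PI store


def mask(kind: str, value: str) -> str:
    """Keep just enough to locate the record again (last four digits / domain)."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                check = VALIDATORS.get(kind)
                if check is not None and not check(value):
                    continue  # structurally impossible; drop the false positive
                findings.append(Finding(path, line_no, kind, mask(kind, value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping; a real run would walk shares/mailboxes."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}  {f.kind:8s}  {f.masked}")
    print(summarize(results))
```

The second card number in the constructed CSV is dropped because it fails the Luhn check, and the port range in the runbook matches nothing, which is the point of pairing each regex with a validator: a raw-regex sweep of a large file share produces far more noise than signal. In a real deployment the same `scan_text` function would be fed by whatever walks the file shares, mailboxes and databases, and the masked findings would go into the data catalog from the earlier steps.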
The good news is that you don’t need to reinvent the wheel. Companies with expertise and experience in data discovery and governance are out there. If you’d like to learn more about how to locate sensitive information in your organization, or about other strategies for effective data governance, contact Sherpa Software today. We offer a range of solutions to identify personal data across your enterprise – in email, file shares and beyond – with the capability to move, copy, quarantine or delete it.