It is safe to say that 2020 has not gone as planned for nearly anyone. Some things, however, have proceeded on schedule: the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and as of July 1, 2020, the California attorney general can officially enforce it.
No doubt you have seen the news articles and alerts about this new regulation. Some details still need to be finalized, most notably approval of the final regulations by the Office of Administrative Law (OAL). While this has caused some confusion, a June 2 press release made clear that the California attorney general is committed to enforcing the CCPA against violations that are not cured within 30 days of an AG-provided notice of alleged non-compliance.
Let’s look at why this regulation is significant and outline the key steps organizations should take before enforcement actions begin.
Personally Identifiable Information (PII) Protection
The fact is that most organizations are bad at protecting PII, and the problem has grown as technology has multiplied the touchpoints at which data is collected (where, when and how quickly) and the kinds of data an organization can gather. PII is valuable; it has become raw material for manufacturing ever-evolving digital services. Individuals benefit from this in the form of omnichannel experiences, the ability to quickly find the things they want, but there is a dark side as well.
In a previous blog post, I referenced Shoshana Zuboff’s book The Age of Surveillance Capitalism, in which she highlights that “We are now able to impede on individuals’ decision rights through extraction of the human experience for profit and influence.”
You have likely experienced this phenomenon many times: the curious timing of an ad or a sudden email related to something you recently researched (toasters, anyone?). This being an election year, you might also recall events such as the Facebook emotional contagion experiment or the Cambridge Analytica scandal. From a cybersecurity perspective, personal information about particular life circumstances can be used against you to make social engineering far more effective.
Complacency isn’t a strategy – there are fines.
When it comes to the protection of PII, I don’t think organizations are complacent about it. In fact, many are striving to establish sustainable risk management and data protection programs that can adjust to ever-emerging privacy regulations.
However, from a risk management standpoint, we must consider that fines may simply be treated as “the cost of doing business” rather than as a real penalty that drives behavior. This is where the CCPA changes the playing field for organizations that “do business” in California, much as the European General Data Protection Regulation (GDPR) changed it in the EU.
Significantly increasing the potential penalties for non-compliance, and deploying the resources to evaluate and enforce those penalties, is a game changer. A civil penalty under the CCPA can reach $2,500 per violation and $7,500 “for each intentional violation.”
Because penalties are assessed per violation, they accumulate quickly. If a CCPA violation involves 100 consumers, the civil penalty could be up to $250,000, or up to $750,000 if the violations are intentional. Separately, the CCPA’s private right of action for data breaches resulting from a failure to maintain reasonable security allows statutory damages of $100 to $750 per consumer per incident, so breach exposure scales the same way. Add the fact that existing cyber insurance policies may not cover some CCPA exposures, and these potential penalties begin to shift the risk/reward balance.
So what key steps should organizations be taking before enforcement begins?
- Ensure public-facing privacy policies are up to date and account for CCPA.
- Catalog your data collection processes and ensure that consumers are informed, at or before the point of collection, of the categories of personal information collected and the purposes for which each category will be used.
- Develop and maintain process flows and data maps for data collection and data processing activities.
- If your organization sells personal information, ensure a “Do Not Sell My Personal Information” link appears on your websites. If it does not sell personal information, state that clearly in the privacy policy.
- Maintain procedures to track and respond to consumer requests. Unless an organization operates exclusively online, it must offer at least two request methods (for example, a toll-free number plus an email address or online form).
- Provide appropriate training to individuals responsible for handling customer inquiries and ensure they know how to respond to information requests.
- Those procedures must also include a reasonable method to verify that the person making a request is the consumer whose personal information is at issue (or that consumer’s authorized agent) before any information is disclosed or deleted.
- Evaluate service provider agreements to ensure that agreements enable compliance with CCPA.
Privacy regulation continues to evolve globally. The good news is that the regulations taking effect are more alike than they are different. The CCPA is well positioned to force a change in behavior in the U.S., and it just might be the impetus for organizations to build a holistic privacy management program.
John Clark is executive director in the Office of the CISO at Optiv Security.