Here Comes CCPA
Ready Or Not, Here It Comes!
As of publication, there are 147 days left until CCPA and SB-327 come into effect. If you are not familiar with these two acronyms, you’ll want to listen up. With these two new regulations, the State of California is about to surpass the European Union for the strictest cybersecurity and consumer protection regulations in the world, including massive potential fines for organizations that fail to secure the personal data of their customers.
CCPA: California Consumer Privacy Act
Following in the footsteps of The European General Data Protection Regulation (GDPR) which went into effect on May 25, 2018, CCPA is America’s first — and most aggressive — state data privacy law designed to hold organizations responsible for protecting personal information and private data of California residents doing business with that organization.
“A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
3 Key Components Of CCPA
- Gives Consumers Ownership: Protects a consumer's right to tell a business not to share or sell their personal information.
Under this section of the regulation, a consumer has the right to know what personal information an organization is gathering about them, their devices and their children — and the right to say NO to the collection and storage of that data. If a business collects a consumer’s personal information, it has to disclose, once a year and free of charge, what information has been collected. If a business sells a consumer’s personal information, it has to tell the consumer what categories of personal information it is selling and to whom it sold the information.
- Gives Consumers Control: Lets consumers gain control over the personal information that is collected about them.
- Gives Consumers Recourse: Holds businesses responsible for safeguarding consumers’ personal information.
This is where CCPA gets serious — fines and penalties for violations are increased so the law finally has the teeth needed to hurt businesses that don’t take data security seriously. Intentional violations of CCPA can bring civil penalties of up to $7,500 for each violation and up to $2,500 for other violations. While further clarification is still needed on how fines will be doled out, if a violation is assessed for each consumer whose personal data is impacted by a data breach, the fines for a massive data breach could easily reach billions of dollars because there is no cap on the fines levied.
Most Small Businesses Are Exempt
CCPA applies to any for-profit entity that collects consumers’ personal data, does business in the state of California and satisfies at least one of the following thresholds: 1) has annual gross revenues in excess of $25 million; 2) possesses the personal information of 50,000 or more consumers, households or devices; or 3) earns more than half of its annual revenue from selling consumers’ personal information.
SB-327: Information privacy for connected devices
“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
As we previously wrote, California’s new IoT device regulation — which also goes into effect on January 1, 2020 — requires the manufacturer of any device with an IP or Bluetooth address to put “reasonable” new security measures in place to protect the device and any information contained on that device. While this is a good first step, there is a lot of room for interpretation of what is considered “reasonable,” and there are no specified penalties for lack of compliance at this time. However, in conjunction with CCPA, manufacturers should take note of the potential impact on their organizations for any missteps if they plan to continue doing business with California residents.
How Should You Prepare for January 1, 2020?
Unlike with the GDPR deadline, you are unlikely to receive a slew of updated privacy policies hitting your inbox on December 31st. But, as a consumer, you SHOULD notice the emergence of new “opt out” boxes on websites asking to collect or store any of your personal information.
From a business perspective, the key to success is 1) know your data and 2) secure your data. Understanding where sensitive data resides and how it is accessed across all of your systems, devices and applications is critical. If you didn’t conduct a thorough data audit in preparation for the GDPR, now is the time to start.
Once your data audit is complete, look to see how sensitive data is being accessed. Organizations typically start at the database and add layers of protection from the data center out. Don’t forget to look from the outside in! In today’s world, applications are often the first interaction between a consumer and a business — whether it is an app on a mobile device or a web app inside a browser — apps are everywhere and they are a primary collection point for a consumer’s personal information.
Take a look at your apps. Understand what information is used or collected inside the app. See how the app interacts with your backend infrastructure. Does it use APIs? User credentials or tokens to access back office systems? How is the app secured? How is the data secured at rest and in transit?
Data privacy is about to get serious. Are you ready?