In The Wake Of GDPR, It Can't Be Business As Usual With Consumer Data Privacy

Forbes Technology Council
POST WRITTEN BY
Dr. Rao Papolu

With the EU's General Data Protection Regulation (GDPR) comes an unprecedented paradigm shift in data privacy regulation. The new California Consumer Privacy Act of 2018 (CCPA) is another sweeping data-privacy mandate that’s set to further tighten up accountability with consumer data. It’s time to buckle up because it pays to stay compliant.

A flurry of data breach incidents has given rise to serious concerns about the way consumer data is handled. 2017 was dubbed "the year of the data breach," but 2018 hasn't brought any glimmer of hope, as attacks from ransomware and other sophisticated malware keep striking businesses and consumers alike.

High-profile incidents disclosed at Target (2013) and Equifax (2017) illustrate the magnitude of such breaches, which saw countless records of sensitive data -- including personal and financial information -- exposed. This led many to believe that cyber breaches have become the norm across the world, particularly in the United States.

GDPR came as a highly acclaimed global regulatory wake-up call to address this situation. Although the law was enacted to protect all citizens of the European Union, its resulting impact has reached far beyond the EU. It's not that we didn't have enough regulatory compliance measures available, but what has essentially changed with the GDPR is a shift in government priorities and its willingness to legislate to protect individual privacy.

The CCPA, which is slated to take effect July 1, 2020, is proof of GDPR's influence.

This Sea-Change Augurs Well For The New Reality

The digital economy is lucrative yet highly vulnerable. Cybercriminals are relentlessly hunting for vulnerabilities and security gaps and can target sensitive consumer data anytime. By promoting greater emphasis on adherence, security and accountability, California’s new data-privacy regime is influencing fresh thinking in safeguarding consumer data.

Companies now sense greater accountability to protect personally identifiable information (PII). They fear inviting back-breaking punitive measures if a violation or negligence is found. For example, the CCPA promises to hand out "fines of up to $7,500 per record for violations that aren't resolved within 30 days" and to possibly "expose companies to class action lawsuits and the risk of being sued by individuals when guidelines are violated, even when there's no actual breach."

Rewarding For Businesses And Consumers Alike

The CCPA has a broader definition of personal data than GDPR. However, efforts made to comply with GDPR will prove useful in understanding and meeting the regulatory mandates of this new law. Consumers stand to benefit as their concerns will be alleviated by a stricter law, and they will have more power to exercise their rights of access and choice (opting out of consent to share data).

Similarly, businesses will have the opportunity to thoroughly reassess their data collection practices, spot gaps or weaknesses and address them.

For every business that is preparing for this new data privacy shakeup, it is worth recognizing that merely hoarding more and more data, without a clear use or a data privacy and security plan, carries its own risks. Rationalizing the amount of data a business collects can not only reduce potential exposure but also reduce the associated costs of processing, network traffic and storage. Once you have a clear picture of what actually produces value and where it is collected and stored, you can strategize about how to manage, process and protect data more effectively.

Whom Does The CCPA Apply To?

The CCPA applies to any for-profit business that meets at least one of the following criteria:

• Its annual gross revenue exceeds $25 million.

• It processes the personal information (PII) of 50,000 or more California residents, households or devices every year.

• It derives at least 50% of its gross revenue from selling personal information.

Reimagine Your Approach And Up The Ante In Consumer Data Protection

The new era of privacy regulations is upon us, and it demands an approach that enables data protection by design and by default. Instead of feeling overwhelmed, take a deep breath, thoroughly analyze your readiness, identify sensitive data, weed out incompatible practices and implement encryption and similar security measures to enforce highly monitored usage and access.

Remember that this is about establishing compliant processes and systems so that your business can securely manage data and, more importantly, provide access to data, delete data when required and disclose specific information on the sharing or sale of any personal information.

It is also important to address the weakest link in the chain of managing and securing sensitive data -- users themselves. Ensure you train any employees who might be responsible for data, and extend that training to third parties and partners to ensure they follow best practices.

This will not only bode well for your consumers but, more importantly, it will help you curtail potential financial risk and unwarranted disruption that might arise from further data privacy norms.
