The California Consumer Privacy Act (CCPA) entered its enforcement phase on 1st July 2020, despite lobbying from some business groups to delay it; many argued that, because of the impact of Covid-19, they could not dedicate the staff, resources and time needed to prepare for it.
Enforcement means that California's Attorney General (AG) can now take direct action against businesses that violate the privacy protection requirements of the CCPA. The law has been in effect since 1st January 2020, but until now the only remedy was the consumer's private right of action, which the CCPA limits to data breaches caused by a failure to maintain reasonable security.
Over the last few months, the AG's office has been busy finalizing the implementing regulations, including how penalties are assessed, what counts as a violation, and how the size of a fine is justified. The extent to which businesses are concerned about meeting these new requirements is already evident from the calls to delay the start of enforcement. However, California's Attorney General Xavier Becerra was unmoved on the timing, stating that enforcement of the regulation would commence as planned and saying: "We encourage businesses to be particularly mindful of data security in this time of emergency."
For those less familiar, the CCPA is a state-wide data privacy law that regulates how businesses, wherever in the world they are based, may handle the personal information (PI) of California residents. It is the US (Californian) counterpart of the European General Data Protection Regulation (GDPR), which became applicable in May 2018. One notable difference is scope: the CCPA's definition of personal information extends beyond the individual to include data that identifies or relates to a household, whereas the GDPR covers only data relating to an identified or identifiable natural person.
Taking the eye off the ball
Not long ago organizations operated largely closed systems, with most data processing taking place in their own environment and direct communication with the outside world limited to email and telephone. The data protection laws of that era were lenient, with only repeat or very serious offenders receiving a fine. The data protection landscape and its associated compliance environment changed fundamentally with the implementation of the GDPR, and many other privacy regulations have followed suit around the globe. California is the first US state to enact a comprehensive consumer privacy law of this kind; elsewhere, Singapore, India and many other large economies have enacted or drafted GDPR-style legislation, each with its own local flavor.
Now that the CCPA is in force, it will be interesting to see what size of fines and what types of action are issued. Within roughly a year of the GDPR taking effect, European regulators left no one in any doubt that the regulation has teeth: the French CNIL fined Google, and the UK ICO announced its intention to levy record penalties on British Airways and Marriott. In the same period the US FTC reached a record privacy settlement with Facebook. These were a salutary lesson to businesses across the board that they cannot afford to fail against these regulations. Increasing public awareness of privacy rights means the damage is not just financial but reputational too, a factor that is far more difficult to measure but can be catastrophic and long-lasting.
The tone of the various regulators' communications around Covid-19 indicates that businesses cannot afford to take their eye off the data protection ball, even during these challenging times. California, having gone ahead of the other states, is clearly serious about data protection.
When it comes to privacy, many countries have aligned with the GDPR standard while adding domestic provisions of their own, as I have indicated above with regard to the CCPA. Therefore, I would say that if organizations incorporate the GDPR requirements, including the mandate to ensure data protection by design and by default, into their compliance regime, they will not go far wrong.
Sensibly adopting a better data protection posture
So how do you comply and get some value for your organization? While compliance with data protection regulations is non-negotiable and the penalties for failure are severe, it is a mistake to see compliance solely as an inevitable burden. With an intelligent and proactive approach, organizations can stop viewing compliance only as an expense and turn it into a positive competitive differentiator, one that, over the long term, delivers efficiencies and cost reductions.
With this in mind, what steps should organizations take to sensibly adopt a better data protection posture and, with it, build a firm foundation for ongoing compliance? Data classification is a robust and critical first step in any compliance and data protection strategy. Data classification is the categorization of data by type and sensitivity so that an organization can answer, with confidence, what kinds of data it holds, where that data is located, and how it is shared and used.
Here at Boldon James we have been helping organizations for over 35 years to put in place the right data classification and secure messaging to meet their compliance objectives. As the CCPA is now in force, I thought it would be helpful to share a few pointers to home in on when looking at data classification and your compliance strategy:
IT security and operations do not own business data, so do not look to the CISO for all the answers: their job is to help you, not to do your job.
Identify and engage stakeholders right across the business, including risk, legal, and compliance. This is critical to the success of your compliance program.
Data stewardship will align correctly with the regulations only when the data owners are identified and engaged.
Organizations must educate users about the sensitivity of data and ensure the appropriate controls are in place around confidential and sensitive information.
Adam Strange, Global Marketing Director, Boldon James