There's No Opting Out of the California Consumer Privacy Act - InformationWeek

12/11/2019
07:00 AM
Jung-Kyu McCann, General Counsel, Druva

There’s No Opting Out of the California Consumer Privacy Act

As the countdown to January continues, it's up to executive teams to ensure their companies are complying and preparing for what's coming.

There’s no question that 2020 will be another busy year for enterprises, and to kick it off, on January 1 thousands of businesses will be impacted by the California Consumer Privacy Act (CCPA), the most comprehensive U.S. data privacy law to date. While some organizations overhauled and up-leveled their data governance to comply with GDPR, some businesses pushed off global compliance by sandboxing their European data to fit the GDPR compliance standards. While such band-aid fixes may have seemed like a good idea at the time, the introduction of CCPA leaves far fewer options outside of full compliance.

Now, as the countdown to January continues, and presidential candidates shine a national spotlight on the topic, it’s up to executive teams to ensure their companies are in compliance and prepared for what’s coming on the data privacy horizon.

How CCPA differs from GDPR

CCPA is commonly referred to as California's version of the General Data Protection Regulation (GDPR), and while there are some similarities -- such as individual rights to request, access, and delete personal information -- CCPA and GDPR vary in many important details.

  • For starters, GDPR applies to all European data but is a minimum requirement. Individual countries in the EU have their own laws that are often more restrictive. By contrast, CCPA is applicable to California data only and excludes any data that is already covered by a federal law, such as HIPAA or GLBA.
  • While GDPR protects personal information (PI) that could potentially identify a specific individual -- including name, address, telephone number and Social Security number (SSN) -- CCPA goes beyond to include product purchase history, social media activity, IP addresses, and household information. 
  • Under CCPA, companies are required to include a single, clear and conspicuous "Do Not Sell My Personal Information" link on homepages. By contrast, GDPR offers various opt-out rights, each of which requires individual action.
  • Under GDPR, administrative fines can reach 20 million euros or 4% of annual global revenue, whichever is greater. For CCPA, the California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation. Note that every individual affected by a violation is counted as a violation, so an intentional breach of 100,000 people’s data could bring a total fine of $750M, plus damages of $1M to $7.5M to the victims. Businesses are granted a 30-day cure period for most violations, but CCPA and GDPR both provide for a private right of action in case of certain data breaches (i.e., an individual can sue the company directly).

How to prepare

CCPA is only the beginning of data privacy regulations in the U.S. To prepare, here are a few ways to ensure your organization is properly handling consumer data.

1. Audit how your company manages data

Determine how personal information – including categories outlined in the new definition – is collected, processed and stored. As data becomes more decentralized across mobile devices and apps, businesses need an information governance framework that establishes clear and structured policies for responsible data management. 

Schedule routine check-ins. Data mapping is not a one-time practice and should be part of daily vendor management and data audit practices. And always have appropriate documentation and audit records in case questions arise. 

2. Cross-functional collaboration is key

Constant monitoring of processes, data inventories, and vendors dealing with data requires a lot of work and often occurs across a variety of teams, meaning it requires support from technical teams, lawyers, and management. Additionally, given how CCPA expanded the definition of PI and states that companies must identify all recipients (shared and sold) of collected PI, lead generation and other marketing practices that may not have been previously reviewed must also be re-examined.

It is easy to put appropriate policies and processes in place – the challenge is enforcement. A highly functional team makes it that much easier to stay in compliance and rapidly respond to requests. 

3. Ensure technology is up to snuff

When there is an inquiry or request made regarding PI, an intuitive, comprehensive data management system can be critical to locating and eliminating data efficiently. And it should go without saying, but a strong security posture, including strengthening your network edge, hardening systems against potential intrusion and employing encryption technologies, is critical to deterring malicious actors. 

As January quickly approaches, every company should be taking time to review its data policies. The continuous news cycles around high-profile breaches and a major election cycle will keep the discussion top of mind for millions of Americans. If your company has been putting off an overhaul of its approach to data management, now is the time to get serious. A little extra prep and the right tools will save you and your organization a lot of long nights, and potentially millions of dollars, in the future.


Jung-Kyu McCann brings more than 20 years of legal expertise to Druva, having represented public and private companies of all sizes. She joined Druva from Broadcom, where she served as Associate General Counsel, focusing on corporate matters and strategic transactions. Prior to Broadcom, she worked at Apple where she strengthened the company’s corporate governance framework and raised more than $100 billion in the global bond markets. She started her legal career at Shearman & Sterling and holds a leadership position at the Society for Corporate Governance. In 2017, she was recognized with the Rising Star award at the Corporate Governance Awards.
