There’s no question that 2020 will be another busy year for enterprises, and to kick it off, on January 1 thousands of businesses will be impacted by the California Consumer Privacy Act (CCPA), the most comprehensive U.S. data privacy law to date. While some organizations overhauled and up-leveled their data governance to comply with GDPR, some businesses pushed off global compliance by sandboxing their European data to fit the GDPR compliance standards. While such band-aid fixes may have seemed like a good idea at the time, the introduction of CCPA leaves far fewer options outside of full compliance.
Now, as the countdown to January continues, and presidential candidates shine a national spotlight on the topic, it’s up to executive teams to ensure their companies are in compliance and prepared for what’s coming on the data privacy horizon.
How CCPA differs from GDPR
CCPA is commonly referred to as California's version of the General Data Protection Regulation (GDPR), and while there are some similarities -- such as individual rights to request, access, and delete personal information -- CCPA and GDPR vary in many important details.
- For starters, GDPR applies to all European data but is a minimum requirement. Individual countries in the EU have their own laws that are often more restrictive. By contrast, CCPA is applicable to California data only and excludes any data that is already covered by a federal law, such as HIPAA or GLBA.
- While GDPR protects personal information (PI) that could potentially identify a specific individual -- including name, address, telephone number and Social Security number (SSN) -- CCPA goes beyond to include product purchase history, social media activity, IP addresses, and household information.
- Under CCPA, companies are required to include a single, clear and conspicuous "Do Not Sell My Personal Information" link on homepages. By contrast, GDPR offers various opt-out rights, each of which requires individual action.
- Under GDPR, administrative fines can reach 20 million euros or 4% of annual global revenue, whichever is greater. For CCPA, the California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation. Note that every individual affected by a violation is counted as a separate violation, so an intentional breach of 100,000 people’s data could bring a total fine of $750M, plus damages of $1M to $7.5M to the victims. Businesses are granted a 30-day cure period for most violations, but CCPA and GDPR both provide for a private right of action in case of certain data breaches (i.e., an individual can sue the company directly).
How to prepare
CCPA is only the beginning of data privacy regulations in the U.S. To prepare, here are a few ways to ensure your organization is properly handling consumer data.
1. Audit how your company manages data
Determine how personal information – including categories outlined in the new definition – is collected, processed and stored. As data becomes more decentralized across mobile devices and apps, businesses need an information governance framework that establishes clear and structured policies for responsible data management.
Schedule routine check-ins. Data mapping is not a one-time practice and should be part of daily vendor management and data audit practices. And always have appropriate documentation and audit records in case questions arise.
2. Cross-functional collaboration is key
Constant monitoring of processes, data inventories, and vendors dealing with data requires a lot of work and often occurs across a variety of teams, meaning it requires support from technical teams, lawyers, and management. Additionally, given that CCPA expanded the definition of PI and states that companies must identify all recipients (shared and sold) of collected PI, lead generation and other marketing practices that may not previously have been reviewed must also be re-examined.
It is easy to put appropriate policies and processes in place – the challenge is enforcement. A highly functional team makes it that much easier to stay in compliance and rapidly respond to requests.
3. Ensure technology is up to snuff
When there is an inquiry or request made regarding PI, an intuitive, comprehensive data management system can be critical to locating and eliminating data efficiently. And it should go without saying, but a strong security posture, including strengthening your network edge, hardening systems against potential intrusion and employing encryption technologies, is critical to deterring malicious actors.
As January quickly approaches, every company should be taking time to review its data policies. The continuous news cycles around high-profile breaches and a major election cycle will keep the discussion top of mind for millions of Americans. If your company has been putting off an overhaul of its approach to data management, now is the time to get serious. A little extra prep and the right tools will save you and your organization a lot of long nights, and potentially millions of dollars, in the future.
Jung-Kyu McCann brings more than 20 years of legal expertise to Druva, having represented public and private companies of all sizes. She joined Druva from Broadcom, where she served as Associate General Counsel, focusing on corporate matters and strategic transactions. Prior to Broadcom, she worked at Apple where she strengthened the company’s corporate governance framework and raised more than $100 billion in the global bond markets. She started her legal career at Shearman & Sterling and holds a leadership position at the Society for Corporate Governance. In 2017, she was recognized with the Rising Star award at the Corporate Governance Awards.