What is the CCPA and Why Does it Matter?

In order to understand The California Consumer Privacy Act (CCPA), you first need to understand the proverbial straw that broke the camel’s back. While GDPR sparked many U.S. states to begin proposing their own data protection laws, it wasn’t until the Cambridge Analytica/Facebook scandal broke that the (U.S.) public outcry over data privacy reached critical mass.

Cambridge Analytica, a political analysis firm that claims to build psychological profiles of voters, is accused of buying nearly 90 million Americans' data that was collected without their consent from a researcher who told Facebook he was collecting it strictly for academic purposes. The outrage, though, originates from the fact that the researcher, after collecting this ungodly amount of personal data, sold it to Cambridge Analytica, which is against Facebook’s rules. Cambridge Analytica issued a number of press releases in the days following the explosive media reports, vehemently denying that they acted improperly with the data (i.e. they used it to help their political clientele further their campaigns--shocker).

Following this scandal, the Federal Trade Commission (FTC) launched an investigation that focused largely on the controls an organization must have on how its data is shared with and used by third parties -- in other words, the probable infancy of GDPR in the States. Taking a cue from the FTC, in June of 2018, California, ever the echelon of change among states unanimously passed The California Consumer Privacy Act.

CCPA applies to businesses that fall under any one of the below categories:

• Have annual revenue in excess of $25 million
• Buy, receive, sell, or share personal information on 50,000 or more CA households or devices
• Derive more than half of their annual revenue from selling consumer personal information

Although the CCPA does not go into effect until January 1, 2020, there are critical considerations to start thinking about now For example, one of the most important compliance factors companies need to be aware of is that they must be able to provide data usage records for the previous 12 months--beginning on January 1, 2020; meaning if an organization didn’t start tracking personal data usage at the beginning of this year, they could potentially be facing hefty fines or even lawsuits. To provide context, on the first day that GDPR took effect, Facebook and Google alone were hit with nearly $9 billion in lawsuits. I would expect the same aggressive litigation to start on the first day of CCPA. CCPA has six main components and covers both traditional PII (personal identification information) --name, social security number, email address, etc.--as well as non-traditional items such as biometric data, IP address, internet browsing or search history, geolocation data, audio, electronic, visual, olfactory, or similar information.

If a business hasn’t already started prepping, quite honestly, they’ll be working against the proverbial clock. Any company that does business with California residents should be ready to respond to the look back requirement and the new rights given to consumers and therefore should understand where all the personal information about their customers lives and where and how it flows with their organization. With GhostVolt Business, your organization can view the complete history of all files (including deleted ones) and the audit history of files, folders, and users. GhostVolt also includes a reporting module, allowing you to generate crisp reports on activity with ease.

Likewise, those businesses that need to comply with CCPA should also consider the following to updates to their compliance policies:

• Update website privacy policy to meet new data disclosure, consent, and opt-out requirements
• Ensure employee privacy policy notice complies with CCPA requirements
• Implement incident response plans that enable the organization to respond effectively in the event of a data breach
• Execute master service agreements with restrictions for data use by required service providers

Given the active legislative changes at both the state and federal level, data privacy risks should be one of the top risks managed by enterprises as part of a thorough risk management framework. Data encryption is an important component of that risk management framework. If data is stolen while protected by a secure encryption algorithm, it’s impossible for an attacker to read it without access to the encryption key.

As with all new legislation, the CCPA is a work in progress, and without a doubt it will be amended and revised going forward. Of course the federal law and additional state regulations are sure to follow. One very clear trend is evident: We’re now living in an era of data and web- based regulations and companies need to not just understand the regulatory environment, they now have to deploy solutions that will protect them from liabilities that working with consumer data entails. As the legal circumstances evolve in the coming months and years, the foundational work of building an information and data access control program will prepare your business to meet these emergent challenges.