CCPA Enforcement Begins: Are You Ready?
The California Consumer Privacy Act (CCPA) became law six months ago, but enforcement has been delayed until today. If you haven’t yet started your CCPA remediation effort, you’ve got a lot of catching up to do.
California residents gained new data rights under CCPA, and companies are now subject to new requirements regarding that data. Residents of the state can demand to know what personal data companies are collecting about them, whether they’re selling that data, and to whom. Residents can demand access to that data, and even request that companies delete their personal data.
Companies that are subject to CCPA (which are larger firms and those whose businesses are primarily data oriented) must respond to CCPA requests within 30 days, or be subject to fines. The maximum penalty allowable by the CCPA is $7,500, and consumers themselves are eligible to collect some of that money, in some cases exceeding $750 per incident.
The fines are designed to encourage compliance with CCPA. Starting today, Attorney General Xavier Becerra is empowered to begin fining companies that are not complying with the new law.
So who will Becerra go after first? Some legal experts say that the AG will primarily target companies abusing the data of children. Others say that he may target social media giants, most of which are based in Silicon Valley.
Dan Clarke, the president of tech services firm IntraEdge, says that Becerra will be quick to make examples of companies that don’t comply.
“The AG will focus efforts around the companies that are doing nothing to visually prove they are implementing a mechanism that allows consumers to exercise their privacy rights,” Clarke tells Datanami. “Businesses can start in their compliance efforts by at least doing the minimum and include a ‘Do Not Sell My Information’ link on their website (where applicable), opt-out of the sale of data, and have a method to intake requests from consumers. If a consumer can’t easily exercise their privacy rights, it’s much easier to enforce fines, including 30-day notices to cure.”
But just adding words and a link to your website is not going to cut it when it comes to CCPA and other similar regulations, such as the General Data Protection Regulation (GDPR), which went into effect in the European Union two years ago and ostensibly protects the digital rights of European residents.
Because data tend to be siloed, it can take considerable cost and effort to discover and “wipe” private data from all of the repositories that contain people’s personal data. Without a comprehensive data management strategy, companies can easily be overcome
Take Talend, for example. The French-American software vendor has the advantage of being in the business of developing data management and governance tools, including a data catalog, an inventory tool, tools for data stewards, and data prep and quality tools. So when GDPR went into effect two years ago, the company was able to use its own software and stay ahead of the curve.
But that doesn’t mean regulatory compliance is easy. According to Talend’s Chief Information Security Officer, Anne Hardy, the company is a typical midsize business in that it stores customer data in a myriad of locations. That data diversity helps drive business agility, but it doesn’t necessarily help compliance.
“We have about 200 systems that we have to go through to check whether or not we have information about a user,” Hardy tells Datanami. “We get lots of GDPR requests from people. With CCPA, it’s not going to go down. It’s going to augment, so we know that we’re going to have to scale” the compliance efforts.
Indeed, each time a person files a CCPA or GDPR request with a company, it costs the company an average of about $1,500, according to Gartner. Giving people control over their own personal information, it turns out, isn’t cheap.
“Compliance standards like CCPA, GDPR, and HIPAA have a laundry list of requirements to demonstrate compliance, and oftentimes the complexity of these requirements reaches beyond the expertise of IT administrators and MSPs,” says Max Pruger, the general manager of compliance at Kaseya, which develops regulatory compliance solutions. “Despite that fact, almost every business is subject to at least one set of security or privacy rules, if not more, and for most organizations, compliance with these rules is outside their skill set.”
It should come as no surprise, then, that more than half of companies are not ready for CCPA. That’s according to a survey of general counsels of tech companies by Ethyca and TecGC, which found 56% of internal lawyers said their company was unprepared for new privacy regs.
A lack of resources was cited as the number one challenge to compliance by 44% of the survey respondents, while 32% said the growing complexity of regulatory compliance was the main reason. The COVID-19 pandemic and resulting economic recession will undoubtedly complicate CCPA and GDPR remediation projects, but don’t expect the government to lend a sympathetic ear.
“The pandemic has thrown the world into chaos but these survey results indicate that concerns over privacy have remained a constant,” says Ethyca CEO Cillian Kieran. “Current circumstances have not lessened the urgency of compliance, especially to CCPA. The Californian AG has been explicit.”
The chaos of COVID-19 should not prevent CISOs from taking the necessary steps to secure sensitive data, says Gidi Cohen, the CEO of Skybox Security.
“Measures need to be in place to properly protect consumer data from unauthorized access or breach, and such measures need to be constantly monitored as the network changes,” Cohen says. “This is particularly important during the crisis as the threat landscape is volatile right now; attackers are taking advantage of the general chaos, rapid changes implemented due to work-from-home and overwhelmed security teams. Businesses, hospitals and critical infrastructure have suffered a range of attacks at a time they’re least equipped to handle them.”
Getting the details right on CCPA compliance is important, but you should not lose sight of the bigger picture, which is that there are likely more data regulations in your future. For that reason, the best advice for companies is to invest in building a comprehensive data governance strategy that gives you greater control over the entire data lifecycle, including where it comes from, what it’s collected for, and who has access to it.
Putting a bottom-up data governance system into place will better prepare you to adapt to the next data regulation that comes down the pike. While it doesn’t appear that the US Congress will pass a national data regulation any time soon, there are several moving through state legislatures.
Building a data governance system that is flexible will help to insulate you against these future laws, says Tim Sadler, the CEO and co-founder of Tessian.
“Overall, CCPA is a step in the right direction. It will force businesses to understand data controls and flow in their organization, and ultimately give consumers more control over their personal information,” he says. “We have to be mindful of the fact that these siloed privacy regulations (CCPA, GDPR) can create confusion and also that businesses may become numb to them as more state-specific laws are implemented.”
Some people, such as Sadler, advocate for a global data privacy law that supersedes all local laws. That’s unlikely to happen any time soon, but it shouldn’t stop you from taking the opportunity now to start taking data governance seriously.
Besides minimizing fines, data governance is increasingly being viewed as the key to having a successful data analytics strategy, and that’s just smart business. Collibra co-founder and CTO Stan Christiaens summed it up well in a Datanami column earlier this week:
“Consumer data privacy should be an ethical priority for businesses instead of just a regulatory requirement,” he wrote. “Using data the right way to drive operational decisions pays big dividends in earning customer trust and driving repeat business.”