Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

4/30/2019
02:30 PM
Chris Babel
Chris Babel
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

California Consumer Privacy Act: 4 Compliance Best Practices

Companies that get ahead of the January 2020 data privacy deadline can minimize the risk of sanctions and also gain a competitive advantage in the marketplace.

The California Consumer Privacy Act (CCPA) — the toughest privacy law in the United States — will go into effect January 1, 2020, with enforcement beginning no later than July 1, 2020.

The CCPA, like the existing EU General Data Protection Regulation (GDPR), broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. For compliance leaders, such as chief privacy officers (CPOs) and data protection officers (DPOs), the act represents an opportunity to operationalize privacy and make it a strategic priority for gaining competitive leverage. 

Who Should Care About CCPA?
In brief, anyone who has customers or employees in California should care. In greater detail, the CCPA affects companies that:

  • receive personal information from California residents either directly or indirectly, and that annually generate revenue in excess of $25 million;
  • receive the personal information of 50,000 or more California residents, devices, or households annually (directly or indirectly), or derive at least 50% of revenue from the sale of personal information about California residents.

While the effective date is January 1, 2020, consumers have the right to request the categories of personal information collected by companies within the preceding 12 months. This means that companies will need the records of personal information they collect dating back to January 1, 2019. Organizations that are affected by the CCPA and fail to comply risk being assessed fines of between $2,500 and $7,500 per violation.

CCPA Best Practices
To prepare for the impending regulation, CPOs and DPOs should secure a budget, develop the key processes, and evaluate tools that will help their organizations build and implement a compliance plan. The plan will need to include a comprehensive data inventory describing which business processes are in the scope of CCPA and where the gaps are in compliance processes. Compliance leaders should adopt the following best practices to help achieve CCPA compliance:

● Transparency in Policy Language. By January 2020, businesses must provide consumers with specific information pertaining to the new regulation. For example, consider when a consumer downloads a ride-sharing application. The user will receive a privacy prompt asking if they are OK with the company collecting certain information and must hit "accept" or a similar call-to-action button to either designate they understand the policy or that they would like to read the full policy. In addition, the app must also update those prompts to explain how the CCPA affects what rights users have related to privacy protection, and how those rights differ from pre-CCPA rights. To comply with this mandate, organizations must update privacy notices at least annually by describing how CCPA statutes affect data collection and users' privacy options, ensure those notices meet the transparency requirements of any applicable laws, and formally document that process.

● Looping in Data Processors. Businesses are now required to report consumer data deletion requests from a company's database to its service providers, which are also liable for civil penalties under the CCPA for noncompliance. If a retail company collects user data, it must also ensure it has evaluated and determined that any customer relationship management (CRM) service provider with which it works is compliant with CCPA regulations. Service providers must also ensure they have the requisite privacy processes and mechanisms in place to support companies that use their services.

● Recourse for Data Requests. Consumers will have the right to obtain, within 45 days, their personal information from a business. Consumers also have the right to request their personal information in a format that allows them to transmit it to another organization. To ensure compliance, organizations will need to review how they currently respond to data access requests, assess how well those processes work, address compliance gaps, and find ways to automate, scale, and simplify manual compliance-related processes.

● Data Deletion Standards. Consumers may request that businesses delete their personal information. Companies will need processes and mechanisms to respond to consumer deletion requests, identify where the data resides, and demonstrate to the customer that the information has been removed from their databases.

CCPA Is Not GDPR
Businesses that complied with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start on dealing with CCPA. However, under the CCPA, all companies that fall under the CCPA jurisdiction — whether or not they are affected by GDPR — will need to enhance their data management practices and expand their individual rights processes by the January 1, 2020, deadline. Companies that get ahead of CCPA compliance will not only minimize the risk of sanctions but be able to carve out a greater competitive edge over companies that lag behind.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18610
PUBLISHED: 2019-11-22
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary syste...
CVE-2019-9536
PUBLISHED: 2019-11-22
Apple iPhone 3GS bootrom malloc implementation returns a non-NULL pointer when unable to allocate memory, aka 'alloc8'. An attacker with physical access to the device can install arbitrary firmware.
CVE-2013-6811
PUBLISHED: 2019-11-22
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom Services in Port Forwarding...
CVE-2013-6880
PUBLISHED: 2019-11-22
Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header.
CVE-2019-15652
PUBLISHED: 2019-11-22
The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code.