Dark Reading

4/30/2019 02:30 PM
Chris Babel
Commentary
California Consumer Privacy Act: 4 Compliance Best Practices

Companies that get ahead of the January 2020 data privacy deadline can minimize the risk of sanctions and also gain a competitive advantage in the marketplace.

The California Consumer Privacy Act (CCPA), the most stringent privacy law enacted in the United States to date, takes effect January 1, 2020, with enforcement by the California Attorney General beginning no later than July 1, 2020.

The CCPA, like the EU General Data Protection Regulation (GDPR) already in force, broadly expands the rights of consumers and requires companies within its scope to be significantly more transparent about how they collect, use, and disclose personal information. For compliance leaders such as chief privacy officers (CPOs) and data protection officers (DPOs), the act is an opportunity to operationalize privacy and make it a strategic priority that yields competitive leverage.

Who Should Care About CCPA?
In brief, any for-profit business that does business in California and handles the personal information of California residents should care. In greater detail, the CCPA applies to businesses that collect California residents' personal information (directly or indirectly) and meet at least one of the following thresholds:

  • annual gross revenue in excess of $25 million;
  • annually buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices; or
  • deriving 50% or more of annual revenue from selling California residents' personal information.

While the effective date is January 1, 2020, consumers have the right to request the categories and specific pieces of personal information a business collected about them in the preceding 12 months. In practice, businesses need records of the personal information they collect, along with its sources and the purposes of collection, dating back to January 1, 2019. Organizations within the CCPA's scope that fail to cure a violation within 30 days of being notified face civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation. Separately, the act gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, when nonencrypted and nonredacted personal information is exposed in a breach caused by a failure to implement reasonable security; that clause is the part of the CCPA most directly tied to security engineering.

CCPA Best Practices
To prepare for the impending regulation, CPOs and DPOs should secure a budget, develop the key processes, and evaluate tools that will help their organizations build and implement a compliance plan. The plan needs a comprehensive data inventory: which systems and business processes hold personal information in scope of the CCPA, which identifiers tie a consumer's records together across those systems, and where the gaps in current compliance processes are. Compliance leaders should adopt the following best practices to help achieve CCPA compliance:

● Transparency in Policy Language. By January 2020, businesses must tell consumers, at or before the point of collection, which categories of personal information they collect and for what purposes. Consider a consumer who downloads a ride-sharing application. Today the user sees a privacy prompt asking whether they accept the company collecting certain information and must tap "accept" or a similar button, either to acknowledge the policy or to read the full text. Under the CCPA, that prompt and the full privacy policy must also explain the rights the act gives users, how to exercise them, and how those rights differ from what users had before. To comply, organizations must update their privacy notices at least once every 12 months to describe how the CCPA affects data collection and users' privacy options, ensure those notices meet the transparency requirements of every applicable law, and formally document that review process.

● Looping in Data Processors. A business that receives a verified deletion request must not only delete the consumer's data from its own systems but also direct its service providers to delete it; service providers that fail to comply are themselves exposed to civil penalties under the CCPA. If a retail company collects customer data, it must evaluate and confirm that any customer relationship management (CRM) service provider it works with can honor deletion and access requests, and that the written contract restricts the provider to the agreed business purpose, which is what makes it a "service provider" rather than a third party under the act. Service providers, in turn, need the privacy processes and mechanisms in place to support the businesses that use their services.

● Recourse for Data Requests. Consumers will have the right to obtain their personal information from a business within 45 days of a verifiable request; the window may be extended once by a further 45 days when reasonably necessary, provided the consumer is told. Consumers also have the right to receive that information in a portable, readily usable format that lets them transmit it to another organization. To ensure compliance, organizations need to review how they currently respond to data access requests, including how they verify that the requester is the consumer in question (an access request is an attractive channel for account takeover if verification is weak), assess how well those processes work, address gaps, and find ways to automate, scale, and simplify manual steps.

● Data Deletion Standards. Consumers may request that businesses delete their personal information. Companies need processes and mechanisms to receive and verify deletion requests, identify every system in which the data resides (including copies held by service providers), carry out the deletion, and be able to demonstrate to the consumer that the information has been removed. The data inventory is the prerequisite: a deletion request cannot be honored reliably if no one knows where the data lives or which identifiers link a consumer's records across systems.
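As an added illustration of the three request-handling practices above (directing service providers, answering access requests in a portable format within the statutory window, and verifiable deletion), here is a small Python orchestrator over a data inventory. It is example code written for this page, not TrustArc's product or code from the article; the system names, identifier fields, sample records and the rule linking them are constructed.

```python
"""Added example (not from the article): a minimal orchestrator for CCPA
access and deletion requests over a constructed data inventory. System names,
fields, records and linkage rules are hypothetical."""
import copy
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

# Constructed inventory: every system holding personal information, the field
# that identifies a consumer there, and whether a service provider runs it
# (the business must direct such providers to delete as well).
INVENTORY = {
    "crm":       {"key": "email",       "service_provider": False},
    "orders":    {"key": "customer_id", "service_provider": False},
    "analytics": {"key": "device_id",   "service_provider": True},
}

# Constructed sample records; the CRM row maps an email to the identifiers
# the other systems use, so it is the linkage point for every request.
SAMPLE_DATA = {
    "crm": [
        {"email": "ana@example.com", "customer_id": "C-100", "device_id": "D-7", "name": "Ana"},
        {"email": "bo@example.com",  "customer_id": "C-101", "device_id": "D-9", "name": "Bo"},
    ],
    "orders": [
        {"customer_id": "C-100", "order": "O-1", "total": 42.0},
        {"customer_id": "C-101", "order": "O-2", "total": 10.0},
    ],
    "analytics": [
        {"device_id": "D-7", "event": "app_open"},
        {"device_id": "D-7", "event": "ride_requested"},
        {"device_id": "D-9", "event": "app_open"},
    ],
}

RESPONSE_DAYS = 45   # statutory window for a verifiable request
EXTENSION_DAYS = 45  # one extension allowed when reasonably necessary

def fresh_stores():
    """Private copy of the sample data so each run starts from a clean state."""
    return copy.deepcopy(SAMPLE_DATA)

def response_deadline(received_iso, extended=False):
    """Due date (ISO string) for a request received on the given ISO date."""
    days = RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0)
    return (date.fromisoformat(received_iso) + timedelta(days=days)).isoformat()

def resolve_identifiers(stores, email):
    """Map a verified consumer email to the identifier each system uses."""
    ids = {"email": email}
    for rec in stores["crm"]:
        if rec["email"] == email:
            ids["customer_id"] = rec["customer_id"]
            ids["device_id"] = rec["device_id"]
    return ids

def locate(stores, ids):
    """Right to know: every record about the consumer, grouped by system."""
    found = {}
    for name, meta in INVENTORY.items():
        key = meta["key"]
        if key in ids:
            matches = [r for r in stores[name] if r.get(key) == ids[key]]
            if matches:
                found[name] = matches
    return found

def export_portable(stores, email):
    """JSON answer to an access request: categories held per system plus the
    records themselves, in a form the consumer can pass to another entity."""
    found = locate(stores, resolve_identifiers(stores, email))
    payload = {
        "consumer": email,
        "generated": datetime.now(timezone.utc).isoformat(),
        "categories": {n: sorted({k for r in recs for k in r}) for n, recs in found.items()},
        "records": found,
    }
    return json.dumps(payload, indent=2, sort_keys=True)

def delete_consumer(stores, email):
    """Delete across every system, note which service providers were directed
    to delete, then verify and return a receipt the business can retain."""
    # Resolve all identifiers BEFORE touching any store: deleting the CRM row
    # first would destroy the linkage, and a later lookup would come back
    # empty while orders and analytics records were still present.
    ids = resolve_identifiers(stores, email)
    receipt = {"consumer": email, "deleted": {}, "service_providers_directed": []}
    for name, meta in INVENTORY.items():
        key = meta["key"]
        if key not in ids:
            continue
        before = len(stores[name])
        stores[name] = [r for r in stores[name] if r.get(key) != ids[key]]
        receipt["deleted"][name] = before - len(stores[name])
        if meta["service_provider"]:
            receipt["service_providers_directed"].append(name)
    # Evidence: re-run the lookup with the saved identifiers and seal the
    # receipt with a digest so it can be retained and shown unaltered.
    receipt["verified_empty"] = locate(stores, ids) == {}
    receipt["digest"] = hashlib.sha256(
        json.dumps(receipt, sort_keys=True).encode()).hexdigest()
    return receipt
```

Run it with `stores = fresh_stores()`, then `export_portable(stores, "ana@example.com")` for the access response and `delete_consumer(stores, "ana@example.com")` for the deletion receipt; `response_deadline("2020-01-15")` gives the 45-day due date for the request. The one design point worth carrying into a real implementation is the ordering in `delete_consumer`: identifiers are resolved before anything is removed, because the record that links a consumer's identities together is usually the first thing a naive deletion wipes out, after which a "verification" lookup passes vacuously.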

CCPA Is Not GDPR
Businesses that complied with GDPR by creating comprehensive data governance practices, records of processing, and individual-rights procedures will have a head start on the CCPA. The two laws are not interchangeable, though: the CCPA centers on a right to opt out of the sale of personal information rather than GDPR's lawful-basis model, and its 45-day response window and 12-month look-back do not line up with GDPR's one-month deadline for access requests. Every company within the CCPA's scope, whether or not it is also subject to GDPR, will therefore need to enhance its data management practices and expand its individual-rights processes by the January 1, 2020, deadline. Companies that get ahead of CCPA compliance will not only minimize the risk of sanctions but also carve out a competitive edge over companies that lag behind.


As CEO of TrustArc, formerly known as TRUSTe, Chris has led the company through significant growth and transformation into a leading global privacy compliance and risk management company. Before joining TrustArc, Chris spent over a decade building online trust, most recently ...