Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


02:00 PM
Anurag Kahol
Anurag Kahol
Connect Directly
E-Mail vvv

Considerations for Seamless CCPA Compliance

Three steps to better serve consumers, ensure maximum security, and achieve compliance with the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA) went into effect at the beginning of the year, and the enforcement date of July 1 is just around the corner — with no signs of an extension. Organizations are beginning to feel the pressure to comply with the strict requirements that are designed to ensure that the collection, storage, and processing of personal data is consistent, secure, and noninvasive. Unfortunately, many are not ready to take on this new level of consumer privacy regulation, with 63% of respondents from a recent survey stating that working remotely has complicated maintaining compliance with the mandates that are applicable to their organization.

Similarly, many companies delayed reaching General Data Protection Regulation (GDPR) compliance, which resulted in multimillion-dollar fines for companies including Marriott and British Airways. Enterprises that are not CCPA compliant ahead of the enforcement date may face even heftier fees as it calls for fines "...not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." This means that if CCPA had been in effect at the time of Marriott's breach of 383 million guest records, then the company could have been subjected to fines totaling nearly $280 billion. The regulation affects more than just organizations that have headquarters in California; it extends to all that collect or sell consumer information relating to California residents. The following are considerations all companies should keep in mind to reach and maintain CCPA compliance.

CCPA Is More than Just California's Version of GDP
Organizations may assume that they are compliant with CCPA by virtue of their being compliant with GDPR. The two regulations are designed to offer strong protections for data subjects, and they do have some overlap in terms of overarching goals and specific requirements. However, the two also have significant differences. For example, CCPA's compliance requirements are applicable to information at the household and device level — it is not just about individuals directly.

To stay secure and compliant, enterprises should have a thorough understanding of all applicable regulations and make them an organizational priority. Note that this emphasis will not be without its benefits. Security and compliance can lead to a competitive edge as 87% of consumers are willing to take their business elsewhere if they don't trust how a company is handling their data.

How Companies Can Prepare to Comply and Secure Consumer Data
To better serve consumers, ensure maximum security, and achieve compliance, businesses should follow these steps:

  • Have an accurate inventory of data. According to CCPA, if you don't know what data you have, then you can't ensure you're protecting it. Comprehensive activity logs should track all file, user, and app activity, revealing everything that is happening with individuals' data. Furthermore, companies going through M&A deals should conduct a thorough IT audit so they know what data they're inheriting. It's also critical to have security solutions, such as data loss prevention, that will prevent data leakage.

  • Protect information and access. Beyond keeping track of data, businesses should know how the data is stored and destroyed, how it moves throughout the company, and who has access to it. Organizations that migrate to the cloud allow data to be accessed on numerous applications from various devices, such as employees' personal phones. Employees that access data should authenticate through single sign-on and multifactor authentication to ensure that only authorized employees handle data.

  • Know data jurisdictions. Under CCPA, data may only be stored or transferred where the state has jurisdiction — or where an agreement is in place. If data is stored or transferred without an agreement, organizations should turn to solutions that can encrypt cloud data and give organizations direct control over their own encryption keys. This will ensure compliance under data residency rules, as the data only exists outside of acceptable regions in indecipherable ciphertext format. Tools like selective wipe also allow administrators to remove sensitive information from any device in any location, protecting data from unauthorized users.

If a company were to suffer a data breach, CCPA mandates that it provides detailed documentation on the causes and effects of the breach, as well as security measures taken to address it. As data privacy has increasingly become top of mind for consumers, enterprises must protect data with the proper tools and comply with relevant regulations if they are to avoid security incidents. Moving forward, it would also be wise of companies to stay ahead of regulation enforcement dates as the unexpected can occur at any moment, causing delays in their compliance plans. 

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks' Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/8/2020 | 12:21:48 PM
Changing risk landscape
Great, actionable tips here for businesses that haven't yet taken the necessary steps to comply with CCPA. Thanks for sharing.

You mention in your piece that organizations should stay ahead of regulation enforcement dates since the unexpected can occur at any moment. In my opinion, one of the biggest challenges with the ever-changing risk landscape is the immense likelihood a new regulation will pop up at any moment. Take for example the fact that California is already considering passing a second privacy law yet in 2020 - the California Privacy Rights Act.

What's your best advice for organizations to stay ahead of and/or adapt to these changes?
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.