The California Consumer Privacy Act (CCPA) went into effect at the beginning of the year, and the enforcement date of July 1 is just around the corner — with no signs of an extension. Organizations are beginning to feel the pressure to comply with the strict requirements that are designed to ensure that the collection, storage, and processing of personal data is consistent, secure, and noninvasive. Unfortunately, many are not ready to take on this new level of consumer privacy regulation, with 63% of respondents from a recent survey stating that working remotely has complicated maintaining compliance with the mandates that are applicable to their organization.
Similarly, many companies delayed reaching General Data Protection Regulation (GDPR) compliance, which resulted in multimillion-dollar fines for companies including Marriott and British Airways. Enterprises that are not CCPA compliant ahead of the enforcement date may face even heftier fees as it calls for fines "...not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." This means that if CCPA had been in effect at the time of Marriott's breach of 383 million guest records, then the company could have been subjected to fines totaling nearly $280 billion. The regulation affects more than just organizations that have headquarters in California; it extends to all that collect or sell consumer information relating to California residents. The following are considerations all companies should keep in mind to reach and maintain CCPA compliance.
CCPA Is More than Just California's Version of GDP
Organizations may assume that they are compliant with CCPA by virtue of their being compliant with GDPR. The two regulations are designed to offer strong protections for data subjects, and they do have some overlap in terms of overarching goals and specific requirements. However, the two also have significant differences. For example, CCPA's compliance requirements are applicable to information at the household and device level — it is not just about individuals directly.
To stay secure and compliant, enterprises should have a thorough understanding of all applicable regulations and make them an organizational priority. Note that this emphasis will not be without its benefits. Security and compliance can lead to a competitive edge as 87% of consumers are willing to take their business elsewhere if they don't trust how a company is handling their data.
How Companies Can Prepare to Comply and Secure Consumer Data
To better serve consumers, ensure maximum security, and achieve compliance, businesses should follow these steps:
- Have an accurate inventory of data. According to CCPA, if you don't know what data you have, then you can't ensure you're protecting it. Comprehensive activity logs should track all file, user, and app activity, revealing everything that is happening with individuals' data. Furthermore, companies going through M&A deals should conduct a thorough IT audit so they know what data they're inheriting. It's also critical to have security solutions, such as data loss prevention, that will prevent data leakage.
- Protect information and access. Beyond keeping track of data, businesses should know how the data is stored and destroyed, how it moves throughout the company, and who has access to it. Organizations that migrate to the cloud allow data to be accessed on numerous applications from various devices, such as employees' personal phones. Employees that access data should authenticate through single sign-on and multifactor authentication to ensure that only authorized employees handle data.
- Know data jurisdictions. Under CCPA, data may only be stored or transferred where the state has jurisdiction — or where an agreement is in place. If data is stored or transferred without an agreement, organizations should turn to solutions that can encrypt cloud data and give organizations direct control over their own encryption keys. This will ensure compliance under data residency rules, as the data only exists outside of acceptable regions in indecipherable ciphertext format. Tools like selective wipe also allow administrators to remove sensitive information from any device in any location, protecting data from unauthorized users.
If a company were to suffer a data breach, CCPA mandates that it provides detailed documentation on the causes and effects of the breach, as well as security measures taken to address it. As data privacy has increasingly become top of mind for consumers, enterprises must protect data with the proper tools and comply with relevant regulations if they are to avoid security incidents. Moving forward, it would also be wise of companies to stay ahead of regulation enforcement dates as the unexpected can occur at any moment, causing delays in their compliance plans.