The California Consumer Privacy Act (CCPA) entered its enforcement phase on 1st July 2020, despite lobbying from some business groups to delay it. Many argued that, owing to the impact of COVID-19, they could not dedicate the staff, resources and time needed to prepare for it.
From that date, California’s Attorney General (AG) can take direct action against businesses that violate the CCPA’s privacy requirements. The law has been in effect since 1st January 2020, but until now the only route to enforcement was the consumer’s private right of action, which the CCPA limits to certain data breaches involving non-encrypted, non-redacted personal information.
Over the last few months, the AG’s office has been busy finalising how it will assess penalties, define a violation and justify the size of a fine levied under the CCPA. The calls to delay the start of enforcement show how concerned businesses are about meeting the new requirements. However, California’s Attorney General Xavier Becerra was unmoved on the timing. He stated that enforcement of the regulation would commence as planned, saying: “We encourage businesses to be particularly mindful of data security in this time of emergency.”
What is the California Consumer Privacy Act?
The CCPA is a state law that regulates how businesses handle the personal information (PI) of California residents, wherever in the world those businesses are based, provided they do business in California and meet the Act’s thresholds. It is the US (Californian) counterpart of the European General Data Protection Regulation (GDPR), which came into force in May 2018. One notable difference is that the CCPA’s definition of PI is broader than the individual: it includes data that is not specific to one person but is linked to a household. The GDPR, by comparison, concerns only information relating to an identifiable individual.
Not long ago, organisations operated closed systems. Most data processing took place in their own environment, and the ability to communicate directly with the outside world was limited to email and telephone. The data protection laws in place then were lenient, with only repeat or very serious offenders receiving a fine. The data protection landscape and its associated compliance environment changed fundamentally with the implementation of the GDPR, and many other privacy regulations around the globe have followed suit. California is the first US state to enact a comprehensive consumer privacy law of this kind, while Singapore, India and many other large economies have enacted or proposed privacy laws of their own, each with a local flavour.
What actions does the CCPA enable?
Now that the CCPA is enforceable, it will be interesting to see what size of fines and types of action follow. It was about a year after the GDPR took effect that European regulators issued the first large penalties, or notices of intent to impose them: the French CNIL’s €50 million fine against Google in January 2019, and the ICO’s proposed fines of £183 million for British Airways and £99 million for Marriott in July 2019 (the ICO’s earlier £500,000 fine against Facebook was the maximum available under the pre-GDPR regime). They left no one in any doubt that this regulation has teeth, and were a salutary lesson to businesses across the board that they cannot afford to fail against these regulations. Increasing public awareness of privacy rights means the damage is not just financial but reputational too, a factor that is far more difficult to measure but can be catastrophic and long-lasting.
The tone from the various regulatory bodies’ communications around COVID-19 indicates that businesses cannot afford to take their eye off the data protection ball, even during these challenging times. California, having gone ahead of the other states, is clearly serious about data protection.
When it comes to privacy, most countries have aligned broadly with the GDPR standard and added their own domestic provisions, as the CCPA’s household data shows. Therefore, I would say that if organisations incorporate the GDPR’s requirements, including the mandate for data protection by design and by default, into their compliance regime, they won’t go far wrong.
Getting value out of compliance
So how do you comply and get some value for your organisation? Compliance with data protection regulations is non-negotiable, and the penalties for failure are severe. Yet it is a mistake to see compliance solely as an inevitable burden. With an intelligent and proactive approach, organisations can stop viewing compliance only as an expense and turn it into a competitive differentiator, one that over the long term delivers efficiencies and cost reductions.
With this in mind, what steps should organisations take to adopt a better data protection posture sensibly and, with it, build a firm foundation for ongoing compliance? This is where data classification is a robust and critical first step in any compliance and data protection strategy. Data classification is the practice of categorising data by sensitivity and type so that an organisation can answer, with confidence, what kinds of data it holds, where they are located, and how they are shared and used.
At Boldon James, we have been helping organisations for over 35 years put in place the right data classification and secure messaging, to meet their compliance objectives. Therefore, as CCPA is now in force, I thought it would be helpful to share a few pointers to home in on when looking at data classification and your compliance strategy:
Nine steps to improve responsibility
- IT security and operations do not own business data. Do not look to the CISO for all the answers. Their job is to help you, not to do your job.
- Identify and engage stakeholders right across the business, including risk, legal, and compliance. This is critical to the success of your compliance programme.
- Data stewardship will correctly align to regulations only when the data owners are identified and engaged.
- Organisations must educate users about the sensitivity of data. They must ensure the appropriate controls are in place around confidential and sensitive information.
- Alert users in real time that their actions may involve risk, for example when data is leaving the organisation. Warn them before they send messages that contain sensitive information. Letting an automated gateway silently hold the message in a queue slows the business down and helps no one.
- Classify or label data with visual labels to highlight any specific handling requirements.
- Ensure metadata labels can be read by other security tools to enforce security controls to stop unauthorised distribution of data.
- Link data classification tools to solutions such as DLP, encryption, access control and rights management. It will enhance overall data protection.
- Make sure you capture audit information on classification events. It enables remediation activity and lets you demonstrate your compliance position to the regulatory authorities.
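To make the last few pointers concrete, here is a small, added example of a classification-aware outbound mail check: it reads a classification label from message metadata, decides whether the message may go to external recipients, warns rather than silently queues where policy says so, and emits an audit record. It is illustrative code written for this article, not Boldon James product code or the CCPA’s own requirements. The header name `X-Classification`, the internal domain `example.com`, the label set and the handling policy are all assumptions, and the sample messages are constructed.

```python
"""Hypothetical classification-aware outbound mail check (illustrative only).

Assumptions (not from any product or regulation):
  - the classifier stamps a label in a header named X-Classification;
  - example.com is the organisation's own domain;
  - the label set and external-handling policy below.
A header is sender-asserted metadata, so in a real deployment the label
should be applied by a trusted classifier and cross-checked by DLP content
inspection; this example enforces the label as presented.
"""
import email
import json
from dataclasses import dataclass, field
from email.utils import getaddresses
from typing import Dict, List

LABEL_HEADER = "X-Classification"      # assumed header name
INTERNAL_DOMAINS = {"example.com"}     # assumed internal domain(s)

# Assumed policy: what each label permits when a recipient is external.
# "warn" means prompt the sender in real time rather than queue the message.
EXTERNAL_ACTION: Dict[str, str] = {
    "Public": "allow",
    "Internal": "warn",
    "Confidential": "block",
    "Restricted": "block",
}
DEFAULT_ACTION = "warn"                # unlabelled or unknown label


@dataclass
class Decision:
    action: str                        # allow | warn | block
    label: str                         # normalised label or "Unlabelled"
    external: List[str] = field(default_factory=list)
    reason: str = ""


def external_recipients(msg) -> List[str]:
    """Return recipient addresses whose domain is not one of ours."""
    found = []
    for hdr in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
            if domain and domain not in INTERNAL_DOMAINS:
                found.append(addr.lower())
    return found


def read_label(msg) -> str:
    """Normalise the label; anything outside the known set is treated as
    unlabelled so a sender cannot invent a more permissive category."""
    raw = msg.get(LABEL_HEADER)
    if raw is None:
        return "Unlabelled"
    candidate = raw.strip().title()
    return candidate if candidate in EXTERNAL_ACTION else "Unlabelled"


def evaluate(raw_message: bytes) -> Decision:
    """Decide allow/warn/block for one outbound message."""
    msg = email.message_from_bytes(raw_message)
    label = read_label(msg)
    ext = external_recipients(msg)
    if not ext:
        return Decision("allow", label, ext, "no external recipients")
    action = EXTERNAL_ACTION.get(label, DEFAULT_ACTION)
    return Decision(action, label, ext, f"label {label!r} with external recipients")


def audit_event(decision: Decision, message_id: str) -> str:
    """One JSON line for the audit trail (assumed schema)."""
    return json.dumps({
        "message_id": message_id,
        "label": decision.label,
        "action": decision.action,
        "external_recipients": decision.external,
        "reason": decision.reason,
    }, sort_keys=True)


# Constructed sample messages, not captured traffic.
SAMPLE_CONFIDENTIAL = b"""\
From: alice@example.com
To: bob@example.com, partner@othercorp.example
Subject: Q3 forecast
Message-ID: <1@example.com>
X-Classification: Confidential

Attached is the draft forecast.
"""

SAMPLE_UNLABELLED = b"""\
From: alice@example.com
To: vendor@supplier.example
Subject: Invoice query
Message-ID: <2@example.com>

Can you resend the invoice?
"""

SAMPLE_INTERNAL_ONLY = b"""\
From: alice@example.com
To: bob@example.com
Cc: carol@example.com
Subject: Board pack
Message-ID: <3@example.com>
X-Classification: Restricted

Internal circulation only.
"""

SAMPLE_BOGUS_LABEL = b"""\
From: alice@example.com
To: press@media.example
Subject: Announcement
Message-ID: <4@example.com>
X-Classification: Top Secret

Embargoed until Monday.
"""

if __name__ == "__main__":
    for mid, raw in ((1, SAMPLE_CONFIDENTIAL), (2, SAMPLE_UNLABELLED),
                     (3, SAMPLE_INTERNAL_ONLY), (4, SAMPLE_BOGUS_LABEL)):
        print(audit_event(evaluate(raw), f"<{mid}@example.com>"))
```

The design choice worth noting is the fail-safe handling of labels: an unknown or missing label never maps to "allow" for external recipients, it maps to "warn", which is what puts the decision back in front of the user instead of silently holding the message. The audit line is emitted for every decision, including "allow", because a regulator asking for your compliance position wants the negatives as well as the blocks.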
Find out more
It will be interesting to see how the CCPA is enforced and how severe the first few fines are. Hopefully, the pointers I’ve outlined above will set you on the right path and keep your business out of the headlines. If you are interested in finding out more about how data classification can help, why not download our whitepaper Classification By Design: The Foundation of Effective Data Protection Compliance.
Boldon James is an industry specialist in data classification and secure messaging, delivering globally-recognised innovation, service excellence and technology solutions that work. Part of the QinetiQ group, a major UK plc and FTSE 250 company, we integrate with powerful data security and governance ecosystems to enable customers to effectively manage data, streamline operations and proactively respond to regulatory change. We’re a safe pair of hands, with a 30 year heritage of delivering for the world’s leading commercial organisations, systems integrators, defence forces and governments.