Understanding California’s Consumer Privacy Act: The ‘American GDPR’

As enterprises around the world deal with legislative backlash following years of unfettered data collection, companies are confused about how to achieve compliance not only with the General Data Protection Regulation (GDPR), but also with California’s Consumer Privacy Act (CCPA). If you are one of them, rest assured that you are not alone in your confusion — and you’d better believe there’s more to come.

Several months after GDPR went into effect, 27 percent of companies reported that they had yet to start the GDPR compliance process, according to GDPR.Report. Still, the threat of additional regulations looms.

When the California legislation goes into effect on Jan. 1, 2020, more than 500,000 American businesses will be subject to the CCPA, according to a recent report from Varonis. The same report found that 58 percent of companies have more than 100,000 folders open to every employee. That sensitive data is at risk, and in 15 months companies will be required to let consumers review the data collected about them, demand its deletion and opt out of having it sold to third parties. Organizations face civil penalties of up to $7,500 per intentional violation.

Navigating the ‘American GDPR’

Since Labor Day weekend, two new state law amendments have come into effect. Colorado expanded the categories of personal information its privacy statute protects, and the statute now mandates breach notification within 30 days. The clock starts ticking the moment the company discovers the breach. New York’s Department of Financial Services similarly brought additional provisions of its cybersecurity regulation, 23 NYCRR Part 500, into effect.

The newly effective provisions require written application security procedures and limits on data retention. They also add audit trail and access monitoring requirements and stipulate that nonpublic information be encrypted both at rest and in transit, with compensating controls permitted only where encryption is infeasible.

“The web of cyber data privacy laws continues to grow both in volume and complexity,” said Pravin Kothari, CEO of cloud security vendor CipherCloud, in an email interview. “These sorts of regulations will need to be handled by Federal omnibus. The expense and risk to businesses in attempting to implement a rolling thunder of different regional and/or state data privacy laws will be overpowering.”

With increasing regulatory focus, the burden falls on companies to manage and secure sensitive data while also giving customers greater control over it. As if complying with GDPR and CCPA were not complicated enough, additional legislation is likely forthcoming in the U.S.: other states are bound to introduce their own laws, which sets a high bar for U.S. companies when it comes to data privacy.

There’s Still Time to Prepare for the Consumer Privacy Act

The good news is that Jan. 1, 2020 is still about 15 months away. While companies are all over the spectrum in terms of how far they have to go, there is still time to work through some of the confusion the market is sensing to iron out the compliance wrinkles.

“Determining the best practices for compliance with the upcoming laws depends in large part [on] how risk-averse companies are,” said Arshad Noor, creator and chief technology officer (CTO) of StrongKey. “Those companies that are already compliant with GDPR will find themselves well-prepared to deal with new acts across the U.S. in different states.”

While GDPR defines a data subject as a human being and covers any data about them, California defines a person as a human, business, entity or object, according to Noor.

“We tend to think of consumer privacy as my information, name, date of birth, gender, but California has created categories of data which include metadata, IP addresses and more,” Noor said. “It’s an interesting notion about privacy that I don’t think anyone has thought of.”

Between now and 2020, much will be clarified about the different categories of data and the fundamentals of what needs to be protected. But don’t wait for clarification to begin moving toward compliance. The first step is to establish a policy that guides the company’s day-to-day practices. Once that policy is defined, Noor said, “Look at specific requirements of the law. Companies will have to have a link or button on the home page that allows a consumer to say ‘Please delete all my information.’”

As currently written, the law requires that websites or businesses dealing with California customers let those users directly exercise their right to deletion, the CCPA’s counterpart to GDPR’s right to be forgotten. That will be mandatory, so processes for honoring such requests must be in place. Other stipulations are not as explicitly stated, so now is the time to start thinking about what companies should be doing. The law does allow companies to collect the data they need to do business, which is why each organization needs to be able to identify what information it actually needs.

Take a Minimalist Approach to CCPA Compliance

To start your CCPA compliance journey, identify where and how your organization’s data is stored, then begin permanently deleting the clutter from those systems.

“If it’s not necessary to conduct business, consider getting rid of that information,” Noor advised. “They need to know which applications use what data and where they have stored it. So, they should begin to take an inventory of the data, starting now.”

Residual information will remain after the cleanup, so it is important to protect what is left. At a minimum, companies should encrypt that information and eliminate user passwords from web applications. Many applications hold sensitive information, so companies need to identify that data and decide whether to keep what they have collected.

“They should define how they use the data and make that visible in their policy as well as in their notices to consumers,” Noor explained. “Be clear about what information is being collected, how it is used and to whom it is sold.”

Improving Compliance — and Guidelines

Once a policy is in place, the next step is to implement procedures. Identifying appropriate procedures requires asking questions such as:

  • How do I address requests from consumers in my ecosystem?
  • How do consumers delete their data?
  • What is the process for identifying all information across all systems?

By addressing these gaps now, you can keep from getting caught in the regulatory cold.

When California enacted the first state data breach notification law, most other jurisdictions didn’t want to go anywhere near it; they have since followed with their own versions, and no federal statute has unified them. While the U.S. government could choose not to propose federal privacy protection legislation, businesses should be working with Congress to try to bring about a uniform law. Waiting for Congress to act may take too long and could result in 48 more different pieces of legislation. Talk about a compliance nightmare.

Zurkus is an influential writer covering a range of security topics with a focus on mitigating risks to businesses. Her...