While the GDPR is EU-centric, several countries, and several U.S. states, have followed suit with similar privacy initiatives. The CCPA (California Consumer Privacy Act) is a ballot measure set for November 2018, backed by a small team that includes a local real estate developer, a former financial executive, and a former Central Intelligence Agency analyst. While several major tech companies initially opposed the measure, Facebook recently withdrew from the fight. The recent Cambridge Analytica data leaks have added poignancy to Facebook's role in protecting user data.
"Several countries and states in the U.S. have followed GDPR with similar privacy initiatives. Use public support for the initiative to your advantage."
The CCPA has strong momentum to pass. If it does not, swelling popularity for the legislation is still a call for California companies to clean up their data policies and protect their customers.
CCPA: Major Points to Know
The CCPA would give consumers three major rights:
- Ask companies to disclose what consumer data they have collected.
- Demand that companies not sell the data or share with third parties for business purposes.
- Sue or fine companies that violate the law.
Broken down further, the CCPA asks that businesses that collect personal data disclose the categories of information they are obtaining. If a business opts to sell this information, they must explain to individuals what categories of data they are selling and to whom. If an individual does not want their information sold, the CCPA gives them the right to maintain a consistent level of service and steady costs (i.e., not be discriminated against for not consenting). Under the act, companies are required to clearly display a link that says "do not sell my data" at the bottom of any page that collects personal information. The CCPA also increases fines and penalties for companies that do not take reasonable measures to secure consumer data (as California law already requires).
The act applies only to businesses that meet at least one of three thresholds: $50,000,000 a year in revenue, the sale of 100,000 or more consumers' records each year, or 50% or more of annual revenue derived from selling personal information. Similar to the GDPR, all businesses that sell or collect personal information from Californians, even if they are located outside of California (e.g., Seattle-based Amazon), must comply with the CCPA.
The measure's backers currently have more than 600,000 signatures, over 1.6 times the 366,000 minimum requirement. Present private and public sector coalition backers include the Consumer Federation of California, DuckDuckGo, Consumer Reports, BLUR, DeleteMe, Catalina's List, the Center for Public Interest Law, the Parent Coalition for Student Privacy, and the Academy of Integrative Health & Medicine.
The Bad News
The practice of collecting consumer data has expanded without regulation for years. Many companies have rapidly built themselves on this information, which underpins their marketing, product development, industry research, and corporate strategy. Now, they must make major operational changes, such as:
- Tighten and clearly communicate the process whereby customers can request access to their data, have it erased, or transfer it to another data controller.
- Create new systems with better user management and/or potentially hire more IT staff.
- Consider outsourcing core services to a managed services provider.
- Work with pared-down data sets in the event that consumers withdraw their information.
California companies that process the data of EU residents also face the same maximum noncompliance fine as EU companies (the greater of €20 million or 4% of global annual revenue) as the GDPR deadline of May 25 approaches.
Figuring out what to do to bring your company into compliance has never been more important.
The Good News
Since California is a hotbed of startups, many young and medium-sized teams are flexible by nature. In contrast to industries like insurance, where many teams have processes set in stone over decades, many tech companies are more nimble and willing to adapt to changing circumstances. Already, companies are sending out updated privacy-policy emails to their customers.
With the push to comply with the GDPR, and in anticipation of similar regulations like the CCPA, teams are quickly taking action. In addition to email, some best practices are arising on the back end, including identity and access tools, specialized managed service providers, and enhanced anomaly protections for suspicious user behavior.
Many companies are taking advantage of anomaly detection tools to ensure that the users accessing consumer information are (1) who they say they are and (2) behaving appropriately. With large companies giving access to a wide swath of users both internally (IT staff, marketers, managers) and externally (third-party contractors or consultants), it can be difficult to figure out who is logging in, when, from where, and from which device(s). Implementing identity and access management (IAM) tools that incorporate anomaly detection can be essential for catching credential abuse before it becomes a breach.
With Auth0, anomaly detection is customizable. Once enabled, you can set rules that alert administrators to suspicious activity and block a user's login attempts when, for example, they repeatedly fail to supply the correct password or try to reach data they are not authorized to use.
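To make the kind of login anomaly detection described above concrete, here is an added example (not Auth0's code, and not part of the original post) that runs three simple detectors over constructed login log lines: a brute-force lockout after repeated password failures within a short window, a new-device alert, and an impossible-travel alert when a user succeeds from a different country shortly after a previous success. The key=value log format, the thresholds, and the sample events are all assumptions chosen for the example.

```python
"""Login anomaly detection over constructed sample log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Auth0 output); the key=value layout is an assumption.
SAMPLE_LOG = """\
2018-05-10T09:00:00Z user=alice ip=203.0.113.10 country=US device=mac-chrome result=success
2018-05-10T09:05:00Z user=bob ip=198.51.100.7 country=US device=win-edge result=success
2018-05-10T12:00:00Z user=alice ip=203.0.113.10 country=US device=mac-chrome result=success
2018-05-10T12:30:00Z user=alice ip=192.0.2.44 country=RU device=linux-firefox result=success
2018-05-10T13:00:00Z user=bob ip=198.51.100.99 country=US device=win-edge result=failure
2018-05-10T13:00:10Z user=bob ip=198.51.100.99 country=US device=win-edge result=failure
2018-05-10T13:00:20Z user=bob ip=198.51.100.99 country=US device=win-edge result=failure
2018-05-10T13:00:30Z user=bob ip=198.51.100.99 country=US device=win-edge result=failure
2018-05-10T13:00:40Z user=bob ip=198.51.100.99 country=US device=win-edge result=failure
2018-05-10T13:01:00Z user=bob ip=198.51.100.99 country=US device=win-edge result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_anomalies(lines, fail_threshold=5, fail_window=timedelta(minutes=10),
                     travel_window=timedelta(hours=2)):
    """Return a list of (alert_kind, user, timestamp) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)    # user -> timestamps of recent failed logins
    blocked = {}                     # user -> time the lockout started
    known_devices = defaultdict(set) # user -> devices seen on successful logins
    last_success = {}                # user -> (timestamp, country) of last success

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]

        # Lockout enforcement: anything during the lockout window is flagged, even a success.
        if user in blocked and ts - blocked[user] < fail_window:
            alerts.append(("blocked_attempt", user, ts))
            continue

        if ev["result"] == "failure":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > fail_window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= fail_threshold:                  # brute-force pattern: lock the user
                blocked[user] = ts
                alerts.append(("brute_force", user, ts))
                recent.clear()
            continue

        # Successful login: compare against what we have already seen for this user.
        if user in known_devices and ev["device"] not in known_devices[user]:
            alerts.append(("new_device", user, ts))
        known_devices[user].add(ev["device"])

        if user in last_success:
            prev_ts, prev_country = last_success[user]
            if ev["country"] != prev_country and ts - prev_ts < travel_window:
                alerts.append(("impossible_travel", user, ts))
        last_success[user] = (ts, ev["country"])

    return alerts


def run_sample():
    """Run the detectors over the constructed log above."""
    return detect_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, user, ts in run_sample():
        print(f"{ts.isoformat()}Z {kind:18} user={user}")
```

Running it flags alice's 12:30 login twice (new device and a country change within two hours of her previous success), locks bob after his fifth failure within ten minutes, and flags the success that follows during the lockout. In a real deployment the lockout would reject that login rather than merely alert, and the first-seen device for a new account should not be trusted silently either; this example treats it as a baseline only to keep the logic short.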
Teams have been testing and finding early successes with these and other new features, like user dashboard views. Even if you're not a hot tech startup, you still have the advantage of proximity to some of the most cutting-edge technologies and resources in the world.
Seize the opportunity
Instead of facing the CCPA with anxiety or opposition, use the public support for such a measure to your advantage. Get ahead of the curve in rolling out privacy features to your users on the front end, improve your back-end policies with better identity and access management software to protect your customers, and build a reputable brand in difficult times.
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.