In the wake of the EU-centric General Data Protection Regulation (GDPR), several other nations, as well as states in the U.S., followed suit with similar privacy regulations. One of the landmark follow-on initiatives, the California Consumer Privacy Act (CCPA), was approved in June 2018. CCPA will take effect on January 1, 2020.
The Act builds on existing California law, which requires businesses to disclose basic information on data collection practices and data breaches.
In January 2020, California residents, who share their state with many of the world’s tech giants, may ask companies handling their data to disclose what personal information has been collected, and how and why they’ve collected it. Residents will also be able to “opt out of” having their data shared with or sold to third parties.
If companies do not or cannot comply — residents have the right to sue. Many companies are already feeling the pressure.
According to Robert L. Wallan, a partner with Los Angeles-based firm Pillsbury Winthrop Shaw Pittman LLP, as cited in Insurance Journal:
“You’re going to see some class-action litigation, my prediction is, pretty early.”
Despite the threat of hefty fines ($7,500 per violated record) — as well as reputational damages — for noncompliance, many teams are still not prepared. If you’re a chief security officer (CSO) or team lead responsible for safeguarding the data of your users, this article provides an update on major points in the current version of the CCPA — and ways to quickly meet these requirements.
In doing so, you could set yourself apart from 86% of organizations who are not yet compliant (according to a TrustArc survey reported on in Fortune), build greater credibility with your users, and set yourself up for more sustainable growth.
CCPA: Major Points (the Good and the Bad) to Know
As of the July 1, 2020 enforcement date, the Attorney General will support California residents who request the following from companies that collect and use their personal information (PI):
- the particular pieces of personal information they collect,
- the categories of sources that provided their data,
- the categories of third parties with whom they share the data, and
- their commercial reasons for collecting or selling the data.
The CCPA broadly defines PI as information about a California resident that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This covers standard items, such as:
- driver’s license and passport numbers, purchasing histories,
- internet activities,
- geolocation data, and
- professional or employment-related information.
It also includes “inferences drawn about a California resident” — personal details such as interests, aptitudes, or predispositions that a company uses to create a customer profile. For a full list of PI as defined by the CCPA, see here.
Under the CCPA, residents may also request that companies delete any personal information (subject to certain exceptions). As mentioned above, they may also opt out having their data sold.
While the Act isn’t set to be enforced until July 1, 2020, it covers personal data twelve months prior to the January 1, 2020 effective date. This means that the CCPA already applies to companies’ data collection, storage, and usage practices today—and throughout 2019. If you don’t have a process in place to handle these specific requests, it’s time to create one.
There are more important criteria to note. If an individual does not want their information sold, the CCPA gives them the right to maintain a consistent level of service and steady costs (i.e., not be discriminated against for not consenting). Under the Act, companies are required to clearly display a link that says "do not sell my data" at the bottom of any page that collects personal information. The CCPA also increases fines and penalties for companies that do not take reasonable measures to secure consumer data—again, a civil penalty of up to $7,500 for each violation.
The Act exclusively applies to businesses that:
- have annual gross revenues greater than $25,000,000;
- buy, sell, or otherwise use personal information of 50,000 consumers, households, or devices each year; or
- derive 50% of their annual revenue by selling personal information.
Since being approved in June 2018, the CCPA has already been amended — and it’s likely to be revised further. Numerous bills could make the CCPA even more stringent. If the CCPA applies to your company, it’s critical that you’re up to speed to avoid penalties. At the same time, this might feel like an overwhelming task when the regulations continue to grow more numerous and complex.
The Bad News
The practice of collecting consumer data has expanded without regulation for years. Many companies rapidly and successfully built themselves on this information, which underpins their marketing, product development, industry research, and corporate strategy. Now, they must make major operational changes, including the following:
- Tighten and clearly communicate the process whereby customers can request access to their data, have it erased, or transfer it to another data controller.
- Create new systems with better user management and/or potentially hire more IT staff.
- Consider outsourcing core services to an expert managed services provider if the company can’t cover expanded data-privacy needs in-house
- Work with pared-down data sets in the event that consumers withdraw their information.
Figuring out what to do to bring your company into compliance has never been more important — but you don’t have to work through it alone.
The Good News
Since California is a hotbed of startups, many young and medium-sized teams are flexible by nature. In contrast to industries like insurance, where many teams have processes set in stone over decades, most tech companies and tech unicorns are more nimble and willing to adapt to changing circumstances. Already, most of these have sent out updated privacy-policy emails to their customers:
In anticipation of CCPA enforcement — as well as the implementation of data privacy policies across 107 nations and nearly 15 other U.S. states — other industries are quickly following suit. In addition to email, some best practices are arising across sectors on the back end, including identity and access tools, specialized managed service providers, more efficient deletion of user data, and enhanced anomaly protections for suspicious user behavior.
Many companies are taking advantage of anomaly-detection tools to ensure that the users accessing consumer information are (1) who they say they are and (2) behaving appropriately. With large organizations giving access to a wide swath of users both internally (IT staff, marketers, managers) and externally (third-party contractors or consultants), it can be difficult to figure out who is logging in when and from where, and who is using what device(s). Implementing identity access and management tools that incorporate anomaly detection can be essential for avoiding fraudulent practices.
With Auth0, anomaly detection is customizable. Once enabled, you can set rules that alert administrators to any suspicious activity and block login attempts by specific users if, say, they are working with data they do not have authorization to use or they fail to enter the system with the correct password.
Teams have been testing and finding early success with these and other new features, like user dashboard views. Even if you're not a hot tech startup, you still have the advantage of proximity to some of the most cutting-edge technologies and resources in the world.
Seize the opportunity
The CCPA has strong momentum to become even more robust. As consumers continue to feel the damages from the massive Target and Equifax breaches, Cambridge Analytica’s data leaks, the recent Marriott breach and British Airways incident — they’re pushing their representatives for change. The original ballot initiative that gave rise to the CCPA had >600,000 signatures when it passed, nearly 2x the 366,000 minimum requirement. Private and public sector coalition backers included the Consumer Federation of California, DuckDuckGo, Consumer Reports, BLUR, DeleteMe, Catalina's List, the Center for Public Interest Law, the Parent Coalition for Student Privacy, and the Academy of Integrative Health & Medicine.
Instead of facing CCPA enforcement with anxiety or opposition, use this swelling public support for the measure to your advantage. Get ahead of the curve in rolling out privacy features to your users on the front end, improve your back-end policies with better identity and access management software to protect your customers, and build a reputable brand in difficult times.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.