Chief security officers already have their hands full with escalating risks and costs of data breaches, not to mention a global talent shortage. Now they’re facing more challenges from regulators, who continue to dole out new requirements for data security and privacy compliance in many markets.
The first jolt came with Europe’s General Data Protection Regulation (GDPR), which in 2018 introduced sweeping new privacy protections for consumers, including restrictions on solely automated decision-making that serve as early guardrails around the use of artificial intelligence. In the UK alone, the data protection authority that enforces GDPR, the Information Commissioner’s Office (ICO), has already announced more than $440 million in fines for major breaches and violations.
Now the U.S. is adding its own set of data-governance controls. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, gives California consumers the right to learn what personal information a covered business collects about them, to have it deleted, and to opt out of its sale to third parties. Businesses must honor those requests, and they need affirmative opt-in consent before selling the personal information of consumers under 16.
The rules will force thousands of companies to upgrade their data infrastructure, adopt new data-management practices, and ensure that staff is trained in new privacy and cybersecurity protocols.
Because of its broad scope and California’s outsized economy, the CCPA will likely influence additional state and federal efforts to regulate data security and consumer privacy. “Regulation like this is here to stay,” says Barbara Kay, senior director of security and risk product marketing at ServiceNow.
Smart companies, she adds, should view CCPA as a strategic opening, not just another compliance headache. “Consider CCPA a ‘1.0 Project’ to adapt your foundation for data usage, access, hygiene, and compliance reporting.”
How CCPA compares with GDPR
California is the world’s fifth-largest economy, with a $2.9 trillion GDP. The CCPA applies to any for-profit business that does business in California and meets at least one of these three thresholds:
- Annual gross revenue above $25 million;
- Annually buys, receives, sells, or shares the personal information of at least 50,000 California consumers, households, or devices;
- Derives at least half of its annual revenue from selling California consumers’ personal information.
More than 500,000 U.S. companies meet the threshold, according to the International Association of Privacy Professionals.
The California law has several similarities with GDPR, but there are some important differences. (See the comparison table below.) Where GDPR generally requires an opt-in lawful basis, such as consent, before a company collects and uses personal data, CCPA instead gives consumers an “opt out” right to block the sale of their data to third parties. Companies must also add a “Do Not Sell My Personal Information” link on websites and mobile apps.
Under CCPA, covered businesses must also disclose the categories of personal information they collect, sell, and share, and they must delete personal information if consumers request it. In addition, CCPA’s definition of “personal information” is in some respects broader than GDPR’s “personal data”: it explicitly lists browsing and search history as protected information and covers data about households as well as individuals.
In other ways, the CCPA is less restrictive than the GDPR. For instance, the California law doesn’t require companies to show a “legal basis” for collecting consumer data, such as a contract that requires data collection.
Bottom line: Companies need to understand the differences between CCPA and GDPR. “CIOs who believe they’re automatically compliant with CCPA because they have already ensured GDPR compliance are in for a shock,” says Ray Walsh, a UK-based digital privacy expert.
Even if your company doesn’t come under CCPA jurisdiction, you should pay attention to the new privacy requirements, as more are sure to follow. While Congress has taken up several piecemeal bills on data privacy, a comprehensive federal law remains on the drawing board. That’s one reason why more states are expected to follow California’s lead with their own regulations.
The CCPA presents significant challenges. Companies will need to maintain up-to-date data profiles about the information they hold on all customers. They also need to preserve inventories of all customer data on hand, including metadata and licensing information.
That’s more difficult than it sounds, given the rapid growth of enterprise data. (The “Global Datasphere,” a measure of how much data companies generate annually, will expand five-fold by 2025, according to IDC.)
“Data collection has become so routine in many industries that many businesses don’t have complete awareness of what they have,” says Stephen Newman, a partner at law firm Stroock & Stroock & Lavan in Los Angeles.
A bigger challenge is compliance with CCPA’s opt-out provisions. While it’s not clear how many consumers will pursue opt-outs, the numbers could be significant. In a recent trial conducted by privacy-rights vendor Truyo, one major retailer placed a “do-not-sell” link on the home screen of its mobile app. The link took users to a page with more information. Of the 30 million users who saw the link, 4% (1.2 million people) clicked through. Once the law is in force in 2020, users who click through will be able to complete the opt-out itself.
Companies also face new litigation risks under CCPA. When a breach of unencrypted, unredacted personal information results from a business’s failure to maintain reasonable security practices, affected consumers will be able to bring class-action lawsuits for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. That’s a bigger number than it seems: The $700 million settlement reached after the massive 2017 Equifax data breach pays out just $125 to each claimant, and only if they meet specific requirements.
It will be neither easy nor cheap for companies to deal with these new risk and compliance challenges. The silver lining is that building stronger risk management muscles can have longer-term payoffs. “They can be a good driver of integrating risk management into day-to-day experiences,” says ServiceNow’s Kay. “That’s the reality of the digital world we navigate today.”
| Issue | General Data Protection Regulation (GDPR) | California Consumer Privacy Act (CCPA) |
|---|---|---|
| Covered businesses | Established in the EU, or offering goods and services to EU residents | For-profit businesses with revenue over $25M; or with data on 50K+ CA consumers/households/devices; or deriving 50%+ of revenue from selling personal information |
| Enforcement arm | Data protection authority of each EU member state | California attorney general |
| Allowance for civil penalties | Up to €20 million or 4% of global annual turnover, whichever is higher | Up to $2,500 for each violation or $7,500 for each intentional violation |
| 'Cure' period for violations | None provided | 30 days after written notice of the alleged violation |
| Breach reporting timeline | 72 hours after awareness of breach | "In the most expedient time possible" (under California's existing breach-notification law) |
| Private right of action | Individuals can pursue claims for damages | For breaches of unencrypted personal information caused by inadequate security: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater |
| Consumer access requests | Companies must provide at least one method for submitting requests | Companies must provide at least two methods, including a toll-free telephone number and a website address |
| 'Do Not Sell My Personal Information' link | Not required | Required |