The California state legislature just adjourned without watering down the California Consumer Privacy Act (as industry lobbyists had hoped), clearing the way for the law to go into effect in January 2020. The CCPA is the first privacy law in the United States comparable to the European Union’s GDPR, which was invoked this year to fine British Airways $230 million over a data breach. Now is the time for organizations to understand their risks under the CCPA in financial terms and to plan a sensible, cost-effective response.
To begin, we’ll explore the regulation and how it could impact companies before digging into how they can be ready by January 1.
What is the CCPA?
The Act is structured to improve the visibility, access, and control a ‘consumer’ (defined as a natural person who is a California resident) has over data stored by a business. As it’s currently written, a consumer has the right to know what personal information has been collected, where it was sourced, how it’s being used, whether it’s being sold/disclosed, and if so, who it’s been sold/disclosed to. Additionally, a consumer has the right to “opt out” of their information being sold to third parties and can request data deletion at any time.
It’s not just California-based businesses that will be affected. The law covers any for-profit company that does business with California consumers and that 1) has annual revenues greater than $25 million, 2) holds or discloses the personal information of more than 50 million California residents, or 3) earns more than 50% of its annual revenue from selling California residents’ personal information. With thresholds this broad, the Act has a far-reaching scope that makes it applicable to most global companies.
How are fines structured and enforced?
The California Attorney General is responsible for enforcing the CCPA and can impose civil penalties of up to $7,500 per intentional violation. In addition, should consumers pursue a private action either as individuals or as a class, statutory damages can range from $100 to $750 per resident per incident. Once a suit is filed, the organization in question has 30 days to demonstrate that the violation has been cured.
That’s a rough translation from legalese, but let’s look at a potential scenario.
Let’s say a class of 100,000 consumers files suit against ABC Corp. claiming that they don’t have appropriate visibility into the collection and use of their personal information, including its use by third parties. ABC Corp. will have 30 days to address the concern and take appropriate measures. If after 30 days the violation hasn’t been cured and the suit proceeds, ABC Corp. could face upwards of $75,000,000 in statutory damages.
What can companies do to prepare?
Based on my conversations with security teams, legal departments, and risk groups about the CCPA over the past few months, there seems to be a bit of confusion regarding the scope and impact of this regulation. Many people are struggling with gaining a complete understanding of the requirements in order to comply.
At its core, the regulation aims to ensure organizations have a strong understanding of their data inventory and of how data flows through their various systems. Those systems must then allow a quick response to customer requests for visibility into the use of their personal information, as well as the ability to delete it if need be. Sounds simple, right?
I think it’s safe to say many organizations wouldn’t be able to do this today. As organizations work towards CCPA compliance, step one will be to track down and inventory customer data. Once that’s complete, they’ll need to update their core systems and establish the necessary workflows to respond to customer requests, and finally purge data that doesn’t provide business value.
Obviously, these projects can be quite massive in scale and require significant investment of time, money, and human capital. In order to justify the expense, organizations can leverage FAIR quantitative risk analysis (the model that powers RiskLens) to assess the loss exposure they could be facing and conduct cost-benefit analysis to demonstrate the risk reduction achieved by pursuing these projects. Not only would this help make the business case internally, but these analyses can be leveraged externally to demonstrate to regulators that your organization understands and is focusing on what matters most.
For example, working with FAIR towards CCPA compliance, organizations can answer questions such as:
- By how much do we decrease the impact of fines and judgements if we rearchitect certain systems and policies to comply?
- How would a re-architecture of systems affect the frequency of a breach by a malicious external actor?
- By how much are we reducing our risk exposure if we implement file-level encryption across a key database?
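As an added illustration of the FAIR-style cost-benefit question above (a constructed example, not RiskLens code or an official FAIR implementation), this Python sketch samples loss event frequency and per-incident statutory damages within the CCPA’s $100-$750 per-resident range, then compares a baseline against a re-architected scenario. Every frequency range, record-count range and the $300 most-likely per-resident figure is an assumed value chosen for the demonstration.

```python
import math
import random

# CCPA statutory damages per resident per incident, as stated in the post
PER_RESIDENT_MIN = 100
PER_RESIDENT_MAX = 750


def statutory_damages_range(class_size):
    """Floor and ceiling of statutory damages for one incident affecting class_size residents."""
    return class_size * PER_RESIDENT_MIN, class_size * PER_RESIDENT_MAX


def _poisson(rng, lam):
    """Knuth's inverse-transform sampler: number of incidents in a year given rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq, records, per_resident_mode=300, trials=20000, seed=1):
    """Monte Carlo annualized loss exposure from CCPA statutory damages.
    freq    = (min, most_likely, max) qualifying incidents per year (loss event frequency)
    records = (min, most_likely, max) California residents affected per incident
    Each trial samples a rate, draws a Poisson incident count, and sums per-incident damages.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        rate = rng.triangular(freq[0], freq[2], freq[1])
        total = 0.0
        for _ in range(_poisson(rng, rate)):
            affected = rng.triangular(records[0], records[2], records[1])
            per_head = rng.triangular(PER_RESIDENT_MIN, PER_RESIDENT_MAX, per_resident_mode)
            total += affected * per_head
        annual.append(total)
    annual.sort()
    return {"mean": sum(annual) / trials, "p90": annual[int(0.9 * trials)], "max": annual[-1]}


def compare_scenarios():
    """Baseline versus re-architected controls; every parameter value is a constructed assumption."""
    baseline = simulate_annual_loss(freq=(0.1, 0.5, 1.0), records=(20_000, 100_000, 500_000))
    # Re-architecture is assumed to cut incident frequency; file-level encryption on the key
    # database is assumed to shrink the number of resident records exposed per incident.
    mitigated = simulate_annual_loss(freq=(0.05, 0.2, 0.4), records=(5_000, 30_000, 100_000))
    return baseline, mitigated, baseline["mean"] - mitigated["mean"]
```

The difference in mean annualized loss returned by compare_scenarios() is the figure to weigh against the cost of the re-architecture project.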
To wrap things up, it’s no secret that privacy and data security are top of mind for governments and regulatory bodies. The CCPA is the first example in the USA and I’m sure more are on the way. As a result, the time is now for organizations to improve their regulatory preparedness and structure their core systems and data flows in a transparent fashion. In that same vein, regulators want to be able to see that you are identifying and understanding what matters most in terms of consumer protection and investing appropriate time and resources to mitigating risk to an acceptable level. By leveraging FAIR, organizations have found an objective model for communicating effectively and confidently regarding their security activities.