What does the enforcement of CCPA mean for businesses?

Written by Martin Sugden, CEO Boldon James, a HelpSystems company 

Last month saw the California Consumer Privacy Act (CCPA) enter the enforcement phase on 1st July, despite lobbying from some business groups to delay it, with many stating that owing to the impact of COVID-19, they wouldn’t be able to dedicate the manpower, resources and time to CCPA in order to prepare for it.

The implementation means that California’s Attorney General (AG) will be able to take direct action against businesses that violate the privacy protection requirements of the CCPA. The law has been in effect since 1st January 2020, but until now enforcement was limited to civil actions brought by consumers against violators.

Over the last few months, the AG’s office has been busy finalising how to assess penalties, how to define a breach and how to justify the size of a fine levied for violating the CCPA. Already, the extent to which businesses are concerned about meeting these new regulations is evidenced by the calls to delay the start of enforcement. However, California’s Attorney General Xavier Becerra was unmoved on the timing, stating that enforcement of the regulation would commence as planned and saying: “We encourage businesses to be particularly mindful of data security in this time of emergency.”

For those less familiar, the CCPA is a state-wide data privacy law that regulates how businesses all over the world can handle the personal information (PI) of California residents.  It is the US (Californian) counterpart of the European General Data Protection Regulation (GDPR) which came into force in May 2018.  However, the difference between GDPR and CCPA is that the CCPA’s definition is extra-personal, meaning that it includes data that is not specific to an individual, but is categorised as household data, whereas the GDPR remains exclusively individual.

Not long ago organisations operated closed systems, with most data processing taking place in their own environment and the ability to communicate directly with the outside world limited to email and telephone. The data protection laws in place then were benign, with only repeat or very serious offenders receiving a fine. The data protection landscape and its associated compliance environment changed fundamentally with the implementation of the GDPR, with many other privacy regulations following suit around the globe. California is the first US state to address the issue, however, Singapore, India and many other large economies have already published GDPR equivalents each with their own local flavour.

Now that CCPA is in force, it will be interesting to see what size of fines and types of action will be issued. It was about a year after the launch of GDPR, that the first fines were issued by the ICO and they left no one in any doubt that this regulation has teeth. Record financial penalties for organisations such as Google, Facebook, Marriott and British Airways were a salutary lesson to businesses across the board that they cannot afford to fail against these regulations. Increasing public awareness of privacy rights means the damage is not just financial, but reputational too, a factor that is infinitely more difficult to measure, but can be catastrophic and long-lasting.

The tone from the various regulatory bodies’ communications around COVID-19 indicates that businesses cannot afford to take their eye off the data protection ball, even during these challenging times and California having gone ahead of the other states is clearly serious about data protetction.

When it comes to privacy, most countries have aligned to the standard of GDPR with some appropriate domestic legislation incorporated, such as I’ve indicated above with regard to CCPA. Therefore, I would say that if organisations work to incorporate GDPR requirements – including the mandate to ensure data protection by design and default – into their compliance regime, they won’t go far wrong.

So how do you comply and get some value for your organisation? While compliance with data protection regulations is non-negotiable and the penalties for failure are severe, it is a mistake to see compliance solely as an inevitable burden. With an intelligent and proactive approach, organisations can pivot from viewing compliance only as an expense and turn it into a positive competitive differentiator and one that, over the long term, will deliver efficiencies and cost reductions.

With this in mind, what steps should organisations take to sensibly adopt a better data protection posture and with it, build a firm foundation towards onward compliance? This is where data classification is a robust and critical first step in any compliance and data protection strategy.   Data classification is defined as a tool for the categorisation of data to enable organisations to effectively answer questions around what data types are available and where and how certain data is located, shared, and used.  Here at Boldon James we have been helping organisations for over 35 years put in place the right data classification and secure messaging, to meet their compliance objectives.  Therefore, as CCPA is now in force, I thought it would be helpful to share a few pointers to home in on when looking at data classification and your compliance strategy:

  • IT security and operations do not own business data – so do not look to the CISO for all the answers, his job is to help you, not do your job.
  • Identify and engage stakeholders right across the business, including risk, legal, and compliance. This is critical to the success of your compliance programme.
  • Data stewardship will correctly align to regulations only when the data owners are identified and engaged.
  • Organisations must educate users about the sensitivity of data and ensure the appropriate controls are in place around confidential and sensitive information.
  • Alert users in real time that their actions may involve risk, for example, when data is leaving the organisation to warn them before sending messages that contain sensitive information. Allowing an automated gateway to put it in a queue slows the business down and helps no one.
  • The first step is the need to classify or label data with visual labels to highlight any specific handling requirements.
  • Then, secondly, ensure metadata labels can be read by other security tools to enforce security controls to stop unauthorised distribution of data.
  • Link data classification tools to solutions such as DLP, encryption, access control and rights management to enhance overall data protection.
  • Make sure you provide critical audit information on classification events to enable remediation activity and determine your compliance position to the regulatory authorities.

It will be interesting to see how CCPA is adopted and how draconian the first few fines are.  Hopefully, the pointers I’ve outlined above will set you on the right path and keep your business out of the headlines.  If you are interested in finding out more about how data classification can help, why not download our whitepaper Classification By Design: The Foundation of Effective Data Protection Compliance.