I was recently at a conference in the Bay Area attended by CISOs, Chief Privacy Officers, and Chief Compliance Officers. When asked about the long road to prepare for and comply with GDPR, their responses often sounded like those of a fatigued yet proud runner completing a first marathon (some are still running to get compliant).
With the California Consumer Privacy Act (CCPA) recently passed in June, many follow-up questions revolved around how organizations should address this new set of compliance requirements. A long sigh typically prefaced their response to dealing with another round of data privacy regulations, this time born in the U.S.
Their responses often referred to the CCPA as “GDPR-lite” or “US-GDPR.” Those that have already taken steps to comply with GDPR will naturally have less of an uphill trek to address the CCPA, but for others it will not be a “lite” experience and will require flexing new compliance muscles to meet the requirements.
The key provisions in the CCPA include the following:
• Right to access all data collected about you by a business
• Right to opt-out of the sales of your personal information
• Right to delete your data
• Right to data portability
• Right to private action when companies breach your data
Though there are many similarities to GDPR, there are also some key aspects of the act that differ.
The CCPA applies to for-profit entities that do business in California that either have over $25M in annual revenue, annually process personal information of more than 50k California residents, or where more than half of annual revenue originates from the sale of personal information.
The two laws define similar roles, though the terminology differs. Under GDPR a data subject is any EU citizen, data controllers assume responsibility for protecting personal data, and data processors are external affiliates that process personal data on behalf of the controller. Under the CCPA, consumers are any California resident, businesses are for-profit entities that meet the criteria above, service providers are for-profit entities that process data on behalf of the business, and third parties are any entity not defined as a business or service provider.
When it comes to what is considered personally identifiable information (PII), the CCPA takes a much broader stance on what is covered. In addition to the name, address, or phone number typically covered by GDPR, data such as purchasing histories, internet activity including browsing and search, and geolocation data are now considered PII. At the end of the day, under the CCPA it doesn’t really matter what category the information falls under if it can identify a consumer or a household.
Unlike the GDPR penalties for noncompliance, which take into account 10 criteria to determine the amount of the fine, up to the greater of €20M or 4% of annual global revenue, the CCPA outlines the following fines:
• Up to $7,500 per violation for noncompliance
• Up to the greater of $750 in statutory damages per incident, per customer, or actual damages for a data breach
These fines may seem like they lack bite, but a noncompliance violation affecting just 1,000 customers would lead to a $7.5M fine. Now imagine the potential fine impacting 10,000 or 100,000 customers.
Organizations that fall under the purview of GDPR have already had a primer in complying with data privacy regulations. Those that have experienced a smoother journey to GDPR compliance have done so by leveraging identity, and this can also apply to the CCPA. With an identity-centric approach you can better assess risk by knowing where PII exists, who has access to it, and where you are exposed. You can then implement controls to protect access to PII according to privacy requirements, and automate the detection of non-compliant activity. It was no surprise to hear one Chief Privacy Officer mention that identity was key to addressing GDPR and will help with future data privacy initiatives.
So what can organizations do to position themselves for success as they get ready for the CCPA? The first step is to establish insight into where data resides, what sensitive data it contains, and who has access to it. By implementing an identity program that extends across all users, applications, and data, you can:
• Gain visibility to PII across the enterprise
• Control who should have access
• Monitor who is accessing customer data
• Demonstrate and report on compliance
Weaving identity governance into the fabric of your data privacy strategy will enable you to strengthen your security posture, incorporate automation to efficiently govern data across the enterprise, and prepare your organization to comply with the CCPA along with the inevitable wave of other new privacy regulations.
Sign up for an upcoming live demo to learn more about how a comprehensive identity framework can help put your organization on the right path to CCPA compliance.