The rolling tide that is GDPR … say hello to the CCPA

Well, that didn’t take long! Now that the deadline has come and gone for any business that is subject to the EU’s GDPR, I was wondering how long it would be before some legislature, here in the U.S., would follow the EU’s lead and implement their own version of GDPR. As usual, California did not disappoint.

At whirlwind speed, and bowing to political pressure from a privacy rights advocate, the California legislature passed the California Consumer Privacy Act (CCPA). But, unfortunately for the businesses that must comply with the CCPA, less actual thought was put into the drafting of this Act than any piece of privacy legislation I’ve seen in the past two decades. Don’t get me wrong, I think the Act has some good provisions to it. But, it is deeply flawed, and my hope is that California lawmakers will come to their senses and fix the CCPA before it goes into effect on January 1, 2020. Whether they actually make the necessary repairs or not, this new gift from California will cost businesses across the U.S. billions of dollars in new compliance investments.

So, what’s in the CCPA? There are a few key points to understand:

• The Act doesn’t apply to all businesses, but the definition of who it does apply to is pretty broad, so you’ll need to look into that.
• Under the Act, the definition of “personal data” has been significantly broadened beyond its current, generally accepted, definition, to include a range of individual, or family, identifiers.
• The Act establishes a right to access and a right to request information, which, like GDPR, will allow any California resident the right to see what information a business has about them, and to do so up to twice each year.
• Also, like GDPR, the Act establish what is commonly referred to as the “right to be forgotten”. This is a particularly challenging area of the Act given how businesses leverage technology to manage data through the use of third-party cloud solutions and distributed formats.
• Most notably, the CCPA may establish (there is still some debate about this because of the wording of the Act) a right of individual action. This would allow individuals to sue businesses, not only for actual violations of the CCPA, with regards to their personal data, but also for a business’ failure to comply with the provisions of the CCPA in the absence of individual damage.

So, why should you care? Well, as with most regulations, the riskiest point of failure as businesses seek to achieve compliance rests with the individuals who use the protected data. Like many businesses subject to GDPR you’ll need to train your employees to assure awareness of, and compliance with, the CCPA’s requirements. Most compliance violations begin with an individual doing something wrong, and their actions, often unintentional, have the potential to cost your business in fines, reputational damage, and lawsuits. You’re also going to want to get ahead of the CCPA while there is runway to do so. There will likely be changes between now and 2020, so you’ll need to stay on top of them. Even if you do not conduct business with California residents I expect that other states will follow California’s lead and pass similar legislation pretty quickly.

We’re on an upswing of new regulations so hold on – it will likely be a bumpy ride.

***** 

You can receive more insights into security awareness by signing up for the Security Smart Newsletter. The newsletter is an employee education program designed to help build security awareness by making security reminders and information fun, interesting, and engaging to all your employees; saving you and your organization precious time on your security awareness program. To learn more about the newsletter and the subscription options, please click here!