California’s “CCPA” Has a Potentially Huge Footprint.
On June 28, 2018, the State of California passed into law a controversial landmark measure affecting not only the state of California but companies around the globe who have customers in that state. The California Consumer Privacy Act (CCPA) was drawn up in direct response to the backlash from high-profile data breaches, as well as the increasing trend of mishandling of personal data by brokers and marketing agencies. The CCPA, often compared with Europe’s General Data Protection Regulation (GDPR), was designed to protect consumers from maladministration of their private data by giving the consumer control over what data is shared or sold. But at what cost?
The new law is meant to protect California’s citizens, but it doesn’t stop there. The law provides the California Attorney General with authorization to enforce it by imposing stiff fines on any company, regardless of its physical location, with over 50,000 customers who reside in California. With a population of nearly 40 million people and a state economy that would rank in the top ten of the world’s economies if it were a stand-alone nation, this piece of legislation clearly has a huge footprint.
The law sides with consumer rights and empowers consumers with more control over their personal data. Consumers can choose if and how their information is shared, see what information is stored, and request that it be deleted. The law makes companies more accountable for how they manage data and allows for tough penalties for businesses that are not in compliance.
Given the scope of CCPA and the liabilities it creates, companies have cause for concern. The law is described by both those who oppose and support it as being very stringent. So much so that business owners around the country have eyes on the law, watching to see how it is handled before its effective date of January 1, 2020.
Proactive companies recognize the challenges created by the new standard and will act accordingly.
January 1, 2020, isn’t that far in the future. With the significance of this law so great, and the task of complying with its stipulations so essential, prudent companies are faced with a real challenge to uncover solutions. And solutions are what Fusion Risk Management is all about. We took an opportunity to talk with Cory Cowgill, technical architect and Chief Technology Officer at Fusion Risk Management, about the concerns raised by the CCPA and real-world answers to this unique challenge. Fusion helps companies prepare, manage, and act in any situation with their unique combination of consulting services and software solutions, including their award-winning software – the Fusion Framework System.
On the surface, it is easy to draw a connection between the CCPA and Europe’s GDPR. They share the same goal of protecting consumer information. Cowgill offered us some key differences between the laws that companies must consider.
“Although a lot of the core principles are the same as far as the right to data deletion, the right to understand what they’re doing with your data and the right to have your data be deleted – a lot of those fundamental rights enumerated in GDPR are in the California law,” he said.
Cowgill explained there are key differences in the data that is protected. Where GDPR has broad coverage, CCPA is very specific in scoping out Personally Identifiable Data that is protected under its provisions. The California law specifically mentions information like Social Security, bank account data, and credit card numbers.
Another key difference is that CCPA is very focused on consumers. GDPR is more general, whereas CCPA is more concerned with how businesses are profiting from their customers’ data. A third important difference is that, under CCPA, companies who are found to be negligent can face much steeper fines. The GDPR has a maximum fine, whereas the CCPA allows for a “per instance” maximum of up to $7,500. Cowgill does advise that companies already compliant with GDPR are already “in good shape” to comply with the new CCPA standards and can achieve full compliance with some minor “tweaks” to their existing program.
There is a lot of mixed opinion on the California law. On one hand, the CCPA passed quickly with great support on both sides of the political spectrum. On the other hand, some insiders refer to it as being a fait accompli by the state, costly, and just another government regulation that hurts commerce. Despite varying opinions on the new law, it will be a reality in a little more than a year.
With the unique perspective of a Chief Technology Officer and as a leader in business continuity risk management, Cory’s insight is that this law, regardless of the current political climate, will most likely inspire similar federal legislation at some point in the future. A federally regulated standard would be easier for U.S.-based companies to successfully comply with, as opposed to a patchwork of separate state regulations.
How does a company that isn’t already organized to comply with GDPR standards set itself up for success under regulations like CCPA?
“Companies need to get organized and start reviewing this legislation and thinking about what data they are holding on to and how they are locking down that information,” Cowgill said. “It can be as simple as just getting started with a survey of your business units and examining what data is stored.”
Cowgill notes the importance of seeking out legal counsel to interpret the legislation and then working with a consulting firm to understand what measures are necessary. A plug-and-play system where you simply purchase a piece of software isn’t going to be enough to ensure compliance with these new regulations.
CCPA could very well be a part of the evolution of E-Commerce and a new sign of the times.
Regulatory measures like CCPA cause concern about the cost of doing business. The climate is changing when it comes to the demands customers have for how their information is handled. It’s likely that CCPA will change how all online business is done.
With its effective date looming, tech companies should feel a sense of obligation to secure their customer information, and consumers should have the right to request that their information remain private. For this reason, and in light of severe mishandling of data, it is inevitable that changes are on the horizon on a grand scale. Prudent ventures will realize the benefit of acting sooner rather than later to meet this demand for privacy.
By: Cody Bowcut, Contributing Editor