CCPA will go into effect on Jan. 1, 2020. Take action now.
As goes California, so goes the nation. Therefore, it should not surprise us that the first state in the union to create a law to protect citizen privacy is California.
The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020. With the New Year, businesses that meet the threshold for CCPA compliance must protect the privacy of Californians by honoring several rights, including the Right to Access, Right to Know, Right to Opt-Out and Right to Deletion.
With seven or so months before the enactment of CCPA, here’s how to prepare for compliance.
Does CCPA apply to your company?
CCPA defines covered entities as doing business in the state of California and that satisfy one or more of the following thresholds:
- Gross revenue in excess of $25 million
- Receives personal information on 50,000 or more consumers
- Derives 50 percent or more annual revenue from selling consumers’ personal information
If your business isn’t located in California, do you have to comply with CCPA? If you do business over the Internet and meet one of the thresholds, the answer is likely yes. Also, as many as 11 states have privacy regulations in the works, but don’t expect a federal statute to clarify the clutter with privacy anytime soon. As one law firm that specializes in privacy and security put it, “federal preemption of state privacy laws remains a matter of significant controversy, and a bill with bipartisan support would likely have to contain many of the already-existing rights and obligations under CCPA.”
Like it or not, privacy regulation is coming to the US. Ramping up for CCPA will aid compliance with other state privacy laws and even a federal privacy law. The challenge? It’s a bigger deal than you may realize.
Privacy’s Pandora’s Box
What makes CCPA challenging is it isn’t just about compliance. It’s a regulation that also opens organizations up to multiple areas of risk due to the reach of the requirements. As a result, CCPA impacts processes for IT, information security, third parties, identity management, vulnerability remediation and incident response.
In meeting the requirements for CCPA, you must “detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. Also, debug to identify and repair errors that impair existing intended functionality.” (1798.100. D2-3)
Delivering on consumer rights like opt-out and deletion isn’t just about communicating intention. You must as CCPA states: “subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.” (1798.100. S-3) The objective is to bring permanence to the consumer request.
Bottom line: you’ll need consumer-facing and back-office processes for protecting personally identifiable information and honoring requests from data subjects like issuing disclosures and answering consumer requests. That’s true whether the data resides with the company or with a third party.
Enlist the right technology for CCPA
Many companies have a bunch of technology tools in use. Most excel at their one-off responsibilities. For CCPA requirements that are broad and encompassing, you don’t need yet another single purpose tool.
You need a technology platform that is ideal for managing compliance and performs integrated risk management. Such a platform automatically integrates data from configuration monitoring and vulnerability scanners, streamlines assessments of third parties, simplifies policy management and facilitates incident response, reporting and collaboration with stakeholders.
No regulation is set in stone, and it’s especially true with CCPA. The right platform is agile, enabling you to adapt when privacy regulations change or new regulations are enacted, which is a near certainty with US state or federal privacy. The platform lets you focus on your business, not new privacy regulations.
January 1, 2020 will be here soon. And with it will come the first in the union privacy regulation. You can expect more states to follow and more mayhem from Washington. Take the best practice route by creating new processes and implementing the right technology that can integrate multiple risk areas and streamline privacy compliance.
Learn some practical steps to getting in control of PCI compliance.
Learn about NERC’s record fine, the causes and what can be done to prevent it with a healthy compliance management program.
March 1, 2019 is the deadline for covered entities to comply with the final phase of 23 NYCRR 500. Is your organization ready?