The California Consumer Privacy Act (CCPA)

First off…Why do we care?

Well, we care because the CCPA is a stringent and vital measure taken in response to an often underestimated hazard: our exposure to an ever-expanding digital world that shows no signs of slowing down. Even before the spread of COVID-19 began a massive shift toward electronic and remote methodologies and solutions, people, businesses, and governments were calling for tighter cybersecurity to keep pace with this rising market.

Holding the trophy as the strictest data privacy act in the United States, this law likely gained its momentum from the 2018 passing of the GDPR (General Data Protection Regulation) in the EU. The GDPR is similar in that it is also a data privacy law, but the two are not equivalent.

But why now?

Social media platforms are an enormous chunk of American life. For many, they are the primary and sole source of news. The 2016 presidential election in the US brought into focus the sobering truth that our psyches are being toyed with. Often it is subliminal or “seeded” so slightly that all it does is create an odd feeling, an unusual feeling, maybe a doubt that wasn’t there before. There is factual data revealing that these advertisements, articles, videos, etc. are intentionally and strategically placed through algorithms, with much time and effort put into carefully tailoring both the methods and the audience to whom they appear. Manipulation of emotions and mentality, and “seeding” your thoughts…for a hidden and strategized end game.

These truths coming to light have heightened the public demand for security around our digital platforms, assets, and data. If entities or companies or politicians can wreak havoc on our mind and beliefs, why not the other parts of our world? Finances? Medical records? Careers? And the most basic and precious aspect of our lives - identity? Personal data is the new gold.

Your smartphone, computer, tablet, really anything through which you pass information to an outside source electronically, creates a bridge along which your personal information travels. It can be hard to grasp the full nature of these “digital pathways,” and many people feel that what happens to their personal data is outside their control.

From the CONSUMER perspective: “How exactly is this Act holding companies more accountable? How does that help me?”

The CCPA is a pioneering step enacted by the state of California with the intent of bringing more visibility and more control over that core question: What happens to your personal information once you’ve provided it?

It is a defensive action, protecting consumers from the unwanted sale of their information, and holding companies to an elevated security standard to protect your information by enacting serious consequences for not following this law. The CCPA is looking out for your best interests!

It requires that companies meeting the defined criteria provide a clear “Do Not Sell My Personal Data” link on their homepage. The CCPA also necessitates (among other things) that they disclose in their privacy policy the types of information they collect, the purposes for which they collect it, and to whom and why they sell your data. So even if you missed the opt-out option, the state government is still looking out for your personal privacy.

From a COMPANY perspective: “Why should I take steps for my company to be compliant? What consequences would I face?”

Your company is likely already familiar with CalOPPA (the California Online Privacy Protection Act). While CalOPPA and the CCPA have some similarities, it is important to note key distinctions in their directives. Your privacy policy must include specifics about your methods for collecting and selling an individual’s personal information, including how a consumer is able to opt out entirely and erase their information from your database, and the security process you have in place for verifying the identity of the person making such a request.

As far as consequences…the CCPA can be a VERY expensive law to break! First off, it grants consumers the right to sue if there is a breach and unauthorized use of their personal data. In addition, there are civil penalties. After you receive notification of your noncompliance, if you have not taken steps toward rectification within 30 days, the California Attorney General will initiate a civil case against you. A fine of up to $7,500 per violation can then be imposed if a data breach has occurred. So if you violate the CCPA rights of 1,000 of your users, that’s $7.5 million! And even if there has been NO data breach, the AG can still prosecute your business. Safe to say it’s worth the effort to be in compliance.

From a BIG PICTURE perspective…or some “End Takeaways:”

Businesses out there are collecting your personal information through cookies, algorithms, and a variety of other means: your favorite department store, the college you attended in a different state, the local car dealer where you just purchased a new vehicle, the office where you get your taxes done. It’s just the nature of the animal.

I hope this is the first of many security-enhancing measures that will be implemented across the States…or a “change in the wind,” if you will. With more and more businesses moving to digital means of providing their services, a resounding response in the security and defense of those new pathways is needed.

At least for those that know what’s best for business integrity and business longevity.

The writing is on the wall, folks.

To learn more about Governance, Risk and Compliance security services from ProtectedIT, contact us here.