The California Consumer Privacy Act went into effect January 1st, 2020, subjecting U.S. businesses to a wide range of privacy regulations.
U.S. citizens have largely been shielded from the international privacy laws recently enacted in Europe and other countries. Until now, Americans' data has been held, and in some cases released, with very little penalty. As of January 1st, 2020, the California Consumer Privacy Act (CCPA) is in effect, protecting Americans from companies selling, retaining, or putting their data at risk. Aparavi will make CCPA compliance and data collection easier by enabling organizations to quickly locate data impacted by this new law while protecting consumer data. Here are some important questions surrounding CCPA to help you decide how the law will affect you.
Consumers will now be in control of the data that businesses collect about them. Much like GDPR in Europe, consumers will be able to request the removal of certain types of data, and companies will be required to provide more information on the types of data they collect. This should go a long way toward building consumer confidence if customers take advantage of the law. To date, very few GDPR requests have reached the mainstream media.
CCPA is a landmark regulation because it gives control back to the individual consumers and forces companies to manage collected data more carefully. If there is some sort of data breach or data leak, companies will be held accountable and penalties will be strict. To date, companies have had very little necessity to pay back the consumer in the event of some sort of security incident. This law will now give the consumer more confidence and allow companies that invest in good governance to build a trusted relationship with their customers, ensuring them that their data will be handled with care and managed properly.
What CCPA means is that consumers will be able to ask anyone from Twitter to Walmart to disclose what data they are collecting, simply by using a website or phone number. Those companies will also have to include an option on their websites, profiles, or online retail forms that allows consumers to state, "Do not use my personal information for third-party use." Consumers can also request that the company delete their data. Businesses will not be able to penalize consumers for refusing to allow the use of their personal information.
The California Consumer Privacy Act will apply to all organizations that do business within the state of California. Organizations will need to apply data privacy and protection to all consumer data for California residents. Consumers in California will have the ability to request their data be removed and not solicited. You will likely see most organizations who do business in California adjust their data handling methods nationally to address this compliance law.
This is in effect a national law for anyone that conducts business in any way with California. Other states, like New York and Florida, are soon to follow.
Companies maintain much more than just your name, address, and email. This is driven by apps and websites that track what we purchase and where we visit, and by the many online retailers and websites that require you to assemble detailed profiles describing exactly who you are. This information can include other types of data as well, such as family history and interests.
The new law will cover data types that contain a customer's personal information. This data might include social media data or personally identifiable information like addresses, phone numbers, and names. Other data might contain location or consumer information that was collected by third-party companies.
One important aspect of the new act is that it does NOT apply to medical data. Medical data is subject to the CMIA, the California Confidentiality of Medical Information Act. Nor does it apply to protected health information gathered by allowed sources or organizational associates that are covered under the HIPAA privacy law's breach and security rules. Additionally, entities subject to CMIA and/or HIPAA are not covered under CCPA if they maintain all patient information in the same manner as they maintain medical information or protected health information subject to CMIA and HIPAA. CCPA also exempts information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, among other exemptions.
Organizations that violate the law will face fines and reputational damage. Fines would be levied in the thousands per incident and could become a huge burden if many violations are reported at any given time. Unlike the GDPR regulation, where the fines could be 5% of a company's yearly revenue, the fines for violating CCPA fall within a range depending on the severity. There is a provision in the law that releases the liability if the company remedies the problem quickly. Consumers will also be able to collect damages in a civil court per incident.
Some think that California may not have the resources to handle the law and all the potential cases that may arise. In effect, it could cause an influx of CCPA-related civil cases that will clog up the courts for years, in my opinion. However, I do believe this will give the consumer a means to force organizations to manage their customer data better than they have in the past. Organizations are going to need to find tools to classify, regulate, and remove data that poses a risk to their organization, which is not a practice they have today.
CCPA is only the beginning. New York and Florida are currently defining their own versions of this law, which may differ in key aspects while addressing the same broad concern. In the coming years, we will see most states enact some variation of these laws and apply stiff penalties for data breach or security incidents that put consumer data at risk.
Companies need to start managing their data more effectively, implementing data workflow applications that maintain a proper data lifecycle and add elements of classification, data compliance, discovery, and retention. Aparavi can be a key tool in data lifecycle management, helping your organization effectively manage high-risk data types and helping you comply with these new laws and those yet to come.
Maintaining a proper data security posture to protect your high-risk customer data is what these new laws are demanding. Aparavi, with Data Awareness, enables collection, organization, classification, and management of your data, providing the governance needed under these regulations.
Global and national organizations must maintain a proper data security posture in order to continue to do business in the world moving forward. Today's organizational data management processes are antiquated at best and will no longer provide adequate safety for an organization's data. Data kept about customers or users must be easy to locate, easy to search, easy to retrieve, and, more importantly, easy to dispose of when requested.
Most organizations that I continue to have discussions with are nowhere close to being prepared to produce or handle incoming data requests. Most have no idea how to even start the data collection process. Organizations will have to adopt proper data management strategies if they are to keep their organization's data safe. They cannot afford to wait until they are challenged by a customer, or worse, by the government, to deliver or act on data. Aparavi can deliver a solution to this challenge today.