California took bold steps to protect consumer data in 2018 with the California Consumer Privacy Act (CCPA), the first U.S. data privacy regulation that promised strict oversight and severe financial risk for businesses. This landmark legislation increased awareness about the need to protect consumer data and the individual rights of a user. It took steps toward greater transparency by regulating how companies collect and use consumer data.
California voters showed they were completely on board with the law by recently voting to create the California Privacy Protection Agency and expand the CCPA through the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023.
The new law broadens the existing CCPA definition of an individual’s sensitive data to include any information reasonably capable of being associated with a person. The new law also makes it easier for consumers to regulate the processing of sensitive information.
What this means is that companies are forced, once again, to take stock of their data management and cybersecurity processes and create best practices. This includes regular assessments of data across its entire lifecycle to evaluate the value of that information to the organization and to determine whether it should be appropriately sanitized or stored securely.
Also see: Best Data Analytics Tools
Far-Reaching Privacy Law
There may be some confusion about CCPA compliance, but make no mistake, any business that meets certain criteria—no matter where it’s located—must comply with the law if it wants to do business in California. With a population of 39 million, the number one economy in the U.S., and a growth rate only exceeded by China, California is a highly desirable market for businesses around the world.
Companies that must comply with the CCPA include those that operate for profit and that determine the purposes and means of data processing. Furthermore, they exceed at least one of the following three revenue/information processing thresholds:
- Have annual gross revenues of $25 million (USD) or more.
- Derives 50% or more of its annual revenue from selling or sharing California residents’ personal information.
- Annually buys, sells, or shares the personal information of 100,000 or more California residents or households.
Also see: Top Business Intelligence Software
Achieving CCPA Compliance Through Data Management Best Practices
One goal of the expanded law is to create greater trust among consumers by assuring that their data will not be mishandled. To accomplish this, the CPRA expands upon the CCPA by setting limitations on the collection, storage, and usage of personal and sensitive data beyond a certain time frame that’s been agreed upon with the consumer.
Some of the key changes to keep in mind include:
- The collection, use, retention, and sharing of personal information must achieve the purposes for which the personal information was collected. This will require the regular assessment of data across its entire lifecycle to evaluate the value of the information to the organization and to determine whether it should be sanitized or securely stored.
- A comprehensive audit trail of data across its lifecycle, from point of collection to sanitization, must be maintained. This will allow data to be accounted for in the unfortunate event of a data breach.
- Consumers will have the right to correct inaccurate information and limit the use of sensitive personal information.
- The new law also expands the right of access to cover information collected over a longer period of time and removes exceptions that allow businesses to refuse deletion requests.
Chances are that all of the above will require companies to adapt their current processes and implement best-in-class data management practices.
Also see: Data Mining Techniques
Better Enforcement, Stiffer Fines
The consequences of non-compliance are stiff. The California Protection Agency in conjunction with the California Attorney’s Office will be empowered to bring both civil and administrative enforcement actions against any business suspected of violating the updated CCPA law, starting on July 1, 2023.
Business owners found in violation of the CCPA could face administration fines of up to $2,500 for each violation and up to $7,500 for each intentional violation. Penalties for misuse of a child’s information are especially heavy.
Non-compliance related to processing a minor’s personal information, such as requiring opt-in consent from either the minor (if between 13 and 15 years of age) or their parent/guardian (if 12 or under), have tripled for negligent violations involving children aged 16 and under.
Also see: Real Time Data Management Trends
A Win for Consumers and Businesses
The bottom line is that the CCPA is a good thing for consumers. The measures in the original CCPA, as well as requirements associated with the new and improved version, are meant to protect consumers’ personal data. Together they give consumers a high level of control over how their data is used and what it’s used for, including its monetization.
Businesses benefit as well. Because the new CCPA will require many businesses to revise their data management and security practices, including how and when they implement regular sanitization as a preventative practice, they will reduce their threat attack surface and mitigate the risk of fines due to potential legal actions.
With less than a year to prepare for the expanded CCPA regulations, businesses must move now to create new policies that meet California’s new mandates. Organizations that take the original CCPA and the amended version of the law seriously by adapting their data management processes, including data sanitization and cybersecurity protections, will stay out of the crosshairs of the CPRA. Additionally, they will create strong customer relationships built on mutual trust and respect for consumer privacy.
Also see: Top Digital Transformation Companies
About the Author:
Fredrik Forslund, VP of Cloud and Data Center Erasure, Blancco