More and more legislation is being created at the state level that is aimed at protecting consumer information. This is great news for the average American, but it also has implications for businesses that may not have the most sophisticated cybersecurity practices.
The California Consumer Privacy Act (CCPA) is a new law that goes into effect January 1, 2020 and applies to organizations that fit into one of these categories:
- Has annual revenue of $25 million or more
- Generates 50% of annual revenue from selling personal information
- Buys, receives, sells or shares the personal information of 50,000+ consumers
That means companies need to fit only one of the above descriptions in order to fall under CCPA requirements.
If your business prepared for GDPR, you are on the right track. However, the CCPA goes a step further in protecting Personally Identifiable Information (PII), and claims for fines can come from individuals, not just regulatory bodies. This could lead to more lawsuits and fines if a company is not in compliance.
For California residents, this means they will now have more privacy rights and have more control over their data and how companies use it.
To protect consumers, the CCPA addresses four areas:
- Access: the right to access their personal data
- User control: the right to have their data deleted
- Protection of how their personal data is being utilized or shared
- Non-discrimination for exercising their privacy rights
To comply, businesses will not only need to look internally at their practices, but also consider any third parties they partner with to confirm that they are also in compliance with the new law. This is where an agnostic third-party consultant is helpful in reviewing or crafting vendor cybersecurity requests to confirm everyone is following the new law.
This legislation is specific to California, but many other states are implementing similar laws to protect consumers. In New York State, the second part of the SHIELD Act goes into effect in March and puts forth similar privacy protections.
The best way to comply with the CCPA is to show cybersecurity due diligence by proactively following cybersecurity best practices. A managed cybersecurity company can help build out policies and procedures that comply with the law and align with compliance frameworks such as NIST, CIS Critical Controls, or SOC.
The goal of this law, and similar ones in other states, is to ensure companies are working diligently to protect consumer data. And by protecting consumer data, companies can also build favorable public perception and positive brand management.
We know that more and more states will be adopting laws and practices to protect personal data and company data. It is best to be on the leading edge of cybersecurity rather than take a reactive approach after a business-impacting incident has occurred.
The CCPA helps reinforce that protecting data goes well beyond the IT department and should be an organizational focus, driven by leadership with the goal of being good stewards of company data.