It would be easy to be overwhelmed by the barrage of regulations and news surrounding consumer and employee privacy. The European Union made a big splash with its comprehensive privacy regulation, the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. Other nations and US states have since passed their own regulations, but none has generated more buzz than the California Consumer Privacy Act (CCPA). In this article we offer our insight into the practical considerations and potential impact of the CCPA.
Let’s break it down.
California is not like any other state, so it follows that its consumer privacy regulation would be different as well. First of all, California is an important place. On May 4, 2018 CBS News reported that “California now has the world’s 5th largest economy”. At the time of that article California had moved ahead of the United Kingdom, with a gross domestic product for 2016 – 2017 estimated at over $2.7 trillion. Business Insider confirmed this on April 26, 2019 with “16 mind-blowing facts about California’s economy”, which noted that the state, with 39 million residents, has both the largest economy and the largest population of any US state.
No less a technological force than Microsoft has recognized the importance of California and the CCPA by announcing “Microsoft will honor California’s new privacy rights throughout the United States”. The company stated, “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual. This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”
A few other points stand out. California’s regulation reaffirms some of the fundamentals of privacy law (consumers own their own data, are entitled to know what data organizations hold about them, are entitled to correct erroneous data, and are entitled to have their data deleted when it is no longer needed), but there are other aspects of the law worth noting.
First of all, even though the law has been in effect since January 1, 2020, it is still something of a moving target and further amendments are expected. In addition to the traditional rights, Californians have the right to know whether their personal information is being sold or disclosed to others and the right to prohibit that sale. Californians are also entitled to equal service and pricing even if they exercise their privacy rights; a business may not discriminate against a consumer for doing so.
The categories of personal information under the CCPA are much broader than the Personally Identifiable Information (PII) normally associated with data that might enable identity theft.
A few examples of the newer categories include:
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Inferences drawn from any of the information in the categories above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The law requires organizations to implement and maintain “reasonable” security procedures and practices for personal information, but does not itself define what reasonable means. The most authoritative guidance comes from the California Attorney General’s 2016 Data Breach Report, which stated that the 20 controls recommended by the Center for Internet Security (CIS) constitute a minimum level of reasonable security, and that failure to implement all of them indicates a lack of reasonable security. Organizations should expect regulators and plaintiffs to measure them against that yardstick.
When it comes to enforcement, there is so far no general private right of action on the books for non-compliance; most violations are subject only to Attorney General enforcement and civil penalties. The notable exception is a data breach: a consumer whose personal information is exposed as a result of a business’s failure to implement and maintain reasonable security may sue for statutory damages. So the absence of a general private right of action does not mean that your organization will not end up on the wrong end of a lawsuit.
Organizations that have not gone through a comprehensive review to determine what personal information they collect are advised to do so as soon as possible. Employers in particular may not be aware of how much personal information they collect. Collection occurs in a variety of ways: the recruiting process, on-boarding, diversity and inclusion programs, surveillance of all types, biometric time clocks and access control, psychometric assessments and travel profiles are all good examples.
From a security perspective, several areas are considered ‘low hanging fruit’ and are very likely to attract the attention of regulators: failure to encrypt personal information stored on portable devices, failure to encrypt personal information during transmission, weak access control (poor password discipline, no two-factor authentication), and the lack of proper controls over the destruction of personal information once it is no longer needed. Each of these maps directly onto the CIS controls that the Attorney General has pointed to as the baseline for reasonable security.
Protection of the privacy of consumer and employee information is a fundamental responsibility of organizations. The CCPA adds to the mix by expanding the scope of personal information and harnessing California’s economic power to facilitate data privacy protection.
Despite the CCPA’s complex requirements, with the right processes and technologies in place you will be able to keep the personal data you hold safe, stay on the right side of the law, and be better equipped for the privacy regulations that will inevitably follow. Avoiding the hefty penalties the CCPA can impose is, of course, a benefit in its own right.
About The Author:
Colonel (R) Lawrence D. Dietz is a nationally recognized expert in the areas of cyber security, cyber warfare, information security and intellectual property. Mr. Dietz is a licensed attorney and also provides litigation and legal support to our clients in these matters.
As a retired Army Reserve Colonel specializing in intelligence and PSYOPS, Mr. Dietz has over 30 years of diversified military and commercial information and cyber security experience. This unique knowledge combined with the thought leadership of academia enables Mr. Dietz to bring varied approaches and solutions to clients’ challenges.
TAL Global is an elite security consulting and risk management firm that protects human and physical assets around the globe: a team of world-class, interdisciplinary security experts with experience across a wide range of threats. Please contact us to discuss how we can help you with your security needs. As always, we value your feedback to help us shape our perspective on the world around us and the services we offer.