CCPA Compliance: Maintaining security to combat increasing threats to privacy
Already 2019 is seen as a very significant year for data privacy. Companies now have less than 12 months to ensure they comply with the new California Consumer Privacy Act (CCPA). There have already been record financial penalties issued, including the €50 million ($57 million) fine imposed on Google, under the General Data Protection Regulation (GDPR).
Feedback from numerous businesses indicates they are taking data privacy laws extremely seriously. The recent Google example brings home the point that noncompliance means stiff penalties and unwanted publicity.
This doesn’t mean we haven’t seen huge fines for noncompliance before, like the $16 million settlement by Anthem Inc. That settlement related to a data breach back in 2015, in which hackers managed to gain access to the Electronic Protected Health Information (ePHI) of some 79 million people. And while we’re no longer shocked to read about data breaches in the news, the massive fine imposed on Google on January 21 goes to show how the increase in data privacy incidents has highlighted the importance of data security.
But don’t think for a minute that Google was fined because it was negligent or reckless with people’s data, or that the tech giant had suffered a data breach. It was fined because of the way it allowed partners to use the data collected. Google gave consumers clear information on how their data was being used, as well as a clear and concise way to opt out, if they chose to.
Most data breach stories appear to focus on how well (or not) data was protected, rather than how people’s information is collected, used and then deleted when it is no longer required. Data Privacy is about using collected data only for a specific purpose, and only for as long as it is needed, whilst acknowledging that the true owner is the ‘data subject’. It’s very much about monitoring legitimate and authorized access, along with the specified use of that personal data. On the other hand, Data Security concerns the technologies and processes deployed to ensure authorized access only, and to prevent all unauthorized attempts to access data.
California Consumer Privacy Act
Like the European Union’s GDPR, the CCPA is based on the principle that data privacy is a fundamental right of every consumer and is the means by which the consumer can control their own Personal Information. The legislation provides the following consumer rights:
The right to:
know what data is being, or has been, collected and processed;
know how long their data is being stored;
see their data in a readable format;
have errors in their data corrected;
receive a copy of their data in a portable format;
be forgotten - and have all their identified data deleted;
be notified of a data breach in a timely manner.
The primary objective of the CCPA is clearly data privacy. However, there is still a great deal of confusion among both consumers and the organizations that are required to comply with its rules. Compliance represents a major challenge in terms of keeping up with the legislation and amendments to the law, as most EU companies will testify from their experience with the GDPR.
Moreover, Data Privacy is inextricably linked to Data Protection when notifying of a data breach, or when recovering from one. The GDPR clearly defines the steps that must be taken, as well as the penalties that can be imposed, in the event of a breach. The CCPA shadows some of the strictest breach notification laws already ‘on the books’ in the state of California.
At the present time, just about every state across the U.S. has some legislation pertaining to the protection of personal data, along with documented requirements and procedures for breach notification. And while Data Security represents a vital part of these regulations, the requirements for Data Protection are somewhat broad-based and far less clearly defined.
It is crucial that we all have a clear understanding of privacy rights and their related procedures defined in the CCPA.
Notice: This article is intended as general information only and does not constitute legal advice.
Please consult with a professional data privacy practitioner.