Category: Regulations

Why No One Cares About the CCPA

In case you didn’t hear, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Thanks to a slow news cycle the previous week, the topic garnered plenty of media coverage, with experts suggesting this is a game-changer for US-based privacy regulations. But, is anyone taking action on their CCPA initiative? Did you call your lawyer and put them on top of it? My guess is pin drops could be heard in boardrooms nationwide. So, why aren’t business leaders actually doing anything about it? Here’s the quick list:

  1. “We don’t have a big presence in California. I’d like to see them fine my company.”
  2. “We’re too small for the attorney general to go after us.”
  3. “Fines don’t start until June 2019? Let’s see who gets fined first; I know it won’t be us.”
  4. “We spent a ton of time and resources on GDPR (General Data Protection Regulation). It was the cost of doing business in the EU, but I feel it was a waste of time. They will never fine me.”
  5. “People complain about the usage of their online personal data at cocktail parties, but they are too lazy to actually do anything about it.”

Let’s go through these one by one.

  1. “We don’t have a big presence in California. I’d like to see them fine my company.” – The CCPA applies to any qualifying business that does business in California, i.e. collects the personal information of California residents, whether or not it has an office there. But the concern makes sense. If a company has one customer from Vermont out of 1,000, why would it spend a lot of time and money dealing with regulation in that state? These companies know California-based companies (mostly Big Tech) will be the first targeted.
  2. “We’re too small for the attorney general to go after us.” – Let’s say your revenue is under the $25M first qualification. For the CCPA to apply to your business, you then need to either hold the personal information of 50,000 or more consumers, households, or devices, or make 50% or more of your revenue from selling personal information. I’ve talked to businesses that have more than 50,000 contacts in their CRM (customer relationship management) system but believe it’s Salesforce’s or their cloud provider’s problem. Could they disable their accounts before a potential state audit and get away with it? Who knows? As for the third qualification, getting at least 50% of your revenue from selling data: no one really wants to build a business on that these days, since so many people give away their data for free. This situation will likely be changed in a CCPA 2.0 to deal with those who use your data to advertise.
  3. “Fines don’t start until June 2019? Let’s see who gets fined first; I know it won’t be us.” – The target is clear, and it’s Big Tech. I think we can agree those companies have more than enough lawyers and staff to deal with this. It’s the medium-sized companies that don’t have the controls in place yet. But is the attorney general really going to start sending auditors to their doorsteps to determine if they need to: 1.) Adhere to the law; and 2.) Prove they can’t deal with a request from a user to delete their data? Where is this techie government going to come from? Does the government have a budget to hire techies away from Big Tech? No.
  4. “We spent a ton of time and resources on GDPR, but I feel it was a waste of time.” – In May 2018, Google searches for GDPR peaked when everyone was freaking out about how to adhere to this new law. Most US companies with customers in the EU decided to create a cookie popup and call it a day. Others brought in compliance consultants who cost them months of productivity by changing their application’s technical controls, website, policies, and procedures. They believed the EU was going to come down hard and fast, and with the cultural differences, they didn’t want to upset their European customers. Well, the EU has only fined 33 companies so far, and only four of those fines were more than €1M: Google, Marriott, British Airways, and the ISP 1&1. (One of these 33 “companies” was an unnamed German police officer caught processing personal data for non-legal purposes.) So, the thought is, “let’s ride this out, and if the privacy police are coming, I’ll hear about it a few blocks away before I need to clean up my act.”
  5. “People complain about the usage of their online personal data at cocktail parties, but they are too lazy to actually do anything about it.” – When that ad pops up about a certain dog food because you asked your partner to buy dog food in earshot of Alexa, people say that’s weird, but that’s where it ends. The only time individuals have actually taken action is when they can get cold, hard cash. For example, when Equifax set up the settlement site offering up to $125 in cash for its breach, that moved the needle, but it took a huge action from the feds to get that done. I bet half of those who went to the site abandoned the process when they had to fill out more than one form.

Now, let’s play this out. A company that needs to be compliant with the CCPA receives a request (by phone or customer support form) from a user to delete their data. The company’s support rep replies with an email saying the data has been deleted. Great. The company did its job to adhere to the law, but how does that individual confirm the deletion? How does the company itself know it really deleted the data? What about the thousands of backup snapshots that were created before the request, any one of which could restore the record? Is the customer going to file an official complaint or hope for the best? What will the government’s barometer be when it actually audits the company? For now, no one knows. And until then, there are too many competing priorities to deal with this CCPA thing.
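The two open questions above (how does anyone verify the deletion, and what happens when an older backup is restored) do have an engineering answer. The following is an added example, not code from this post or from any product named on the page: it records each deletion request as a tombstone keyed by an HMAC of the consumer’s identifier, so the log itself carries no PII, and replays tombstones whenever a snapshot taken before the request is restored. The in-memory store, the pepper constant, the `demo()` data and all function names are assumptions made for the illustration.

```python
"""Deletion requests with a tombstone log, replayed on backup restore.

Added illustration, not code from the page or any product it names. It assumes
a toy in-memory store keyed by email and an HMAC pepper held outside the store;
a real system would use its database and secrets manager instead.
"""
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a secret kept separately from the data store and out of backups,
# so the tombstone log can be handed to an auditor without leaking identifiers.
PEPPER = b"rotate-me-and-keep-out-of-backups"


def normalize(email: str) -> str:
    """Canonical form of the identifier, so 'Alice@X.com ' and 'alice@x.com' match."""
    return email.strip().lower()


def subject_token(email: str) -> str:
    """Pseudonymous, stable handle for a consumer identifier.

    HMAC rather than a plain hash: someone who obtains the tombstone log cannot
    confirm a given email was deleted by hashing guesses without the pepper.
    """
    return hmac.new(PEPPER, normalize(email).encode(), hashlib.sha256).hexdigest()


def handle_deletion_request(store: dict, tombstones: list, email: str,
                            request_id: str, now: Optional[float] = None) -> dict:
    """Delete the consumer's record and append a tombstone.

    Returns a receipt the support rep can give the consumer. The receipt carries
    the token, not the email, so it reveals nothing about other users.
    """
    token = subject_token(email)
    removed = store.pop(normalize(email), None) is not None
    tombstones.append({"token": token, "request_id": request_id,
                       "ts": now if now is not None else time.time()})
    return {"request_id": request_id, "token": token, "record_removed": removed}


def verify_deleted(store: dict, tombstones: list, email: str) -> bool:
    """Deletion counts as verified only if the record is gone AND a tombstone exists.

    Requiring both stops a record that was never present from being mistaken
    for a completed request.
    """
    in_store = normalize(email) in store
    token = subject_token(email)
    return (not in_store) and any(t["token"] == token for t in tombstones)


def restore_from_snapshot(snapshot: dict, tombstones: list) -> dict:
    """Rebuild a store from a backup, replaying tombstones logged at or after it.

    This is what stops an old snapshot from quietly resurrecting data the
    company already told the consumer it had deleted.
    """
    restored = dict(snapshot["records"])
    by_token = {subject_token(email): email for email in restored}
    for t in tombstones:
        if t["ts"] >= snapshot["taken_at"] and t["token"] in by_token:
            restored.pop(by_token[t["token"]], None)
    return restored


def demo() -> dict:
    """Constructed sample data: a backup is taken, then Alice asks to be deleted."""
    store = {"alice@example.com": {"plan": "pro"},
             "bob@example.com": {"plan": "free"}}
    snapshot = {"taken_at": 1000.0, "records": dict(store)}  # pre-request backup
    tombstones: list = []
    receipt = handle_deletion_request(store, tombstones, " Alice@Example.com ",
                                      "req-0001", now=2000.0)
    restored = restore_from_snapshot(snapshot, tombstones)
    return {"receipt": receipt,
            "alice_verified": verify_deleted(store, tombstones, "alice@example.com"),
            "bob_verified": verify_deleted(store, tombstones, "bob@example.com"),
            "restored_keys": sorted(restored)}


if __name__ == "__main__":
    print(demo())
```

The receipt is what the support rep should be sending instead of a bare “your data has been deleted”: it names the request and a token the consumer can later quote back, and `verify_deleted` is the check an auditor could run against the same inputs. The restore path is the part most companies skip; without tombstone replay, every pre-request snapshot is a way for the deleted record to come back.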

If you are resource-constrained, hopefully I’ve convinced you to spend your valuable time and money on other initiatives. However, there is one thing you should work on now to lay the groundwork for when the CCPA gets teeth: cybersecurity. The quote, “You can’t have privacy without security,” rings true to most.

Here’s the interesting takeaway. Even though California has yet to give clarity around how the average company should deal with the CCPA, it gave a few hints a few years back. In 2016, the first and only time for a state government, then-Attorney General Harris released a data breach report that gave California companies recommendations for meeting existing and upcoming privacy regulations. Recommendation number one was to adopt the CIS 20 (the Center for Internet Security’s Critical Security Controls, 20 of them at the time). What does this mean? The framework is a prioritized list of controls covering inventory, configuration, vulnerability management, access control, logging, and the rest of the basics of IT security. Many in the industry believe this suggests that future compliance with a CCPA version 2.0 will be judged against the CIS 20. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every company seeking to improve its cyber defense. A CIS 20 risk assessment is a great start to ensure you are ready when the CCPA gets real, and such an assessment usually begins with an external vulnerability scan.

How A Risk Assessment Can Help You Stay In Line With the CCPA

What You Want To Know

You want to provide your customers with the best service you can. You’ve depended on your consumers’ personally identifiable information (PII) to provide them with exceptional service. Now, with the California Consumer Privacy Act (CCPA) around the corner, you’ve got to be prepared by January 2020; a risk assessment will help you get there.

In short, the CCPA is the new regulation giving consumers control of their personal information, and it’s moving data security to the forefront. The CCPA has businesses scrambling to figure out what consumers can request, what the penalties are, and what they can do to ease the process. No need to worry; we’ve simplified the data points for you.

How The Act Gives Consumers Control

This new regulation is amplifying your consumers’ privacy rights. The CCPA allows them to know what personal information is collected, to opt out of the sale of their personal information, and to pursue legal action against firms whose inadequate security leads to a breach of their data. Consider these three points to ensure you understand what consumers can request.

  1. Providing consumers with the right to request a business to provide information on the categories of personal data it collects.
  2. Enabling consumers to opt-out from businesses selling their data to third parties. Every company must provide notice before using consumer data for other reasons.
  3. Imposing penalties and fines for businesses that fail to implement adequate safeguards for securing PII data against breaches and unauthorized disclosures.
Consumers now have control over their data. Shouldn’t you?

Are You Affected By CCPA?

If you’re worried about whether or not the CCPA affects you, keep reading. This new regulation will affect most companies; it applies to any for-profit business that does business in California and:

  1. Has annual gross revenues in excess of $25 million;
  2. Possesses the personal information of 50,000 or more consumers, households, or devices; or
  3. Earns more than half of its annual revenue from selling consumers’ personal information.

If your business matches only one of these qualifications, the CCPA will affect you. If it sounds like your business, you must begin making the necessary changes. Since the California Consumer Privacy Act is meant to enhance the privacy rights and protect data belonging to California residents; it has businesses changing their business strategy centered around data security.

What Compliance Entails For You 

We want to make sure your company complies with the new regulation; that means making sure your company has shifted gears in the right direction. So, here’s what you should do.

  1. Develop and maintain transparent data policies, so your business can quickly give explicit responses to consumers’ requests about their data.
  2. Make sure everyone who handles consumer data understands the act’s provisions. If your data handlers aren’t well informed, train them or replace them; you don’t need a breach on your hands because of a gap in knowledge.
  3. Implement adequate measures for securing information systems and PII. Unprotected data is what exposes you to the act’s breach liability, and you don’t need that.
  4. Keep an organized system for the consumer data you collect, so you can produce quick and accurate reports to consumers, which means fewer headaches and less time spent.

CCPA compliance is an important step in ensuring your company’s success.

Your Next Step

The last thing your business needs is an absurd amount of fines due to non-compliance or insufficient security practices. Your business can be liable for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, in an action brought by the attorney general, and for statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) when consumers sue over a breach caused by a failure to maintain reasonable security. Non-compliance with the CCPA can damage your brand and cause your consumers to lose trust in your business. You need a clear path that ensures your business’ success. Framework Security uses a collaborative cloud-based platform to manage our clients’ compliance with the 51 controls in the CCPA. Get in touch for an assessment today.
