In case you didn’t hear, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Thanks to a slow news cycle the previous week, the topic garnered plenty of media coverage, with experts suggesting this is a game-changer for US-based privacy regulations. But, is anyone taking action on their CCPA initiative? Did you call your lawyer and put them on top of it? My guess is pin drops could be heard in boardrooms nationwide. So, why aren’t business leaders actually doing anything about it? Here’s the quick list:
- “We don’t have a big presence in California. I’d like to see them fine my company.”
- “We’re too small for the attorney general to go after us.”
- “Fines don’t start until June 2019? Let’s see who gets fined first; I know it won’t be us.”
- “We spent a ton of time and resources on GDPR (General Data Protection Regulation). It was the cost of doing business in the EU, but I feel it was a waste of time. They will never fine me.”
- “People complain about the usage of their online personal data at cocktail parties, but they are too lazy to actually do anything about it.”
Let’s go through these one by one.
- “We don’t have a presence in California, I’d like to see them fine my company.” – The CCPA states if you do business in California, i.e. have customers based there, you need to adhere to the law. But the concern makes sense. If a company has one customer from Vermont out of 1000, why would they spend a lot of time and money dealing with regulation in that state? These companies know California-based companies (mostly Big Tech) will be the first targeted.
- “We’re too small for the attorney general to go after us.” – Let’s say your revenue is under the $25M first qualification. For CCPA to apply to your business, you either need to have 50,000 personal identifiable information contact details or make 50% of your revenue from selling personally identifiable information (PII). I’ve talked to businesses that have more than 50,000 contacts in their CRM (customer relationship management) system, but believe it’s Salesforce’s or their cloud provider’s problem. Could they disable their accounts before a potential state audit and get away with it? Who knows? Regarding the third requirement that you get at least 50% of your revenue from selling data. Well, no one really wants to build a business on that these days, since so many people give away their data for free. This situation will likely be changed in CCPA 2.0 to deal with the problem of those who use your data to advertise.
- “Fines don’t start until June 2019? Let’s see who gets fined first; I know it won’t be us.” – The target is clear, and it’s Big Tech. I think we can agree those companies have more than enough lawyers and staff to deal with this. It’s the medium-sized companies that don’t have the controls in place yet. But is the attorney general really going to start sending auditors to their doorsteps to determine if they need to: 1.) Adhere to the law; and 2.) Prove they can’t deal with a request from a user to delete their data? Where is this techie government going to come from? Does the government have a budget to hire techies away from Big Tech? No.
- “We spent a ton of time and resources on GDPR, but I feel it was a waste of time.” – In May 2018, Google searches for GDPR peaked when everyone was freaking out about how to adhere to this new law. Most US companies with customers in the EU decided to create a cookie popup and call it a day. Others brought in compliance consultants who cost them months of productivity by changing their application’s technical controls, website, policies, and procedures. They believed the EU was going to come down hard and fast, and with the cultural differences, they didn’t want to upset their European customers. Well, the EU only has fined 33 companies so far. And only four were more than €1M: Google, Marriott, British Airways, and the ISP 1&1. (One of these 33 “companies” was an unnamed German police officer caught processing personal data for non-legal purposes.) So, the thought is, “let’s ride this out, and if the privacy police are coming, I’ll hear about it a few blocks away before I need to clean up my act.”
- “People complain about the usage of their online personal data at cocktail parties, but they are too lazy to actually do anything about it.” – When that ad pops up about a certain dog food because you asked your partner to buy dog food in earshot of Alexa, people say that’s weird - but that’s where it ends. The only time individuals have actually taken action is when they can get cold-hard cash. For example, when Experian set up the site for a $150 check for their breach, that moved the needle but it took a huge action from the feds to get that done. I bet you half of those who went to the site abandoned the process when they had to fill out more than one form.
Now, let’s play this out. A company that needs to be compliant with the CCPA receives a request (by phone or customer support form) from a user to delete the data. Then the company’s support rep replies with an email that the data has been deleted. Great. The company did its job to adhere to the law, but how does that individual confirm the deletion? How does the company know it really deleted the data? How about those thousands of backup snapshots that were created before the request? Is the customer going to file an official complaint or hope for the best? What will the government’s barometer be when it actually audits the company? For now, no one knows. And until then, there are too many competing priorities to deal with this CCPA thing.
If you are resource-constrained, hopefully, I’ve convinced you to spend your valuable time and money on other initiatives. However, there is one thing you should work on now to lay the groundwork for when the CCPA gets teeth. Cybersecurity. The quote, “You can’t have privacy without security,” rings true to most.
Here’s the interesting takeaway. Even though California has yet to give clarity around how to deal with the CCPA for the average company, they gave a few hints a few years back. In 2016, the first and only time for a state government, then-Attorney General Harris released a data breach report that gave California companies recommendations to adhere to existing and upcoming privacy regulations. Recommendation number one was to adhere to the cybersecurity CIS 20 standard. What does this mean? There are 20 “controls” in the framework that deals with everything IT security-wise and much more. Many in the industry believe this suggests that future compliance with the CCPA version 2.0 will require compliance based on the CIS 20. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a "must-do, do-first" starting point for every company seeking to improve its cyber defense. A CIS 20 Risk Assessment is a great start to ensure you are ready when the CCPA gets real. The first step of any assessment is always an external vulnerability scan.
