Why the California Consumer Privacy Act (CCPA) is Moving Organizations to a Trust Culture
Meeting and facilitating compliance with today’s modern data privacy regulations should be treated as a journey for enterprises, rather than a destination. It requires a shift in mindset, and the adoption of guiding principles and philosophies around privacy, both strategically and at a tactical level, touching not only the entire IT infrastructure, but also the processes and people that manage them.
According to Gartner, “By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.” The most recent data privacy regulation to take effect is the California Consumer Privacy Act, or CCPA. The CCPA is the first regulation of its kind in the United States, but it follows in the footsteps of the largest data privacy law to date, the EU’s General Data Protection Regulation (GDPR). These regulations are part of the ongoing global trend toward addressing data privacy concerns as businesses continue to collect data on consumers.
What is the CCPA?
The CCPA was enacted in 2018 and took effect on January 1, 2020. It gives California residents rights and protections regarding how businesses use their personal information. Under the CCPA, consumers have the following data privacy rights:
- The right to know what personal data is being collected
- The right to know whether their personal data is being sold
- The right to say “No” to the sale of their personal data
- The right to request that a business delete their personal data
- The right to not be discriminated against for exercising their privacy rights
Any organization that holds, manages, or transacts data on consumers residing in the state of California and meets at least one of the requirements below must comply with the CCPA:
- Generates $25 million USD or more in annual revenue
- Buys or sells the personal information of 50,000 or more consumers, households, or devices
- Earns more than half of its annual revenue selling consumers’ personal data
What happens to companies that fail to comply with the CCPA? Businesses can be fined. Fines range from $2,500 to $7,500 USD per violation, depending on whether the violation was intentional. California is the first U.S. state with a comprehensive privacy law, but other U.S. states or the federal government are expected to follow with further mandates protecting the privacy of individuals.
What do the CCPA and GDPR have in common? Overall, the two data privacy laws overlap substantially in the rights they grant. Where they differ most is in who is regulated: the CCPA is much narrower in territorial scope and reach than the GDPR. The GDPR applies to data controllers and processors across the EU, whereas the CCPA applies only to companies doing business in California that meet at least one of the thresholds outlined above.
How the CCPA Shifts Organizations to Adopt A Trust Culture
Gartner also predicts that “By year-end 2022, more than 1 million organizations will have appointed a privacy officer (or data protection officer).” The Golden State's CCPA is the first piece of privacy legislation with teeth in the U.S. By giving consumers control over their personal information, it compels businesses to put the customer first. Organizations must reinvent the way they do business by asking how to align compliance with their strategy rather than how to get around it.
What is spurring all these new privacy laws anyway?
Non-compliance costs are more than just monetary. A brand’s reputation gets tarnished with any data breach when personal data gets compromised. Consumers are calling for legislation because they want to trust organizations with their personally identifiable information (PII). Businesses changing their mindset to “privacy by design” rather than “privacy by reaction” can help build brand equity and foster better customer relationships.
Data breaches have become more frequent, growing in both quantity and scope. There were 2,013 confirmed data breaches in 2019. Ransomware, malware, phishing, and denial-of-service (DoS) attacks now dominate the methods behind breaches, and these channels are becoming harder to defend against. According to IBM, the average time to identify a breach was 206 days in 2019, while the average time to contain a breach was 73 days. As technology advances, so do the techniques of malicious actors. This is why state and federal governments are taking action to shape and enact laws protecting their citizens’ right to privacy.
Complying with the CCPA, GDPR, and Future Regulations
Today, most organizations are reactive to data privacy regulations. A recent survey by TrustArc showed that 89% of companies reported an increased need for technology tools to help them meet CCPA compliance. Even if your organization is not affected today, the regulatory environment is only growing, and most businesses will eventually have to comply with stringent privacy laws. You can get a head start toward complying with regulations such as the GDPR, CCPA, and more by:
- Analyzing your current IT infrastructure so you can create a data map of how data flows in and out of your organization
- Creating a strong data management strategy that includes the appropriate IT tools to automate, and so lessen the burden of, handling consumer opt-out requests and requests to access their data
- Documenting your new data management strategy policies and procedures
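To make the three steps above concrete, here is an added example (not code from the original article or from any vendor it mentions) of a minimal in-memory data map and a request handler that fulfils the consumer rights listed earlier: a system inventory records which systems hold which categories of personal information and which of them sell it, and each right is handled by walking that inventory and writing an audit entry. All system names, third-party names, consumer IDs and record values are constructed sample data; the non-discrimination right is modeled only as a service tier that the handlers never touch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class SystemEntry:
    """One system in the data map: which PII categories it holds and whether it sells them."""
    name: str
    categories: tuple            # PII categories held, e.g. ("name", "email")
    sells_to: tuple = ()         # third parties that buy data from this system; empty = not sold
    records: dict = field(default_factory=dict)   # consumer_id -> {field: value}
    opted_out: set = field(default_factory=set)   # consumers who said "No" to sale


class DataMap:
    """Inventory of systems holding personal information, used to fulfil consumer requests."""

    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}
        self.service_tier = {}   # consumer_id -> tier; must be unaffected by any request below
        self.audit = []          # (utc timestamp, consumer_id, action, system) for compliance records

    def _log(self, consumer_id, action, system):
        self.audit.append((datetime.now(timezone.utc).isoformat(), consumer_id, action, system))

    def disclose(self, consumer_id):
        """Right to know what personal data is collected: every record held, per system."""
        report = {}
        for s in self.systems.values():
            if consumer_id in s.records:
                report[s.name] = dict(s.records[consumer_id])
                self._log(consumer_id, "disclose", s.name)
        return report

    def sale_status(self, consumer_id):
        """Right to know whether data is being sold: systems that currently sell it, and to whom."""
        return {
            s.name: list(s.sells_to)
            for s in self.systems.values()
            if consumer_id in s.records and s.sells_to and consumer_id not in s.opted_out
        }

    def opt_out(self, consumer_id):
        """Right to say "No" to sale: flag the consumer in every system that sells data."""
        changed = []
        for s in self.systems.values():
            if s.sells_to and consumer_id in s.records:
                s.opted_out.add(consumer_id)
                changed.append(s.name)
                self._log(consumer_id, "opt_out", s.name)
        return changed

    def delete(self, consumer_id):
        """Right to deletion: remove the consumer's records from every system in the map."""
        deleted = []
        for s in self.systems.values():
            if s.records.pop(consumer_id, None) is not None:
                deleted.append(s.name)
                self._log(consumer_id, "delete", s.name)
        return deleted


def build_sample_map():
    """Constructed sample inventory (hypothetical systems and consumers), not a real environment."""
    crm = SystemEntry("crm", ("name", "email"), sells_to=("ad-network-A",))
    billing = SystemEntry("billing", ("name", "address", "card_last4"))
    analytics = SystemEntry("analytics", ("device_id",), sells_to=("data-broker-B",))
    crm.records["c-1001"] = {"name": "Sample Person", "email": "sample@example.com"}
    billing.records["c-1001"] = {"name": "Sample Person", "address": "1 Example St", "card_last4": "4242"}
    analytics.records["c-1001"] = {"device_id": "dev-abc"}
    crm.records["c-2002"] = {"name": "Other Person", "email": "other@example.com"}
    dm = DataMap([crm, billing, analytics])
    dm.service_tier["c-1001"] = "standard"
    return dm


if __name__ == "__main__":
    dm = build_sample_map()
    print("held:", dm.disclose("c-1001"))
    print("sold by:", dm.sale_status("c-1001"))
    dm.opt_out("c-1001")
    print("sold by after opt-out:", dm.sale_status("c-1001"))
    print("deleted from:", dm.delete("c-1001"))
    print("audit entries:", len(dm.audit))
```

The point of the map is that every right is answered from one inventory rather than by asking each team separately; in a real deployment the `records` dictionaries would be replaced by connectors to the actual systems, and the `audit` list by durable storage, so that each request and its fulfilment can be evidenced later.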
The rise in data privacy regulations around the world is the culmination of people actively demanding privacy protection. Data is a commodity. It is now bought, sold, transferred, and stored by businesses every day. Consumers want a say in what personal information businesses can collect, process, and distribute. Regulations like the CCPA are only the beginning of what’s to come in the U.S.