Preparing for the Start of CCPA Enforcement
The California Consumer Privacy Act (CCPA) is one of the most widely discussed recent data protection laws. Signed into law in June 2018, it took effect on January 1, 2020, and enforcement by the California Attorney General begins on July 1, 2020.
Under the CCPA, organizations have a number of new data protection responsibilities, similar to those put in place under the General Data Protection Regulation (GDPR). Complying with the CCPA requires organizations to understand these new responsibilities and implement solutions for achieving, maintaining, and demonstrating compliance.
Business Requirements Under the CCPA
The CCPA is designed to give California residents additional protections for the personal information that businesses collect about them and use. As a result, organizations within its scope have new requirements and responsibilities that they must be prepared to comply with once enforcement of the CCPA begins in July 2020.
- Protection of Sensitive Data
One of the primary responsibilities that organizations have under the CCPA is to protect the personal information that they collect in the course of doing business. The definition is broad: it covers any information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household, not only identifiers that are unique on their own.
A good first step in protecting this sensitive data is to minimize its use throughout the organization. Tokenization replaces the real value with a “token” that keeps the same format (so existing validation rules, schemas, and joins continue to work) but carries no information about the original value, which is held only in a separately secured vault. Systems that store only tokens no longer hold the underlying personal information, which shrinks the footprint that access controls, audits, and subject requests must cover, and lets an organization keep the current configuration of many existing systems while simplifying the work of maintaining and demonstrating regulatory compliance.
For applications where the original data is essential, an organization must implement the controls required under the CCPA. These include maintaining visibility into where sensitive data lives and who touches it, and restricting access to it on a “need to know” basis, so that only the roles with a documented business purpose can recover the real value.
- Responding to Subject Rights Requests (SRRs)
The CCPA grants consumers a set of rights similar to those implemented under the GDPR. Among these are the right to know what personal information a business has collected about them and to access it, the right to request deletion of the personal information the business collected from them (subject to statutory exceptions), and the right to opt out of the sale of their personal information. Each request carries a response deadline (45 days, extendable once when reasonably necessary), so an organization should have procedures and tools in place to enable rapid response to these requests.
A crucial component of this is the ability to determine the complete scope of usage of an individual’s data within the organization. Attempting to collect this information manually is one of the main drivers behind the cost of responding to SRRs. According to Gartner, the average cost of responding to a Data Subject Access Request (DSAR), the GDPR equivalent of a CCPA SRR, is roughly $1,400 per request. Additionally, responding to a single DSAR can take an organization two to three weeks, approximately half of the 45-day response window the CCPA allows.
As the CCPA and similar regulations come into effect and gain visibility, the number of requests that organizations are required to answer will only grow. In order to prepare for the start of CCPA enforcement, organizations should invest in solutions that automate some or all of the workload associated with locating an individual’s data and responding to DSARs and SRRs. Reliance on manual processing is more time-consuming and expensive, and it risks errors or oversights that could prompt follow-up requests or complaints at the organization’s expense.
- Determining Reporting Requirements
While no organization wishes to be the target of a data breach, breaches remain common. In 2019, 1,473 data breaches were publicly reported, an average of over four each day.
As new data protection laws go into effect, organizations take on additional notification obligations.
In order to prepare for CCPA enforcement, organizations must understand what counts as a reportable breach and what their responsibilities are. The CCPA does not contain its own breach notification rule and has no equivalent of the GDPR’s 72-hour deadline; notification of affected California residents, and of the Attorney General when more than 500 residents are affected, is governed by California’s existing breach notification statute (Civil Code section 1798.82). What the CCPA adds is a private right of action: consumers whose unencrypted, unredacted personal information is exposed because a business failed to implement reasonable security can sue for statutory damages, on top of any regulatory penalties.
Preparing for CCPA and the Future
The start of CCPA enforcement should be a formality for many organizations. Since the CCPA was signed in 2018 and took effect six months before enforcement begins, companies have had ample time to prepare. This advance preparation matters in practice because a right-to-know request can cover the personal information collected in the preceding twelve months, so the data-inventory and access tooling must already be in place when the first requests arrive.
For those organizations that have not been proactive in learning about and achieving compliance with their new regulatory responsibilities, the time has come to do so. Under the CCPA, an organization can incur significant penalties for non-compliance: civil fines of up to $2,500 per violation, rising to $7,500 per intentional violation. In the event of a breach, consumers may seek statutory damages of $100 to $750 per consumer per incident or their actual damages, whichever is greater. Because damages scale per affected consumer, a breach covered by the CCPA can become extremely expensive for an organization.
By preparing for enforcement of the CCPA, organizations also prepare themselves for other data protection regulations. In recent years, the trend has been toward regulations that grant consumers rights similar to those provided to individuals in the EU under the GDPR. Putting the infrastructure in place now to meet the requirements for data security and for responding to DSARs and SRRs can save an organization a significant amount of time and money in the long term.