California's new data privacy law could inject more regulation, leaves tech industry wary

The CCPA brings in a new wave of regulations to secure user privacy. Are more steps coming?

Posted by Mathias Klenk

With rising usage of data, regulators are looking to increase the stakes for data security and its privacy. Several states and government bodies are starting to show they mean business when it comes to data protection.

While the European Union implemented the General Data Protection Regulation (GDPR) last year, there are proposals to change the United States’ data privacy landscape.

The California Consumer Privacy Act (CCPA), which is set to be implemented on January 1, 2020, carries several perks for consumers - ones that include giving consumers control over their data. Compared to GDPR, CCPA carries stricter regulations.

The law requires companies to be more transparent and give users the ability to download and delete their data. Better yet, the Privacy Act provides users the chance to opt-out of sharing their data with third parties, and demands significant changes to a company’s operations.

While the data proposal may give regulatory and legal bodies sharper teeth, the tech industry thinks it could spell disaster for the companies.

“A private right of action on a law that is not yet cooked would be a disaster,” Sarah Boot, a lobbyist for the California Chamber of Commerce said at a hearing about the CCPA. “It would be a class-action bonanza” she remarked.

Many organizations are left with less than a year to create and enforce compliance programs. The privacy changes will equip consumers with the right to private action - but could potentially leave companies hampered if the move triggers an onslaught of privacy lawsuits against them.

It would allow users to sue companies such as Google and Facebook for monetary damages if they violate the law. Under the new law, companies can face penalties up to $7,500 if they fail to comply. It will give firms a 30-day window period to fix any wrongdoing before they face the consequences.

More regulations to come?

The move comes at a time when there is increasing backlash over the ways in which Facebook handles data privacy. The tech giant came under scanner after admitting that it exposed passwords belonging to more than 600 million users.

The incident came to light during a security review in January, when they found that the passwords were stored in a readable format in their servers. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, VP of engineering, security and privacy said in a blog. Although the issue has been fixed, over 20,000 Facebook employees had access to users’ personal data.

Given the company’s track record for data breaches and leaks, the public argued that companies should face stricter penalties when they wrongly disclose data of tens of millions of people.

What’s alarming is the fact that Facebook made about $35 in its recent quarter from each of its U.S. and Canadian users. This raises concerns over companies selling user information without their authorization - concerns which the CCPA hopes to negate with the new law.

What can we expect next?

However, reports suggest that the companies aren’t ready yet - a significant majority have a long way to go when it comes to implementing compliant-friendly tools. Companies will have to channel fresh investments into technology tools, and some expect to spend over $1 million towards ensuring compliance measures are in place.

For companies that operate across both Europe and the United States, six-figure expenses are bound to hit their budgets. This is assuming they only deal with one state. Other states such as Washington and Massachusetts are also looking at developing their own state laws.

Most companies are stranded in the exploration phase, trying to understand what exactly they need to do to match the CCPA’s requirements. Investing in CCPA-focused tech solutions can help companies understand how they’re impacted, plan effectively and allocate the right amount of capital to meet the new law’s requirements before the January 1, 2020 deadline.

Enjoyed reading this article? Share this with you colleagues.