With rising usage of data, regulators are looking to increase the stakes for data security and its privacy. Several states and government bodies are starting to show they mean business when it comes to data protection.
The California Consumer Privacy Act (CCPA) is set to be implemented on January 1, 2020, carries several perks for consumers - ones that include giving consumers control over their data. Compared to the EU’s GDPR, CCPA carries stricter regulations.
The law requires companies to be more transparent and give users the ability to download and delete their data. The CCPA provides users the chance to opt out of sharing their data with third parties and demands significant changes to a company’s operations.
While the data proposal may give regulatory and legal bodies sharper teeth, the tech industry the short time span for implementation creates significant challenges for companies.
Many organizations are left with less than a year to create and enforce CCPA compliance programs. The privacy changes will equip consumers with the right to private action - but could potentially leave companies hampered if the move triggers an onslaught of privacy lawsuits against them.
It would allow users to sue companies such as Google and Facebook for monetary damages if they violate the law. Under the new law, companies could face heavy penalties per incident in class action lawsuits. It will give firms a 30-day window period to fix any wrongdoing before they face the consequences.
More regulations to come?
The move comes at a time when there is increasing backlash over the ways in which Facebook handles data privacy. The tech giant came under scanner after admitting that it exposed passwords belonging to more than 600 million users.
The incident came to light during a security review in January, when they found that the passwords were stored in a readable format in their servers. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Pedro Canahuati, VP of engineering, security and privacy said in a blog. Although the issue has been fixed, over 20,000 Facebook employees had access to users’ personal data.
Given the company’s track record for data breaches and leaks, the public argued that companies should face stricter penalties when they wrongly disclose data of tens of millions of people.
What’s alarming is the fact that Facebook made about $35 in its recent quarter from each of its U.S. and Canadian users. This raises concerns over companies selling user information without their authorization - concerns which the CCPA hopes to negate with the new law.
What can we expect next?
However, reports suggest that the companies aren’t ready yet - a significant majority have a long way to go when it comes to implementing compliant-friendly tools. Companies will have to channel fresh investments into technology tools, and some expect to spend over $1 million towards ensuring compliance measures are in place.
For companies that operate across both Europe and the United States, six-figure expenses are bound to hit their budgets. This is assuming they only deal with one state. Other states such as Washington and Massachusetts are also looking at developing their own state laws.
Most companies are stranded in the exploration phase, trying to understand what exactly they need to do to match the CCPA’s requirements. Investing in CCPA-focused tech solutions can help companies understand how they’re impacted, plan effectively and allocate the right amount of capital to meet the new law’s requirements before the January 1, 2020 deadline.
What can companies do?
The CCPA is meant to protect consumers from having their private information sold by companies. Companies should begin by having an audit of how they handle their users’ personal information, review and improve record-keeping practices, making it easier for consumers to exercise their rights, and update their privacy policy.
Compliance, product and security teams can work together to update services to be compliant with the CCPA, bearing in mind the key privacy provisions and consumer rights:
- General disclosure: viewing a publicly available privacy policy describing a person’s rights and the types of personal information collected and disclosed within the last 12 months
- Right to know: to request details about the data that has been collected, used, shared and sold, and the reasons behind those actions in the last 12 months
- Right of access and portability: receive the information covered by the “right to know” free of charge from a business within 45 days of a documented request.
- Right to opt out: at any time request that their personal information not be sold by a business that otherwise lawfully sells personal information to third parties
- Right to be deleted or forgotten: ask a business to delete all of their personal information that they have collected about them across any span of time.
- Right to nondiscrimination: not be retaliated against in any way for exercising their rights under the CCPA by the business (such as denial of service, differing prices or quality of goods and services)
- Private right of action: to file lawsuits to recover damages in the event of a breach of the CCPA
- Restrictions on collecting data of minors: minors’ information cannot be sold by businesses unless they are specifically given consent to do so.
As companies take steps to update their policies and handling of data to be compliant, product teams can begin to incorporate privacy-focused features. These features, such as explicit opt in, will help companies build trust with end users and consumers. While being CCPA compliant can remain a challenge, businesses that are successful and communicative with consumers will be able to get ahead of the pack and grow.
