https://www.techtarget.com/searchsecurity/tip/Privacy-controls-to-meet-CCPA-compliance-requirements
The California Consumer Privacy Act went into effect on Jan. 1, 2020, and is the first of potentially many state laws that impact the way businesses manage consumer and customer data. This trend has prompted many CIOs and compliance officers to start scrambling to check their risk management programs for privacy regulation coverage.
Similar to the GDPR launched by the European Union in 2018, CCPA forces businesses that sell products and services to California-based customers to take a close look at how they protect consumer privacy and manage consumer data. It's not enough to simply deploy security measures to prevent cyberattacks. Businesses must now also implement controls for how they handle customer data coming in, being stored and ultimately retired.
Unlike GDPR, CCPA does not provide consumers with the right to correct inaccurate personal data, restrict processing or object to data processing. However, CCPA includes two major requirements businesses must adhere to:
CCPA also requires businesses to collect advance consent from consumers under the age of 16 to sell their data. If a consumer is under the age of 13, consent must be given by a parent or guardian. In addition, businesses must treat all customers equally in relation to the price charged for products and services, regardless of whether they opt out of having their information sold.
CCPA applies to any for-profit entity conducting business in California that collects, shares or sells the personal data of California consumers and meets at least one of the following criteria:
CCPA does not apply only to businesses based in California. Even if a company is based in another U.S. state or another country but serves California residents and meets the criteria above, the company is still subject to compliance.
The penalties for violating CCPA make it imperative to deploy the appropriate privacy controls. California can fine companies up to $750 for each individual violation of a consumer's private information. For any violation deemed intentional, the state has the right to increase fines to as much as $7,500 per violation.
If a database of 10,000 consumers is mishandled, for example, the company is looking at a penalty of at least $7.5 million. But, if the company has already implemented a strong IT risk management program, it is more than likely on the path to complying. If the company already complies with GDPR, there may be just a couple of privacy controls to tweak. The bottom line: If the company leaders take risk management seriously, they will find a way to meet the letter of the law for CCPA.
As a starting point, the key to CCPA compliance is found in these steps:
Hopefully, the company won't have to start from scratch. If it does, it will need to allocate a team of internal resources and invest in new processes and technologies to comply with CCPA. Taken together, projects like this could easily add up to billions of dollars across all the companies around the globe that conduct business with California customers.
Assuming the organization already has a strong IT security posture and a solid risk management program, here's a quick rundown of the major privacy controls that might need to be added in order to comply with CCPA:
The controls listed above can serve as a starting point for companies beginning their journey to CCPA compliance. It's important to work with a compliance expert who can delve into the specific CCPA compliance requirements that apply to the company's data environment. An expert can assist with understanding exactly how much is in scope for CCPA, along with how and where to apply the controls in the most effective and efficient manner possible.
Although CCPA is still fairly new, it's best to start assessing where the company stands in relation to these controls. While there is a movement at the federal level to enact nationwide privacy laws in the U.S., it appears to have stalled. Meanwhile, many states are in the process of enacting privacy laws similar to CCPA. It's only a matter of time before these laws impact companies of all sizes conducting business in almost every state across the U.S.
Anne Kimbol serves as assistant general counsel and chief privacy officer for HITRUST. Using her expertise, she provides strategic advice to the C-suite on privacy-related issues, including advising on best practices, compliance with U.S. law, state privacy laws and the European Union's GDPR. In her role as assistant general counsel, Kimbol is responsible for assisting the chief legal officer and contracts manager on contractual issues with clients and vendors. She is also responsible for formulating and implementing HITRUST's privacy policy and strategy, ensuring that internal privacy practices and processes operate in conjunction with the information security and operations personnel. Kimbol leads the organization in monitoring public policy and privacy issues from the state or federal level, as well as internationally. She also identifies key international programs in HITRUST's areas of expertise, including privacy and broader data protection issues. Kimbol is recognized by the International Association of Privacy Professionals as a Fellow of Information Privacy.
27 Feb 2020