This post first appeared on Risk Management Magazine.
Although it has been less than a year since the implementation of the California Consumer Privacy Act (CCPA), Californians will once again vote on consumer privacy laws in the November election. Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the CCPA.
One of the key provisions of the proposed law is the creation of the California Privacy Protection Agency, a new agency tasked with protecting data privacy by implementing and enforcing the CCPA and CPRA. This agency would be able to levy fines of up to $2,500 per violation of the act or up to $7,500 per intentional violation or any violation involving the personal information of minors.
The law also establishes a new personal information category called “sensitive personal information” and gives consumers the power to limit how organizations use and share it. This category includes Social Security, driver’s license, passport and financial account information, as well as precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about a consumer’s sex life or sexual orientation. If passed, the law would take effect on January 1, 2023, and would apply to all information collected on or after January 1, 2022.
The potential amendment to the CCPA just two years after it was voted into law demonstrates just how quickly the compliance landscape is shifting as organizations collect and share ever more consumer data. In fact, the International Data Corporation currently projects that the amount of data created over the next three years will be more than was created over the past 30. With more regulations anticipated in 2021, compliance is also more complex and critical than ever. So how can organizations proactively prepare for the CPRA and other future compliance regulations?
The Tip of the Data Compliance Iceberg
According to an August 2020 poll conducted by Californians for Consumer Privacy, 81% of voters support passing the CPRA. With the potential to have a lasting impact on the compliance landscape, California has become a testing ground for comprehensive privacy laws. And as the world’s fifth-largest economy, California has set an example for other states and countries to follow. In fact, following the CCPA’s passage, the International Association of Privacy Professionals (IAPP) Westin Research Center compiled a list of proposed privacy bills from across the United States and found 17 common provisions. Among these provisions were the right to access collected or shared data, the right for consumers to opt out, and the right to be notified of a breach.
The CCPA has become a benchmark for organizations looking to achieve compliance, regardless of their location. So far, Maine and Nevada are the only other states that have enacted privacy laws similar to the CCPA, but several states are working through legislation, including New York, New Jersey and Massachusetts. As more states look to pass comprehensive data privacy laws, the challenge for organizations will be understanding the nuances of each law and how they differ from state to state. Organizations that do business internationally must also consider laws like the European Union’s General Data Protection Regulation (GDPR). The compliance landscape is constantly evolving and the penalties for noncompliance are growing increasingly severe. Organizations that have put off larger compliance efforts can no longer afford to take a wait-and-see approach.
In a June 2020 TrustArc survey of 1,500 global organizations, just 14% had completed their CCPA compliance initiatives, 15% had a plan but had not started implementation, and 9% had not started at all. These organizations do not seem to be viewing compliance as an overall business problem—and that is a real danger. The CPRA makes organizations subject to the regulation if they have an annual gross revenue of $25 million or share the personal information of 100,000 or more consumers, households or devices for commercial purposes. This narrows the parameters and makes some companies liable that were not before.
While some of the fines may be considered a drop in the bucket for larger organizations, they could decimate smaller businesses. Especially as organizations look to rebound from the effects of the COVID-19 pandemic, many cannot afford a costly compliance lapse or data breach. As data’s value continues to increase, these organizations need to think of security as an all-encompassing matter that impacts decision-makers, employees, customers and third-party vendors. All of these people and organizations depend on data security, and a data breach or compliance lapse can undo years of trust from consumers and from their own employees.
Prioritizing Data Privacy and Security
As capturing and storing information has become so inexpensive, and today’s economy has become increasingly data-driven, many organizations are willing to hold onto user data without knowing exactly what they will use it for. But now, as consumers and third-party groups force organizations to place a larger emphasis on data privacy, data use and its overall security are becoming ever more critical to business success.
Most businesses with resource constraints find themselves prioritizing revenue-generating activities over security- and compliance-driven initiatives, but due to privacy regulation penalties and compliance maturation, organizations are seeing security’s impact on revenue. Of the 3,950 breaches investigated in Verizon’s 2020 Data Breach Investigations Report, 86% were financially motivated. In addition, personal data was involved in 58% of those breaches, underscoring the true human impact of these incidents. Improving security and compliance is not as simple as hiring a CISO or compliance officer. Gone are the days when sensitive data was limited to Social Security numbers, birthdates and email addresses. It is now about focusing on a broader set of data, understanding how it is collected, and knowing where it is stored, processed and shared across the organization.
Moving forward, it is fair to assume that all new and existing forms of personal information will eventually be regulated in some way. Any organization that collects data will need to be cognizant of what data is collected, from whom, and for what purposes, then make sure there are processes in place to ensure all customer and employee information is stored, secured and managed correctly. While the CPRA only applies to Californian customers, organizations should begin treating every piece of personal data they collect as if it belongs to a California resident. By treating all personal data with the highest level of security, organizations will put themselves in a better position to approach data privacy and security as a business problem, prepare for future regulations and build a stronger overall security posture.
The CPRA offers a unique look at how consumer privacy advocacy groups and governments are working together to bring data security to the forefront of enterprise risks and considerations. Unless forced by regulations, businesses often avoid investing in parts of the business that do not drive revenue, and that is the case with the CCPA and CPRA. Instead, organizations should take the CPRA announcement as an opportunity to develop a strong data management strategy that includes full data discovery across their organization and treats all personal information with the highest degree of security.