This Wednesday, September 25, marks 100 days from the mandatory compliance date of January 1, 2019 for the new California Consumer Privacy Act (CCPA.)
The CCPA mandates a stringent new degree of consumer privacy and protection. It defines and protects personally identifiable information (PII) on a much broader scale, including biometrics, internet search and browse data, and employment information. Ultimately, compliance with the CCPA will help businesses build better consumer trust, enhance their reputation, and strengthen their brands.
To all intents and purposes this law is already in effect – it covers data held since January 1st 2019. So no one should wait until New Years Day 2020.
Third Party Risk continues to be a major issue, and CCPA opens up a new avenue for 3rd parties to cause serious damage to “the party of the first part”. Businesses need to seriously consider how they share access to their data with third parties such as resellers and marketing agencies – data sharing is a risk multiplier, and even the best security policy with impeccable defenses cannot protect against the failures of third parties.
97% of all losses from data breaches are caused by socially engineered attacks on employees and associates. CCPA does not even require financial loss for the custodian of the consumers’s data to rack up liabilities, so all online organizations with a covered database need to learn about CCPA and defend themselves by training their staff, understanding the risks and being 110% compliant.
The California Consumer Privacy Act marks a significant shift in the way the American government views the technology sector and the way constituents interact with it. The considerable change that data-driven companies have catalyzed is remarkable in many ways. However, regulation like this is becoming increasingly necessary as a result of the businesses built on the attention economy. As these organizations pursue ever-increasing magnitudes of growth, regulations like the CCPA are becoming more necessary to foster trust between consumers and these communication tools. California has a history of leading the country in developing boundaries around the technology sector and I anticipate that the rest of the country will follow.
In the past, we\’ve seen privacy and security teams operating relatively autonomously but now we\’re starting to see an integration of security and privacy teams driven by these new regulations such as CCPA and GDPR. The alignment with security controls and similarities to security compliance standards is leading many businesses to adopt an integrated approach to security, risk, and privacy to help them more effectively report to the CEO and Board.