CCPA: Understanding Data Privacy’s Pandora’s Box

Mike Ogden

As goes California, so goes the nation. Therefore, it is not surprising that the first state in the union to create a law to protect citizen privacy is California. 

The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020. With the New Year, businesses that meet the threshold for CCPA compliance must take additional steps to protect the privacy of Californians by honoring several rights, including the Right to Access, Right to Know, Right to Opt-Out, and Right to Deletion. 

With the effective date quickly approached, here’s how to prepare for CCPA compliance. 

Does CCPA Apply to Your Company? 

CCPA defines covered entities as those doing business in the state of California and that satisfy one or more of the following thresholds: 

  • Gross revenue in excess of $25 million 
  • Receives personal information on 50,000 or more consumers 
  • Derives 50% or more annual revenue from selling consumers’ personal information 

This begs the question: if your business isn’t located in California, do you have to comply with CCPA requirements? If you do business over the Internet and meet one of the thresholds, the answer is likely yes. Also, as many as 11 states have privacy regulations in the works so, even if CCPA does not immediately impact your business, the extended ripple of data privacy expectations across the nation most likely will. Here, ramping up for CCPA will aid compliance with other state privacy laws and even a federal privacy law.

The particular challenge with CCPA is that it is more expansive than many realize.  

Preview CCPA Compliance Training Course for Managers and Employees

Privacy’s Pandora’s Box 

What makes CCPA challenging is it isn’t just about compliance. It’s a regulation that also opens up organizations to multiple areas of risk due to the reach of the requirements. As a result, CCPA impacts processes for IT, information security, third parties, identity management, vulnerability remediation, and incident response. 

Delivering on consumer rights like opt-out and deletion isn’t just about communicating intent.

In meeting requirements for CCPA, you must per the regulation: “detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. Also, debug to identify and repair errors that impair existing intended functionality.” (1798.100. D2-3) 

Delivering on consumer rights like opt-out and deletion isn’t just about communicating intent. You must as CCPA states: “subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.” (1798.100. S-3) The objective is to bring permanence to the consumer request. 

Datasheet: Data Subject Rights Solution

Bottom line: you’ll need consumer-facing and back-office processes for protecting personally identifiable information and honoring requests from data subjects like issuing disclosures and answering consumer requests. That’s true whether the data resides with the company or with a third party. 

Enlist the Right Technology for CCPA 

Many companies have a multitude of technology tools in use. And most of these technologies excel at their one-off responsibilities. For CCPA requirements that are broad and encompassing, another single-purpose tool is not the answer. A risk management technology platform that manages compliance and performs integrated risk management (IRM) is ideal. Such a platform automatically integrates data from configuration monitoring and vulnerability scanners, streamlines assessments of third parties, simplifies policy management and facilitates incident response, reporting and collaboration with stakeholders. 

The right platform is agile, enabling you to adapt when privacy regulations change or new regulations are enacted...

No regulation is set in stone, and it’s especially true with CCPA, which added six amendments in October. The right platform is agile, enabling you to adapt when privacy regulations change or new regulations are enacted, which is a near certainty with U.S. state or federal privacy laws. The right IRM platform lets you focus on your business, while keeping pace with new privacy regulations. 

January 1, 2020 will be here soon. And with it will come the first in the union privacy regulation, and we can only expert more to follow. Take the best practice route by creating new processes and implementing the right technology that can integrate multiple risk areas and streamline privacy compliance now. 

Preview CCPA Compliance Training Course for Managers and Employees


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


The Missing Link in Future-Casting M&A Due Diligence

As a matter of course, most M&A due diligence processes perform a thorough evaluation of the compliance program, its polices and procedures, its code of conduct, and its ethics and compliance training curriculum. The one gap in the M&A due diligence practices that can be improved is corporate culture – the accurate assessment of the target’s corporate culture today and, more importantly, tomorrow.   

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Don’t Encourage Employees to Speak Up if You’re not Ready to Listen

“Speak-up culture” has been a buzzword in our industry almost as long as ethics and compliance has been a profession. But the phrasing is anemic. It only identifies half the ingredients needed for a successful workplace in which employees feel comfortable and compelled to raise their voices. A speak-up culture only exists when it is paired with a true listen-up culture.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Comments