State Privacy Regulations Are Long Overdue: How Can Companies Prepare?

By Dominic Sartorio
CCPA
October 3, 2019

Cyberattacks and data breaches are in the news almost every day, frequently targeting government agencies, businesses and consumers. According to a national survey from the Pew Research Center, a majority of Americans (64 percent) have personally experienced a major data breach, and large shares of the public lack trust in key institutions – especially the federal government and social media sites – to protect their personal information.

In an effort to put some element of control back into consumers’ hands, in May 2018 the European Union introduced the General Data Protection Regulation (GDPR), a comprehensive set of rules designed to give EU citizens more control over their personal data and to simplify the regulatory environment for businesses. GDPR applies to any organization operating within the EU, as well as to any organization outside the EU that offers goods or services to customers or businesses in the EU. The move was a major pivot towards protecting individuals, and a legislative stake in the ground by the EU to protect personal privacy.

The United States, on the other hand, though fully capable of driving a nationwide privacy standard, lacks a single, comprehensive federal law that regulates the collection and use of personal information. It has not been a legislative priority at the federal level. Instead, in lieu of federal privacy regulations, many states are making their own, and each state will have slightly different requirements.

Clearing the Confusion: GDPR vs. CCPA

In January 2020, the California Consumer Privacy Act (CCPA), the closest thing to its European counterpart and the most comprehensive data privacy law in the country so far, will go into effect. All for-profit companies that do business in California and who meet certain thresholds will be required to be compliant by January 1st.

There is an understandable amount of confusion around CCPA and GDPR. With CCPA, there is a greater focus on the commercial uses of data, as opposed to all forms of data processing; in addition, CCPA functions on an “opt-out” basis, whereas GDPR consent requires an “opt-in” from the individual. Also, the State Attorney General has the sole power to enforce the law and to impose civil fines of $2,500 per violation (or $7,500 for each intentional violation). With every person whose data is breached counting as a violation, the stakes are high for large organizations serving millions of California residents, and, unlike the GDPR, CCPA provides no caps on civil penalties.

While Californians will have greater privacy rights come January, the CCPA at present lacks clarity around methods of protection and the concept of deidentification (making information no longer pertain to an individual consumer or household). Unlike GDPR, which lists the specific personally identifying data elements requiring protection, CCPA takes a broad-brush approach by requiring that any data that can directly or indirectly identify its subject must be protected. Further, the law states that “personal information” excludes “publicly available” information that is lawfully made available from federal, state or local government records; but how the courts interpret “personal” vs. “public” information remains to be seen.

Ever since the Cambridge Analytica scandal in 2018, other states in the U.S. have jumped on the CCPA bandwagon with their own attempts at nuanced legislation, such as Maryland’s Online Consumer Protection Act or New York’s Right to Know Act, but California’s is the most comprehensive data privacy law that has been passed so far. Each state has a different mix of industries and corresponding priorities. California is the tech capital of the world, and its companies have created many of the technologies that have caused so many of the privacy issues today. California’s state legislature realized this and decided to take a leadership position in protecting citizens’ privacy.

The CCPA is quite complex in terms of the various data policies that can be set. GDPR uses what’s called “codes of conduct” to provide businesses with guidance on the GDPR’s requirements, and to offer third-party oversight as a check on data handling practices.

Next Steps for Businesses Seeking Compliance

The patchwork of regulations makes it a challenging process for large, global or even national institutions to comply without complexity or without inhibiting growth and innovation.

My advice to businesses that want to stay on the right side of the law would be:

  1. Recognize it’s about protecting the data itself. The data is always flowing, whether at rest (held by the company that collected it), in use, or in motion (moving to a third-party data warehouse). Organizations need a security posture that protects the data itself, so that even if a breach occurs, the data is useless to bad actors.
  2. Identify and select an executive in the C-suite to drive data protection strategies throughout the organization. It must be a company-wide mandate across all silos to be effective.
  3. Empower that executive to set up policies and controls that are enforceable throughout the organization.

GDPR requires every organization that processes or stores personal data for EU citizens to appoint a DPO (Data Protection Officer), responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. This may not be a federal or state requirement in the U.S. just yet, but I believe it’s coming, and it would be a smart practice for organizations to get ahead of the game and appoint someone in their organization to fill that role.

For a long time, it may have seemed like consumers had virtually no power, and that businesses could do anything they wanted with individuals’ private information with nearly no repercussions; but that time is rapidly expiring. With increased state regulations, it is clear that businesses must step up their security game by pseudonymizing their data, rendering the data unidentifiable, so that when that data travels across state lines and organizational boundaries, the data is still protected, as are the business and its reputation. Every business needs to adopt a data-first security posture by protecting the data down to every letter and number, or soon risk major penalties for harms caused by privacy or security failures.
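The deidentification concept mentioned under the CCPA discussion above and the pseudonymization the author calls for here can be made concrete. The following is an added illustration written for this page; it is not code from the article or from Protegrity. It assumes a hypothetical field policy (`DIRECT_IDENTIFIERS`), constructed sample records that do not describe real people, and keyed HMAC-SHA256 tokens: the key and the re-identification vault stay inside the organization, so a partner or a thief of the exported file can neither reverse a token nor confirm a guessed value, while the organization itself can still link records and re-identify them when legally required. The `guess_confirms` function shows why an unkeyed hash of a low-entropy field such as a phone number is not deidentification.

```python
"""Pseudonymize direct identifiers before records cross an organizational boundary.

Added example, not from the article. Tokens are keyed HMAC-SHA256 values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Hypothetical field policy: columns that directly identify a consumer or
# household are tokenized; every other column passes through unchanged.
DIRECT_IDENTIFIERS = ("email", "phone", "ssn")


def normalize(field: str, value: str) -> str:
    """Canonicalize so that 'Ann@Example.com' and 'ann@example.com ' tokenize alike."""
    value = value.strip()
    if field == "email":
        return value.lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return value


def pseudonymize_value(field: str, value: str, key: bytes) -> str:
    """Deterministic keyed token: same field, value and key always give the same
    token (joins across exported datasets keep working), while a different key
    gives an unrelated token (two partners cannot correlate their files).
    The field name is mixed in so equal strings in different columns differ."""
    msg = f"{field}:{normalize(field, value)}".encode("utf-8")
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class Pseudonymizer:
    """Holds the key and the re-identification vault; neither leaves the organization."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}

    def pseudonymize_record(self, record: dict) -> dict:
        out = {}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS and value:
                token = pseudonymize_value(field, str(value), self.key)
                # Keep the first original seen for a token (later rows are equivalent).
                self._vault.setdefault(token, str(value))
                out[field] = token
            else:
                out[field] = value
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Only the key holder, via its vault, can map a token back to a person."""
        return self._vault.get(token)


def unkeyed_hash(field: str, value: str) -> str:
    """What NOT to ship: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(f"{field}:{normalize(field, value)}".encode("utf-8")).hexdigest()


def guess_confirms(token: str, field: str, candidate: str, key: Optional[bytes]) -> bool:
    """Can someone holding an exported token confirm a guessed value?
    With an unkeyed hash (key=None) they simply recompute and compare.
    With HMAC they can only do so if they also hold the key."""
    if key is None:
        return hmac.compare_digest(unkeyed_hash(field, candidate), token)
    return hmac.compare_digest(pseudonymize_value(field, candidate, key), token)


# Constructed sample records (fictional consumers, not real data).
SAMPLE_RECORDS: List[dict] = [
    {"email": "Ann@Example.com", "phone": "(415) 555-0100", "ssn": None,
     "zip": "94105", "purchases": 3},
    {"email": "ann@example.com ", "phone": "415-555-0100", "ssn": None,
     "zip": "94105", "purchases": 1},
]


def export_for_partner(records: List[dict], pseudonymizer: Pseudonymizer) -> List[dict]:
    """The only form in which records leave the organization."""
    return [pseudonymizer.pseudonymize_record(r) for r in records]


if __name__ == "__main__":
    p = Pseudonymizer()
    exported = export_for_partner(SAMPLE_RECORDS, p)
    for row in exported:
        print(row)
    print("same consumer in both rows:", exported[0]["email"] == exported[1]["email"])
    print("re-identified by key holder:", p.reidentify(exported[0]["email"]))
```

Two design points matter in practice: the key must be managed like any other secret (rotation changes every token, so plan re-export or key versioning), and quasi-identifiers such as ZIP code pass through here, so this tokenization addresses direct identifiers and does not by itself make a dataset anonymous.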

KEYWORDS: CCPA cybersecurity data breaches GDPR

Dominic Sartorio is SVP Products and Development of Protegrity.
