More companies are doing more business online to survive the pandemic, and that’ll create even more data privacy concerns going forward. At the same time, new privacy regulations have taken hold, most notably the California Consumer Privacy Act, effective in January with enforcement starting in July. It will impact hundreds of thousands of companies.
The CCPA grants a lot of new rights to California consumers, including the right to know what personal information is collected, used, shared or sold, the right to have personal information deleted, and the right to opt-out of the sale of personal information. Companies that collect the personal information of 50,000 people or more every year, as well as businesses with annual revenues above $25 million, are among those subject to the act.
How rigorous California will be with enforcement amid the current situation is unclear. But the regulation is clearly here to stay and many companies are probably not prepared, including those doing more online sales and remote work as a result of the pandemic. Online retail and e-commerce activity, for instance, is soaring in the U.S. given stay-at-home orders. In a pre-pandemic poll last year, only 34 percent of companies said they expected to be compliant with CCPA as of January, with 45 percent taking a wait-and-see approach as to whether they’d be fined for noncompliance. In addition, work from home brings new challenges and security risks to businesses who were used to strictly controlled corporate environments. Recently, California’s attorney general denied an industry request to delay enforcement to give pandemic-impacted companies more time to prepare.
The failure of companies to get ready for the European Union’s General Data Protection Regulation, which was effective in May 2018, may be indicative of what’s to come for CCPA. Despite having years to prepare for GDPR, breach notifications have exceeded 160,000 in Europe, with imposed and threatened fines in the millions of dollars. The CCPA came up much more quickly, and regulatory guidance was still being refined as of March.
Moving Toward Compliance
The big lesson from the GDPR failures is that getting privacy and data protection right requires companies to have a data-centric approach to what they do. In addition to perhaps collecting more data than ever given our increased online existence, many companies also have tons of data in silos, data lakes and other places.
Here are five steps to help companies move toward regulatory compliance, and to be more skilled in safely sharing data across ecosystems of customers and suppliers. By being able to safely share analytics, companies will achieve a competitive advantage.
- Understand what data you have, especially data gathered about consumers. How do you collect it? Where is it stored? Who has access to it? Is it shared? By inventorying data, you more readily identify exposures in terms of privacy regulations.
- Identify business processes powered by data. A big risk with CCPA is data held by third parties -- data brokers, marketing agencies and partners, and web application providers. In some cases, data sharing may occur—putting companies at risk of violating regulations—even if sharing isn’t needed simply because it occurs because of old business processes. By knowing how data is used, and by whom, you see whether data is being used correctly.
- Fix exposures. Stop unnecessary data flows. Update business processes or add tools to fix problems. Many businesses are still working through their ecosystems to identify the most risky marketing systems, including where it is easy to sell data.
- Update data disclosures. The CCPA requires businesses to provide notice to consumers at or before data collection. This is an easy fix to make — assuming you know what data you’re collecting and what it’ll be used for.
- Segment data analytics. Limit exposure by segmenting data analytics from raw data. By sharing just the insights, there’s less risk that underlying data will be unduly shared.
While coming into regulatory compliance is a must-do, as evidenced by GDPR breaches and fines, the big pay off for companies will be to use data and data analytics as a competitive advantage. By efficiently and safely sharing data and data analytics, companies will be better positioned to serve consumers with more personalized services and products.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.