The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, gives Californians more control over the information businesses collect on them and imposes new penalties on businesses that don’t comply. Similar in many respects to the General Data Protection Regulation (GDPR) that was implemented in the European Union in 2018, the CCPA grants California residents the right to know what personal data businesses collect on them and to access that data, request that their data be deleted, know whether their data has been sold or disclosed, and prohibit the sale of that information to third parties.
CCPA’s Impact Goes Far Beyond California
The CCPA applies to consumers (aka “data subjects”) who legally reside in California, but it will have major implications for enterprises as well. On the processing side, the CCPA applies to for-profit entities that collect consumers’ personal data, do business in California, and satisfy at least one of the following thresholds:
- Have annual gross revenues in excess of $25 million
- Possess the personal information of 50,000 or more consumers, households, or devices
- Earn more than half of their annual revenue from selling consumers’ personal information
While the CCPA’s scope is more limited than that of the GDPR, its relevance to U.S. businesses is enormous. One in eight U.S. residents lives in California, and the state has the world’s fifth largest economy – ahead of the UK. Moreover, in the absence of a federal regulation, California’s privacy law may well become the de facto standard that other states will follow in framing their own regulations.
Another consideration for businesses pondering their CCPA strategy is the increasing awareness and sensitivity of consumers to privacy issues, particularly following the Facebook/Cambridge Analytica scandal. In addition to potential fines, failing to comply with the CCPA could cause serious brand damage.
The Problem: Lack of Visibility and Control over Unstructured Data
What we learned from our customers’ GDPR compliance efforts is that the main challenge is knowing what personally identifiable information (PII) an enterprise has and being able to locate it on demand. This is especially difficult with respect to unstructured data (e.g., documents, spreadsheets, videos and other files not residing in a structured database), which in distributed enterprises can be strewn across thousands of remote office servers, employee workstations, laptops and mobile devices. These types of files are also subject to CCPA guidelines.
To ensure the privacy of customers’ personal data and to comply with existing and future regulations, IT managers need to focus their efforts on identifying and securing their key data assets. The success of this data strategy depends on being able to discover those assets, classify them and apply the appropriate security measures in an effective and transparent manner.
What You Need to Achieve CCPA Compliance
The first step towards tackling this problem is to consolidate your unstructured data (regardless of where it is created) in a single global namespace. Once your data is managed and stored in a centralized and sharable repository, you can then implement data classification tools that allow you to categorize data and search for PII.
CCPA compliance (like GDPR) also means being able to comply with consumer requests related to their personal data. With a global file system in place, it’s easy for an IT admin to comply with a delete request and remove the specific file(s) from the repository and all global devices in an automated and synchronized manner. Such a solution also facilitates efficient and secure transfer of personal information requested by a consumer.
In the context of file services, enterprises require tools that allow them to define, implement and enforce privacy and security policies that govern the access and usage of files, including those that contain ‘personal data.’ For example, they need to be able to enforce a security policy that requires certain types of data to be encrypted both at rest and in transit.
Closing the Security Gap
Unlike GDPR, CCPA doesn’t stipulate specific security measures companies need to take. Nor does it dictate technical requirements for how or where to store customer data. However, in the event of a data breach, companies will be held accountable for lax security.
The CCPA stipulates that companies that have failed to adopt reasonable measures to protect private information will be subject to enormous fines for all pre-existing violations. For example, if your company accidentally leaks the PII of 10,000 consumers due to negligence, you’d be subject to a $25 million fine (triple that amount in the case of an intentional violation). If that’s not enough, you’d also be liable for actual damages related to the data breach. In other words, be ready to show you took “reasonable” measures.
It’s also worth remembering that these are still early days. The fact that the CCPA has no specific security requirements now does not mean this will be the case in five years’ time. In fact, the opposite is probably true. Accordingly, businesses operating in California would be well-advised to revisit and augment their data management procedures and security practices going forward.
If your enterprise does any form of business in California, it’s almost certain that your data privacy practices need to comply with the CCPA. If your business is already aligned with the GDPR, you’ve got a major head start on achieving CCPA compliance.
If your company is new to the game, focus your CCPA compliance strategy on improving data management and governance capabilities. Deploying a global file system with strong security enforcement can help you gain visibility into distributed and unstructured data, which is a critical first step towards CCPA compliance. By adopting such an approach, you’ll be able to strengthen your data privacy practices, protect against data breaches and prepare your organization for new regulations in the future.