This blog is part of a limited series on California’s Consumer Privacy Act (CCPA) from CompTIA’s IT Security Community. Check out the previous articles: How MSPs Can Cash In on the California Consumer Privacy Act; 4 Steps to Prepare Your Clients for the California Consumer Privacy Act; and Company-Wide Security Compliance: 4 Things to Do and 1 Thing to Avoid.
Managed services providers—and any tech business with personal information in the U.S.—should be preparing for the California Consumer Privacy Act (CCPA). There's not much time left to map out a slew of client data, draw up a gap analysis, build out a compliance roadmap and implement privacy protection plans.
CCPA applies to anyone who annually buys, receives, sells or shares personal information of 50,000+ consumers, households or devices. It doesn’t take long to get to that number, said global security evangelist Tony Anscombe in a special presentation by CompTIA’s IT Security Community at ChannelCon 2019, and there are some serious consequences if you don’t play by the rules.
Whether you work in targeted advertising or handle personally identifiable information (PII) firsthand or even secondhand, California is setting the tone for data protection and you need to be paying attention. But it’s not a cut-and-dried implementation. Here are three reasons CCPA is raising blood pressure across the IT community.
A Moving Target
Even though the CCPA bill was passed by the California State Legislature and signed into law by Gov. Jerry Brown in 2018, the law is still being written. “There’s lots of amendments,” Anscombe said. “This is not set in stone.”
CCPA began as a ballot initiative created by three private individuals who felt there should be more privacy controls available to consumers. Six days before the ballot initiative could be voted on, lawmakers decided it would be better if CCPA was introduced as state legislation—because a ballot initiative can’t be amended.
“There was this humongous rush,” Anscombe said, as lawmakers hammered out definitions of personal information and what “sale” means under CCPA. Gov. Brown (D-California) signed CCPA into law Oct. 11, and then the state’s attorney general released official CCPA regulations later in October.
Late in the game, California lawmakers were still hammering out details like whether or not to require a data protection officer (DPO), an enterprise security leadership role required by Europe’s General Data Protection Regulation (GDPR). “It’s a go-to person for the business, and I believe CCPA should have this and this person should have a mandate from the CEO,” said Anscombe.
Within CCPA, consumers have rights related to their personal information. People have the right to know where their personal information lives, who it’s being traded to and how to opt out of programs they don’t like, with a provision that they not be discriminated against for opting out. CCPA also includes a consumer’s right to sue, said Anscombe, and data breach victims can sue for damages from $100 to $750 per incident.
“If you’ve got a class action suit and you’ve got data of 400,000 Californians—and it’s not impossible to think of a business that has that much data sitting there—at $100 each, that’s $40 million dollars. It’s potentially a very big fine,” he said.
Under the new law, which goes into effect January 1, 2020, all businesses that deal in data will be culpable for mistakes.
CCPA also includes a provision for tiered fines, and having security compliance in place can cut the risk for companies in the business of technology. Flagrant violators fall in a higher tier, while documented security training could potentially drop an organization into a lower-fined tier.
A Close Deadline
MSPs will be expected to be in compliance by January 1, 2020 or face the possibility of individual and class action lawsuits. AG enforcement will start July 2020 or six months after the final amendments to CCPA are made.
For those who think GDPR compliance is going to cover CCPA, think again. The two laws differ in several ways, the first being citizen versus resident definitions. “CCPA is about California residents. If you don’t live in California it doesn’t protect you,” Anscombe said. “With GDPR, if you travel to Europe you’re covered by GDPR regardless of the fact you’re a U.S. citizen. It’s about the place where you are at the time you do something.”
To get started on your CCPA compliance plans, Anscombe recommended these next steps: get your head around the timeline and nail down your definition of reasonable security. One of the easiest ways to start is to get rid of any old data that’s cluttering up your servers. “Every now and then you go into the garage and throw the junk out,” he said. “If you’ve got no business holding it, get rid of it.”
For more on CCPA and how it can work for your business, join CompTIA’s IT Security Community.