Friday, February 26, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

Navigating the California Consumer Privacy Act

What Organizations Need to Know and Do to Stay on Top

by Mark Sangster
November 12, 2019
in Data Privacy, Featured
compass on map

With the California Consumer Privacy Act (CCPA) going into effect shortly, eSentire’s Mark Sangster deliberates on evolving data privacy laws and how companies can ensure stronger data privacy for customers.

The 2018 Cambridge Analytica scandal was a watershed moment for citizen privacy and the protection of our information rights. Consumers gained a greater understanding of the fact that when a product or service is “free,” it means their own information is the actual product. This is perhaps the greatest industrial revolution: the consumer is the product. Not only did it create an uproar, but it also resulted in significant financial penalties. The Federal Trade Commission (FTC) fined Facebook a record $5 billion for giving Cambridge Analytica improper access to its users.

The settlement is important, because it demonstrates that the FTC is taking consumers’ data privacy seriously. The scandal has also caused many consumers to reconsider what information they post – and whether they post at all – on social media and how many companies hold their personal information. In the case of Facebook – and, by extension, all other organizations with an online presence –  when no privacy guarantees were ever proffered fully by the company, it represented a violation of implied trust.

In the European Union, the General Data Protection Regulation (GDPR) was established before the Facebook scandal became known. It was implemented in response to many other violations of trust and data collection – both intentional and accidental – as more and more companies collect citizens’ digitized personal information. The GDPR lays out stringent guidelines for what types of data organizations can collect and what they are allowed to do with it, complete with hefty fines for noncompliance. U.S. companies conducting business in the EU or holding data on EU citizens are subject to GDPR, but attempts to pass anything like GDPR in the U.S. have so far failed to gain significant traction.

The Origins of the California Consumer Privacy Act

The California Consumer Protection Act (CCPA) is perhaps the “Plymouth Rock” of privacy. The U.S. constitution contains no express right to privacy. It’s typically left up to the civil court system to decide on such matters as governed by state law or precedent. There’s no explicit equivalent of, say, Canada’s PIPEDA or Japan’s AAPI online privacy legislation. However, when data privacy legislation called the California Consumer Protection Act (CCPA) was introduced last year, it was passed within weeks of its introduction.

Clearly, there was an appetite, at least in tech-heavy California, for GDPR-style protections. The CCPA’s quick passage was also widely seen as a compromise with online companies that were eager to prevent a tougher citizen proposal from going onto the ballot. The legislation grants consumers new rights with respect to the collection of their personal information and goes into effect on January 1, 2020.

How Will the CCPA Affect Companies?

First and foremost, the CCPA is about privacy. It requires full disclosure from companies regarding the collection of personal information – everything from what details they are keeping to what sources that information is coming from and why they are collecting it.

It also includes the right for citizens to opt-out of having their information/data sold. Users and customers will have to be notified from the get-go about their information; they will have to acknowledge that their information is being collected, but they can choose not to allow those companies to sell their information to other companies. CCPA goes one step beyond GDPR to not only define privacy rights, but also expose the economic value of consumer data.

Similarly to GDPR’s right to be forgotten, CCPA includes the “right to be deleted.”

Companies won’t be allowed to retaliate against those customers who opt out of allowing their information to be sold by charging them higher fees or rates. A company like Google, for instance, wouldn’t be able to respond to a user opting out of having their information sold by then charging them (more) or restricting access to certain services.

How Companies Can Understand the Risks and Prepare

One of the major aspects of CCPA is that companies will have to declare the value of the data they are collecting – so if a company planned to sell that data, they would need to declare its resale value.

Organizations will need to find a way to ensure that every department understands what the requirements are under CCPA. Companies that fall within CCPA’s jurisdiction will need to map all of the information they collect. For many, they’ll find that certain departments have no understanding of the implications that arise from the information they regularly gather.

For instance, the marketing department may store sales information about customers and prospects in a customer relationship management (CRM) tool to create stronger buying personas. However, marketers are likely unaware that CCPA will require documentation of where that data came from and why it is being used. And in a situation like this, pleading ignorance is no longer a viable defense.

Companies will need to be able to fully map where the information goes, including across their supply chain, with a justified purpose. They will have to work to ensure they’re conducting due diligence and analyzing the benefits versus the risks to justify their actions to regulators if they come calling. This will help prevent “shiny object syndrome,” or a hoarder’s mentality in which companies collect all the data they can in the hopes that it will someday be useful.

In addition, companies must be able to secure this data. This will change how vendors are chosen. Organizations will need to analyze the risks associated with that vendor by conducting due diligence, then establish controls. They will have to put monitoring in place to ensure their vendors are in compliance with those data controls.

Stronger Security Ahead

The CCPA represents the first legislation of its kind to pass in the U.S., but it’s certainly not the last. This year, more than 20 states have considered data privacy legislation, though only Maine, Illinois and Nevada actually passed laws. California will be an acid test to watch as of January 1 of next year, when the legislation takes effect. It’s particularly interesting to watch, given how many of the biggest names in tech are also based in the Golden State.

But privacy legislation of this kind shouldn’t and doesn’t need to be seen as crippling to business. It can actually be a business advantage by forcing companies to really evaluate their supply chain and partners to understand how and why data is being stored and collected. This can ultimately protect not just consumers’ privacy, but companies from damaging breaches or other security incidents in the long term as they get a better handle on their data.


Tags: CCPA/California Consumer Privacy Act
Previous Post

The Unaoil Exec’s Guilty Pleas: The Ahsanis’ Criminal Information

Next Post

Anticipating the Next New Variety of Cybersecurity Litigation

Mark Sangster

Mark Sangster is the Vice President and industry security strategist at eSentire. He is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that organizations integrate cybersecurity into their day-to-day operations. In addition to his passion for cybersecurity, Mark’s 20-year sales and marketing career was established with industry giants like Intel Corporation, BlackBerry and Cisco Systems. Mark’s experience unites a strong technical aptitude and an intuitive understanding of regulatory agencies. Mark holds a bachelor’s degree in psychology from the University of Western Ontario and a business diploma from Humber College.

Related Posts

woman looking at horizon from mountain top

What’s on the Horizon for Anti-Corruption Enforcement?

February 25, 2021
cannabis leaf on $100 bill

The Intersection of EDD and Banking Cannabis

February 24, 2021
gold cup award on red background with stars

Ethisphere Announces the 2021 World’s Most Ethical Companies

February 23, 2021
illustration of hand holding flashlight illuminating hidden stairs

The Corporate Transparency Act: Pulling Back the Veil

February 23, 2021
Next Post
blue polygonal whistle on dark background

Anticipating the Next New Variety of Cybersecurity Litigation

Access realtime data
Addressing systemic racism in the workplace SAI Global
Dynamic Risk Assessments with Workiva
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights