
SECURITY & RISK

Get ready for California's new data-governance law
Preparation and compliance tips for CIOs and CISOs

SEPTEMBER 23, 2019

BY GRANT GROSS

› Over 500,000 companies will be impacted by the California Consumer Privacy Act
› Unlike GDPR, CCPA offers "opt-out" provisions that will require enterprise support
› Companies will need to improve data infrastructure to better manage and secure customer data profiles

Chief security officers already have their hands full with
escalating risks and costs of data breaches, not to mention a
global talent shortage. Now they're facing more challenges
from regulators, who continue to dole out new requirements for data
security and privacy compliance in many markets.
The first jolt came with Europe's General Data Protection Regulation
(GDPR), which introduced sweeping new privacy protections in 2018
for consumers and defined some early guardrails around the use of
automated decision-making and artificial intelligence. In the UK alone,
the national data protection authority that enforces GDPR, the
Information Commissioner's Office (ICO), has already announced more
than $440 million in fines for major breaches and violations.

Now comes an even more stringent set of data-governance controls
from the U.S. The California Consumer Privacy Act (CCPA), which
takes effect January 1, 2020, will require companies doing business in
the state to disclose what personal information they collect and why,
to honor consumer requests to access and delete that information, and
to let consumers opt out of the sale of their data to third parties.

The rules will force thousands of companies to upgrade their data
infrastructure, adopt new data-management practices, and ensure
that staff is trained in new privacy and cybersecurity protocols.

Because of its broad scope and California's outsized economy, the
CCPA will likely influence additional state and federal efforts to
regulate data security and consumer privacy. "Regulation like this is
here to stay," says Barbara Kay, senior director of security and risk
product marketing at ServiceNow.

Smart companies, she adds, should view CCPA as a strategic opening,
not just another compliance headache. "Consider CCPA a '1.0 Project' to
adapt your foundation for data usage, access, hygiene, and compliance
reporting."

How CCPA compares with GDPR

California is the world's fifth-largest economy, with a $2.9 trillion GDP.
The CCPA applies to all companies that meet at least one of these
three requirements:

› Annual revenue of at least $25 million;
› Handle the personal information of at least 50,000 California consumers, devices, or households;
› At least half of its revenue comes from selling California consumers' personal information.

More than 500,000 U.S. companies meet the threshold, according to the
International Association of Privacy Professionals.
The California law has several similarities with GDPR, but there are
some important differences. (See box.) Where GDPR generally requires
companies to establish a legal basis, such as consent, before they
collect and use consumer data, CCPA instead gives consumers an
"opt-out" right to block the sale of their data to third parties.
Companies must also add a "Do Not Sell My Personal Information" link
on websites and mobile apps.

Under CCPA, covered businesses must also disclose the personal
information they collect, sell, and share, and they must delete personal
information if consumers request it. In addition, CCPA defines
"personal information" somewhat more broadly than GDPR defines
"personal data": it explicitly lists a user's browsing and search
histories, and it extends to information linked to a household or
device, not just to an individual.
In other ways, the CCPA is less restrictive than the GDPR. For instance,
the California law doesn't require companies to show a "legal basis" for
collecting consumer data, such as a contract that requires data
collection.

Bottom line: Companies need to understand the differences between
CCPA and GDPR. "CIOs who believe they're automatically compliant
with CCPA because they have already ensured GDPR compliance are
in for a shock," says Ray Walsh, a UK-based digital privacy expert.


Even if your company doesn't come under CCPA jurisdiction, you
should pay attention to the new privacy requirements, as more are
sure to follow. While the current U.S. Congress has passed several
piecemeal bills on data privacy, a comprehensive federal law remains
on the drawing board. That's one reason why more states are expected
to follow California's lead with their own regulations.

Key challenges
The CCPA presents significant challenges. Companies will need to
maintain up-to-date data profiles about the information they hold on
all customers. They also need to preserve inventories of all customer
data on hand, including metadata and licensing information.

That's more difficult than it sounds, given the rapid growth of
enterprise data. (The "Global Datasphere," a measure of how much
data companies generate annually, will expand five-fold by 2025,
according to IDC.)

"Data collection has become so routine in many industries that many
businesses don't have complete awareness of what they have," says
Stephen Newman, a partner at law firm Stroock & Stroock & Lavan in
Los Angeles.

A bigger challenge is compliance with CCPA's opt-out provisions.
While it's not clear how many consumers will pursue opt-outs, the
numbers could be significant. In a recent trial conducted by privacy-
rights vendor Truyo, one major retailer placed a "do-not-sell" link on
the home screen of its mobile app. The link took users to a page with
more information. Of the 30 million users who saw the link, 4%, or 1.2
million people, clicked through. In 2020, those users will have the
additional choice of completing the opt-out.

Companies also face new litigation risks under CCPA. When a data
breach results from a company's failure to maintain reasonable
security, affected consumers will be able to bring lawsuits, including
class actions, for statutory damages of $100 to $750 per California
resident per incident, or actual damages, whichever is greater. That's
a bigger number than it seems: The $700 million settlement reached
after the massive 2017 Equifax data breach pays out just $125 to each
claimant, and only if they meet specific requirements.

It will be neither easy nor cheap for companies to deal with these new
risk and compliance challenges. The silver lining is that building
stronger risk management muscles can have longer-term payoffs.
“They can be a good driver of integrating risk management into day-
to-day experiences,” says ServiceNow’s Kay. “That’s the reality of the
digital world we navigate today.”

Key differences between CCPA and GDPR

Issue: Covered businesses
› GDPR: Companies established in the EU, or offering goods and services to EU residents
› CCPA: Companies with annual revenue over $25M; or holding data on 50K or more California residents, households, or devices; or deriving 50% or more of revenue from selling personal information

Issue: Enforcement arm
› GDPR: The data protection authority of each EU member state
› CCPA: California attorney general

Issue: Allowance for civil penalties
› GDPR: Determined as a percentage of global annual revenue
› CCPA: Up to $2,500 for each violation, or $7,500 for each intentional violation

Issue: "Cure" period
› GDPR: None provided
› CCPA: 30 days after written notice of a violation, before an enforcement action or a consumer claim for statutory damages can proceed

Issue: Breach reporting timeline
› GDPR: 72 hours after awareness of breach
› CCPA: No deadline set by CCPA itself; California's existing breach notification law requires notice "in the most expedient time possible"

Issue: Private right of action
› GDPR: Individuals can pursue claims for damages
› CCPA: Individuals can bring actions over breaches caused by a failure to maintain reasonable security, recovering statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater

Issue: Consumer access requests
› GDPR: Companies must provide at least one method for service requests
› CCPA: Companies must provide at least two methods, including a toll-free telephone number and, if the business has a website, a web address

Issue: "Do Not Sell My Personal Information" webpage
› GDPR: Not required
› CCPA: Required

Grant Gross is a long-time tech policy reporter and former senior
editor at IDG News Service. He writes about topics such as net
neutrality, electronic surveillance, cybersecurity, and digital copyright
legislation.
