California Consumer Privacy Act: The Need for Data-Centric Security

The California Consumer Privacy Act (CCPA) is the latest in a series of global privacy regulations. It comes with new requirements for handling personal data and is accompanied by severe penalties. Consequently, businesses must take appropriate action to comply with CCPA. While handling consent and opt-outs is at the forefront, successful mitigation of risks starts with data-centric security – it is about understanding where personal data resides and encrypting or anonymizing that data whenever possible. This is where technology such as data tokenization becomes an essential element for every business.


Introduction

Regulations impact the way businesses operate, but also how technologies evolve. Over the past few years, a series of new data privacy regulations have started impacting businesses around the globe more than ever before, while also leading to technological advancements. One of the latest regulations in that series is the California Consumer Privacy Act (CCPA). Having come into effect on January 1st, 2020, CCPA raised the bar on processing and selling personal data for businesses in California, and is expected to have a broader impact – beyond the state of California. Businesses must take appropriate organizational and technical actions to comply with CCPA and to limit the consequences should data breaches and fraudulent use of data occur.

With potentially very severe fines, it is essential to mitigate these consequences. This requires more than an adequate organization with defined accountabilities and responsibilities and good processes, policies, guidelines, and controls in place. It also requires a well-thought-out set of technologies that help in both complying with CCPA and limiting the scope and consequences of potential incidents.

Such technologies include tools to manage consent and opt-in/opt-out. They include data discovery for both structured and unstructured data. They include IAM (Identity and Access Management) to limit access to systems holding personal data. They also include technologies for the de-identification of personal data. Tokenization, format-preserving encryption, or data masking are examples of such technologies.

These technologies enable adequate data protection and help to anonymize such data. It is important to note that anonymized data is not considered personal data anymore and it has no value to bad actors.

Businesses should take CCPA very seriously. The penalties are severe, including class-action lawsuits for damages. The less data that can leak, the lower the potential damage. For this reason, partial consent and opt-out handling is woefully inadequate for effective mitigation of CCPA-related risks, just as such a strategy would be completely insufficient for GDPR and other global privacy regulations. What is required is a broader perspective, starting with protecting the data itself.

Data tokenization is of specific interest here because it helps businesses balance their need for processing personal data against the requirements of adequate data protection. In many use cases, anonymized data is sufficient to fulfill the business demand, including such scenarios as patient data in clinical trials. Tokenization allows the applications to continue working in the same manner as before, without exposing personal data.

It is worth noting that tokenization, data masking, and format-preserving encryption help mitigate the risk of unprotected personal data spreading uncontrollably throughout an organization. Whoever needs access to personal data in the clear must request it first, which extends the need for security controls to these “data in the clear” use cases. This is in contrast to the common scenario of today for many businesses and use cases where personal data is processed and exported to other applications and files and quickly spins out of control. If data is either anonymized or if users must specifically ask for re-identification, it will lead to far greater control of personal data.
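As an added illustration of the tokenization approach described above (example code written for this page, not the author's or any product's code), a minimal vault that hands applications format-preserving tokens and only re-identifies on an explicit, role-checked and logged request; the role names, the format rule and the sample values are assumptions.

```python
import secrets
import string


class TokenVault:
    """Constructed example: clear personal data lives only inside the vault.

    Applications receive tokens that keep the shape of the original value
    (digits stay digits, letters stay letters, separators stay in place), so
    existing validation and display logic keeps working on tokenized data.
    Re-identification is an explicit request that is checked against a role
    policy and written to an audit log, allowed or not.
    """

    def __init__(self, allowed_roles):
        self._by_value = {}                 # clear value -> token (same value, same token)
        self._by_token = {}                 # token -> clear value
        self._allowed = set(allowed_roles)  # roles permitted to re-identify (assumed policy)
        self.audit_log = []                 # (requester, role, token, allowed)

    @staticmethod
    def _shaped_like(value: str) -> str:
        # Random token with the same format as the input (hypothetical format rule).
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)              # keep '-', '@', '.', ' ' in place
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]    # deterministic, so joins and lookups still work
        for _ in range(100):
            token = self._shaped_like(value)
            # A token must not equal the clear value or already stand for another value.
            if token != value and token not in self._by_token:
                self._by_value[value] = token
                self._by_token[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token: str, requester: str, role: str) -> str:
        allowed = role in self._allowed and token in self._by_token
        self.audit_log.append((requester, role, token, allowed))  # every request is logged
        if not allowed:
            raise PermissionError(f"re-identification denied for {requester} ({role})")
        return self._by_token[token]
```

Constructed sample values such as a card-number-shaped string or an e-mail address keep their separators, length and character classes in the token, which is what lets downstream applications run unchanged.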

We strongly recommend businesses take decisive action for CCPA and related privacy regulations today and plan beyond the obvious solutions such as consent management. Without control and knowledge of where personal data resides and how it flows within and beyond the organization, most of the risks of not complying with CCPA will increase. Data-centric security is essential for a successful CCPA strategy.


CCPA & more: What regulations require today

CCPA is one of the latest in a series of new privacy regulations across the globe that affects businesses and comes with potentially very severe penalties. It is essential to understand the impact and requirements of CCPA. Specifically, with the potential for class-action lawsuits for non-compliance, implementing well-thought-out data-centric security to limit the impact of incidents is crucial.

Regulations have always influenced businesses and technical evolution. This holds true again today for the way businesses deal with the privacy of personal data and for the technologies that are, or are becoming, available to support businesses in complying with the privacy regulations.

With CCPA having become effective on January 1st, 2020, businesses must act now

Over the past few years, there have been three major regulations in data security and protection, across various global regions. There is the already well-known EU GDPR (General Data Protection Regulation), concerning all business that is done within the EU or affecting EU residents. There is the Singapore PDPA (Personal Data Protection Act), which is relevant to businesses operating in Singapore and appears to be the strictest privacy regulation in APAC. And, finally, there is CCPA (California Consumer Privacy Act), which is part of the California Civil Code and was signed into law in June 2018. As mentioned before, CCPA became effective on January 1st, 2020.

Delay is no longer an option – businesses need to act now, regardless of which of these regulations may apply to them. For global companies, there is a good chance that all three regulations apply. However, even if only one of these applies, the actions to take are fairly similar given that these regulations overlap in major areas. Businesses should also keep in mind that all three come with significant fines for non-compliance and, at least with GDPR and CCPA, a significant risk of being ordered to pay statutory damages.

Without venturing into the detail of similarities and differences between these regulations, there is significant overlap. While GDPR is, overall, the strictest of these regulations, CCPA also comes with fundamental changes to the way many businesses must treat personal data today, also sometimes referred to as PII (Personally Identifiable Information). Sanctions and remedies are substantial, so businesses should take action to comply with CCPA, but also to adequately protect personal data and to avoid becoming the victim of a data breach.

CCPA, like GDPR, has an extra-territorial scope and is relevant not only to businesses that are resident in California but also to those doing business within California and with California residents.

Like GDPR, CCPA has some extra-territorial scope. GDPR impacts all organizations doing business within EU member states or – and this is where the extra-territorial aspects come in – with EU residents. In consequence, this also affects businesses outside of the EU. CCPA has, in a similar way, a scope impacting all California businesses and all companies doing business with California residents. As with GDPR, it doesn’t matter where the business resides, but where the individual resides and the business happens. CCPA is more than a local regulation.

CCPA, like GDPR, comes with a list of key principles and intentions:

    • Individuals must be able to gain knowledge about the collection of their personal data.
    • They have the right to know whether their personal data is sold or disclosed and to whom. Specifically, the “to whom” part is a key element in CCPA.
    • They have the right to block sales of their personal data.
    • They have the right to access their personal data.
    • They have the right to “be forgotten”, i.e., requesting the deletion of their personal data if that data is collected directly from the consumer.
    • They must not be discriminated against for exercising their privacy rights.

There are several other relevant requirements. Businesses must, for example:

    • implement parental or guardian consent for minors (which technically might become quite complex in implementation),
    • provide links to facilitate the exercise of privacy rights, such as “Do not sell my personal information”, and
    • maintain updated privacy policies.

In contrast to GDPR, CCPA works with an opt-out approach for the use of personal data, not an opt-in as GDPR does. However, businesses must avoid requesting opt-in consent for 12 months after an opt-out – which is another requirement that is challenging from a technical implementation perspective.

Different again from GDPR, with CCPA there are some more limitations regarding the businesses considered to be “in scope”. Either the annual gross revenues must be above US $25 million, or the business possesses more than 50,000 records of consumers, households, or devices, or the business earns more than half of its annual revenue from selling consumers’ personal data. In practice, the second threshold is the one that will make CCPA applicable to many businesses – for example, 50,000 records of consumer IoT devices is a fairly small number to attain.

CCPA, like GDPR, comes with considerable fines for intentional and unintentional violations, which are up to US $7,500 for intentional and US $2,500 for unintentional violations. Note that this is per record, so fines can add up to very substantial amounts. For GDPR, the maximum fine is up to 20 million € or 4% of the annual gross revenue of the group, whichever is higher. While there is a cap for GDPR, there is no cap for CCPA.

Furthermore, there is the right for victims to file class-action lawsuits, resulting in statutory damages between US $100 and US $750 per individual, or even greater actual damages. Notably, there is a similar clause in GDPR, which allows for civil lawsuits, in addition to the standard penalties.

When taking all these requirements and potential penalties into account, there is no way to ignore the CCPA requirements. Businesses must act now!

Download the white paper by KuppingerCole to gain valuable insights on:

    • The six key actions to achieve compliance with CCPA.
    • The role of data-centric security for CCPA compliance: discovery and anonymization of data are key to success.
    • How tokenization, format-preserving encryption, and data masking help in meeting regulatory requirements of CCPA as well as mitigating risks of data breaches and fraudulent use of personal data.
    • Some recommendations for businesses on how to prioritize their actions for becoming CCPA ready.

Author

As Founder and Principal Analyst, Martin Kuppinger oversees all areas of KuppingerCole research and has outstanding expertise in areas such as cybersecurity, blockchain, and AI.

KuppingerCole Analysts, founded in 2004, is an international and independent analyst organization headquartered in Europe and among Europe’s leading analysts on the topics of Information Security in the era of Digital Transformation. The company specializes in offering neutral advice, expertise, thought leadership and practical relevance in Information Security, Identity & Access Management (IAM), Governance (IAG), Risk Management & Compliance (GRC) as well as all areas concerning the Digital Transformation. KuppingerCole supports companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges. Maintaining a balance between immediate implementation and long-term viability is at the heart of KuppingerCole’s philosophy.