Privacy Matters: A Look at the California Consumer Privacy Act
By Rob Wayt, CISSP-ISSEP, HCISPP, CISA, CISM, CRISC, CEH, QSA
Sometimes we could all use a little privacy. Some downtime to unwind without being bothered by phone calls, emails and social media updates. Our world is moving faster and faster in the digital age, with no signs of slowing down. In a related way, this is exactly what privacy legislation and regulation is aimed at relieving.
What is privacy with regard to electronic information? How is it different from security?
In simple terms, security is the effort made to keep sensitive information safe. Think policies, firewalls, antivirus, encryption, MFA, and numerous other technologies. Privacy, meanwhile, utilizes aspects of information security but is actually more focused on the rights of the subject — including capabilities to control who has their identifying information and what can be done with it.
Privacy of electronic information has been an area of growing concern for more than 20 years. The first major legislation to address personal information privacy was the Health Insurance Portability and Accountability Act (HIPAA), which became effective in 1996. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) went into effect to promote the adoption and use of electronic health records and information technology. In May of 2018, the General Data Protection Regulation (GDPR) became enforceable. This regulation provides privacy protections for subjects of the European Union and affects businesses all over the world – including those in the United States.
Enter the California Consumer Privacy Act
Now, the California Consumer Privacy Act (CCPA), which is potentially the most restrictive privacy legislation to date, is set to be effective on Jan. 1, 2020. This law will affect the identifying information of California residents, and will require for-profit entities that do business in California and collect consumer information to comply if they meet ANY of these qualifiers:
- Has annual gross revenue of more than $25 million
- Buys shares or buys information of 50K people
- Earns 50% or more of annual income from selling personal information
Breach fines will be significant, as can be expected. Statutory damages will include penalties of $100-$750 per incident per resident, and class action lawsuits could levy fines as high as $7,500 per violation incident. A business weighing the risks noncompliance will most likely be given plenty of motivation to comply.
The goal of CCPA is enhanced information privacy. To accomplish that, several rights are afforded to California consumers. The subject of the personal information has these Rights:
- To know what personal information businesses collect about you and your children and what they do with it, including to whom they sell it.
- To say No to sale of personal information.
- To know if your information has been sold.
- To get access to your personal information.
- To be forgotten or erased from all systems.
- To no discriminatory action for not opting in.
These rights, while providing control to consumers over the proliferation of their private information, will have a significant impact on those organizations that aim to comply with CCPA. Data systems that collect consumer information must be upgraded to provide the rights listed above. These will require significant programmatic changes, or the deployment of an entirely new set of data management systems. Consider that privacy information includes the regular PII and cookies, geo location markers, and device identifiers, and you can see the complexity that is required for compliance.
Where does CCPA compliance start?
Security is not completely forgotten in the requirements. CCPA calls for reasonable measures to be employed, which could be met by leveraging one of the available information security frameworks. The CIS Controls would be a starting point, or even more advanced framework like ISO 27000 or NIST 800-53 standards would be proper.
If the CCPA applies to your organization, compliance will most likely be an enterprise-wide project. Input will be needed from legal experts, process engineers, business analysts, IT/Security engineers, and outside consultants. The requirements are not easy to meet. The cost of non-compliance will be high and, unlike their customers, privacy is not something that those who are non-compliant can count on.