As data breaches and identity theft continue to make headlines, Americans are more concerned than ever about the privacy and security of their personally identifiable information (PII). According to the Identity Theft Resource Center, more than 446 million consumer records containing sensitive PII were exposed in data breaches in 2018, an increase of 126 percent over the previous year. A survey conducted by Pew Research found that 91 percent of Americans “agree” or “strongly agree” that people have lost control over how their personal information is collected and used by all kinds of entities, and a full 83 percent want the government to impose stricter regulations to protect their data privacy.
One of the first significant efforts to do just that has been enacted in California. The California Consumer Privacy Act (CCPA) was signed into law in June 2018, amended in September 2018, and goes into effect on January 1, 2020. Modeled in many ways on the European Union’s General Data Protection Regulation (GDPR), the CCPA is designed to give consumers more rights over how their personal information is gathered, shared, sold and protected by the organisations they do business with. The law sets a precedent that will likely spread to the rest of the nation, so it is worth taking a closer look at how it will affect businesses and what they can do to ease compliance.
What Does the CCPA Do?
Much like the GDPR, the CCPA aims to give consumers greater control over how their personal information is collected and used. The CCPA defines personal information broadly as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This can include social security numbers, driver’s license numbers, payment card data, account numbers, home addresses, birthdates and even purchase histories.
Specifically, the CCPA gives California residents the right to request that a business disclose the personal information it has collected about them and the third parties to whom the business sells or with whom it shares that information; the right to opt out of the sale of their personal information; the right to have the business delete the personal information it has collected on them; and the right not to be discriminated against (for example through a different price or level of service) for exercising any of these rights.
Who Must Comply with CCPA?
Businesses should not assume that the law does not apply to them because they are located outside California. The CCPA applies to any for-profit entity that does business in California, collects the personal information of California residents and determines the purposes and means of processing it. A physical presence in the state is not required: if you sell to California residents, the CCPA may apply. Specifically, if your business meets any one of the following criteria, you must comply with the regulation beginning January 1, 2020:
- If your business generates annual gross revenue in excess of $25 million
- If your business annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices
- If your business derives at least 50 percent of its annual revenue from selling the personal information of California residents
Consequences for Noncompliance
Businesses that fail to comply with the CCPA are subject to civil penalties, enforced by the California Attorney General, of up to $2,500 per violation and $7,500 per intentional violation. Perhaps more importantly, the law also gives California residents a private right of action if their nonencrypted and nonredacted personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure” as a result of the organisation’s failure to implement and maintain reasonable security procedures and practices, with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) after a 30-day written notice and cure period. Two practical points follow. First, the private right of action only reaches data that is neither encrypted nor redacted, so encrypting stored PII and minimising what is retained directly shrink the exposure. Second, “reasonable security” is judged after an incident, so the controls have to exist and be documented before one occurs. With such significant consequences at stake, businesses must begin preparing now.
Proposed Changes to the Legislation
On April 4, 2019, a proposed amendment to the existing legislation was made by the California Assembly, which, if passed, could result in sweeping changes to the bill, making it substantially stricter and more similar to the GDPR, and pushing out the date the legislation goes into effect until January 1, 2021. Other proposed changes could come about as well, which the California Assembly will need to pass, and the governor will need to sign. We’ll continue to monitor these changes and will make every effort to update this section as new developments arise.
What Businesses Can Do to be Ready for January 1, 2020
Even if you’re one of the many businesses that has already had to comply with the GDPR, you’ll find that the CCPA requires some additional measures, for example the “Do Not Sell My Personal Information” link that implements the opt-out right and has no GDPR equivalent. And if you’re just beginning your compliance initiatives, you’ve come to the right place. Businesses should begin by revisiting their privacy policies and internal processes for collecting, processing and storing consumer data. Start by mapping all the PII your organisation collects and every location where it is stored. Create a data flow map covering all the ways your organisation obtains consumer PII, the types of PII you collect and share, the parties with whom you share it, the processes and technologies used to retain and secure that data, and your current data disposal practices.
Ultimately, the best way to ease compliance in any organisation is to reduce the scope. Treat all consumer PII as toxic by keeping as much of it as possible out of the business infrastructure and areas of the network where it is not necessary. Take, for example, an organisation’s contact centre. As the central hub for all customer interactions, the contact centre handles a wealth of consumer PII – from names, addresses and birthdates, to account numbers and payment card data. Businesses can reduce the scope of compliance and mitigate their risk of a data breach by using dual-tone multi-frequency (DTMF) masking, which ensures that consumers’ sensitive payment card information is never processed or stored in the contact centre’s network infrastructure.
With DTMF masking, a consumer calling a contact centre to pay a bill, for example, enters their payment card number on the telephone keypad rather than reading it aloud to the customer service representative (CSR). The keypad (DTMF) tones are replaced with flat tones before the audio reaches the agent, so the digits can neither be heard by the CSR, who could otherwise write them down for later fraudulent purchases, nor captured by the call recording system. The digits themselves are routed directly to the payment processor, bypassing the contact centre’s IT systems. Two details decide whether that claim actually holds: the masking must sit upstream of every point where audio is heard or recorded (at the carrier, session border controller or telephony gateway, not on the agent desktop), and the card data must travel to the processor over a separate channel, so that neither the agent, the recorder nor the recording archive ever receives an unmasked frame. By no longer handling, processing or storing the payment data, businesses reduce the scope of their CCPA obligations for that data.
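The mechanism described above, reduced to a runnable toy: the following is an added example written for this page, not code from the original article or from any DTMF masking product. It assumes 8 kHz mono audio as Python floats, detects keypad tones with the Goertzel algorithm, swaps every frame that carries a digit for a flat 400 Hz tone before the audio continues to the agent and recorder, and emits the digits on a separate channel that would go to the payment processor. The threshold, frame size, masking frequency and the constructed keypad entry (Visa’s well-known test number 4111 1111 1111 1111) are all assumptions for the example.

```python
"""Toy DTMF masking pipeline (added example, not vendor code).

Audio is 8 kHz mono, samples as Python floats in [-1, 1]. Keypad digits are
detected with the Goertzel algorithm, the frames that contain them are replaced
with a single flat tone before the audio goes on to the agent and the call
recorder, and the digits themselves are emitted on a separate channel that
would be handed to the payment processor.
"""
import math

SAMPLE_RATE = 8000                     # narrowband telephony
FRAME = 160                            # 20 ms analysis frame
LOW_FREQS = (697, 770, 852, 941)       # DTMF row (low) group
HIGH_FREQS = (1209, 1336, 1477, 1633)  # DTMF column (high) group
KEYPAD = ("123A", "456B", "789C", "*0#D")
MASK_FREQ = 400                        # assumption: flat tone far from every DTMF frequency
POWER_THRESHOLD = 200.0                # assumption: tuned for 0.5-amplitude tones, 160-sample frames


def tone(freqs, n, amp=0.5):
    """n samples of the sum of sinusoids at freqs, each with amplitude amp."""
    return [amp * sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf_digit_audio(digit, on=640, off=320):
    """One key press: 80 ms of the digit's tone pair followed by 40 ms of silence."""
    for row, keys in enumerate(KEYPAD):
        if digit in keys:
            pair = (LOW_FREQS[row], HIGH_FREQS[keys.index(digit)])
            return tone(pair, on) + [0.0] * off
    raise ValueError(f"not a DTMF key: {digit!r}")


def keypad_entry(digits):
    """Constructed caller-side audio for a sequence of key presses."""
    audio = []
    for d in digits:
        audio += dtmf_digit_audio(d)
    return audio


def goertzel_power(frame, freq):
    """|DFT of frame at freq|^2, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame):
    """The DTMF key present in a frame, or None if no row+column pair is strong enough."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    if low[row] < POWER_THRESHOLD or high[col] < POWER_THRESHOLD:
        return None
    return KEYPAD[row][col]


def frame_digits(samples):
    """Yield (frame, detected digit or None); a trailing partial frame is dropped."""
    for start in range(0, len(samples) - len(samples) % FRAME, FRAME):
        frame = samples[start:start + FRAME]
        yield frame, detect_digit(frame)


def decode_dtmf(samples):
    """What a call recorder that transcribes keypad tones would recover from this audio."""
    digits, previous = [], None
    for _, digit in frame_digits(samples):
        if digit is not None and digit != previous:   # silence between presses resets this
            digits.append(digit)
        previous = digit
    return "".join(digits)


def mask_dtmf(samples):
    """Split a call into (audio for the agent/recorder, digits for the payment channel)."""
    flat = tone((MASK_FREQ,), FRAME)
    masked = []
    for frame, digit in frame_digits(samples):
        masked += flat if digit is not None else frame
    return masked, decode_dtmf(samples)


if __name__ == "__main__":
    # Constructed input: Visa's well-known test number, typed on the keypad.
    caller_audio = keypad_entry("4111111111111111")
    agent_audio, payment_digits = mask_dtmf(caller_audio)
    print("payment channel:", payment_digits)                               # 4111111111111111
    print("recoverable from agent audio:", repr(decode_dtmf(agent_audio)))  # ''
```

Running `decode_dtmf` over the masked audio is the check a practitioner should actually perform against a real deployment: pull a recording from the archive and confirm that nothing downstream of the masking point can recover the PAN. The toy skips the twist, guard-time and signal-to-noise tolerances a production detector needs (see ITU-T Q.24) and assumes frames align with key presses; what it does show is that the digits only ever exist on the separate channel, which is the property the CCPA argument in the text depends on.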
By reducing the amount and type of data on hand that is subject to the CCPA, businesses can also dramatically reduce the cost and complexity of meeting and maintaining compliance. Most importantly, it makes the organisation’s contact centre a much less attractive target for attackers, reducing the risk of a potentially reputation-damaging data breach.
The CCPA is a great step in the right direction when it comes to better protecting U.S. consumers’ privacy and sensitive data. As organisations prepare, they will find that many of the processes and controls they already have in place for GDPR compliance, such as descoping technologies, will help streamline cross-compliance with the CCPA. Ultimately, businesses should welcome this new law, as it will help them mitigate the risk of data breaches and strengthen their data security processes, both of which help an organisation better protect its customers and its brand reputation.