How to make sure your business is compliant with the California Consumer Privacy Act – explained.

Information, in prehistoric times, was exchanged mostly in service of eating and running from things that could eat you. “Watch out for that bear!” was a particular favorite of our early forefathers. Following the advent of writing, information could be used to organize societies, spread entertainment, and transfer messages over distances and times. The writings of Confucius, Aristotle and Chaucer bore high school students to this day. The internet was far from the first medium capable of commoditizing information. Still, the processing power of computers vastly changed the volume and pathways by which valuable information traveled.

Never before has personal information been so abundant, both out in the open and behind closed doors, at all times. It has become a currency. Like water or electricity, it is pervasive, near-infinite, and there will never again be a time without it. However, the frequency with which that data is mishandled, misused and stolen has contributed to public resentment towards corporations. Just about every adult who has been on the internet has been caught up in more than one corporate data breach, whether they realize it or not.

It’s a Kafkaesque scenario: the individual is not at fault for breaches of their data, and is equally powerless to stop them. For companies, the situation is equally dire. One data breach might not cause Google to go bankrupt, but it certainly can cause a small-to-medium-sized business to go belly-up. In fact, it’s already happened.

In response to this lose-lose situation, progressive governing bodies have stepped up to write new rules on how corporate entities may collect and traffic in user data.

The landmark legislation in this space is GDPR, the European Union’s General Data Protection Regulation, adopted in 2016 and enforced from 2018. GDPR, in simple terms, was designed to give ordinary Europeans more agency over how companies gather and handle their data. For example: companies have to report data breaches to their supervisory authority within 72 hours of becoming aware of them, they need a lawful basis (consent being the most familiar one) before processing personal information, and they have to give individuals a way to have their personal records erased from company databases (subject to certain conditions). Crucially, GDPR applies to anyone processing the data of people in the EU, not only to companies based in the EU. That means GDPR reaches just about every corner of the world, even companies in Chile, Nigeria and Japan that have to accommodate this specific demographic within their customer bases.

May 25th of last year was the day after which failure to comply with GDPR could lead to fines for companies. The results of this international experiment are still uncertain, though they can be described in a few words: messy, yet highly effective. GDPR is the data security equivalent of tossing a live grenade into a bunker.

In the months, weeks and days leading up to May 25th, citizens around Europe experienced floods of corporate emails. Often, the emails asked people to opt in to mailing lists they were already on, because they had been automatically signed up at some prior date. In a few spectacular cases, companies attempting to address GDPR ended up demonstrating their true ineptitude at data security.

Now, in the mold of GDPR, the state of California is enacting its own online security and privacy regulation. It’s called the California Consumer Privacy Act, or CCPA. CCPA, like GDPR, has two goals: granting individuals agency over their personal data, and requiring companies to better protect that data.

Under CCPA, California residents will have the right to know what personal information is being collected about them, where it comes from, and how it is used and shared. They will also hold the right to opt out of the sale of that information (for minors under 16, a business needs opt-in consent before selling it at all), to have their information deleted from corporate databases, and to seek damages should that information be exposed in a breach (say, in a hack) that resulted from a failure to maintain reasonable security practices.

For data collectors servicing California residents, CCPA will require a substantial investment in data security and transparency. For instance, the law allows residents to request a detailed account of what personal information a company holds on them, where it was collected from, for what purpose, and with whom it has been shared, and a business generally has 45 days to answer a verified request. Those companies will, therefore, need the infrastructure to actually accommodate such requests: an inventory of which systems hold personal data, a way to verify that the requester really is the person whose records are being asked for (otherwise the request process itself becomes a data-leak channel), and a process to pull, review and deliver the records on time. How many already have the ability to produce a report like that?

Data collectors constantly strive to acquire more, better information on individuals. CCPA will force them to address the consequences of this practice, by protecting those subject to it.

The deadline to comply with CCPA is January 1, 2020.

Hungry cavemen had to hunt in packs; today, people share pictures of food with other people in other parts of the world, who weren’t hungry to begin with. Stalkers who once had to comb through phone books, buy binoculars and lurk around corners can now find just about any information they’d want, in minutes, online. Furthermore, today’s companies can use digital platforms to extract previously inconceivable volumes and types of data from individuals who may or may not know what’s going on, without much in the way of rules or restrictions.

The profit motive that has driven companies to build highly sophisticated means of collecting data has not equally incentivized protecting that data, so everybody has suffered. Almost every person online today has been subject to harmful privacy infringements they were powerless to stop. At the same time, most major companies have experienced embarrassing and costly security failures.

We’re far away from a world where data is collected, stored and distributed responsibly. Recently, though, we’ve started down the right track.

About the author: 
Nathaniel Nelson writes the internationally top-ranked “Malicious Life” podcast on iTunes, hosts programs on blockchain and SCADA security, and contributes to AI and emerging tech blogs.