6 views on the impact of the pending California Consumer Privacy Act
In the past year-and-a-half, companies in the United States have watched as their European colleagues have adjusted to the impacts of the General Data Protection Regulation. Starting January 1, 2020, organizations headquartered in and doing business within California will fall under a similar law, the California Consumer Privacy Act (CCPA).
Although advocates of the new law say it will be great for protecting the data privacy of consumers, many companies under its jurisdiction may have to make significant changes to their data management practices in order to meet the new requirements.
Information Management spoke with several executives with knowledge of the new law for their take on what organizations can expect.
Great news for consumers, a mixed bag for organizations
“Although the CCPA will be good for consumers, affected companies will have to make a significant effort to implement the requirements. It will add yet another variance in the patchwork of divergent U.S. data protection laws that companies already struggle to reconcile.
“The CCPA is the first law of its kind in the U.S., and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country.
“The passage of a cohesive U.S. federal privacy law, one that will preempt state laws, is gaining momentum. It has strong bipartisan congressional support, and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. There are draft bills in circulation.
“With a new class of representatives sworn into Congress earlier this year and the CCPA effectively putting a deadline on the debate, there may finally be a national resolution to the U.S. consumer data privacy problem. However, the likelihood of it passing in the very near future is slim.
“A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law. It will take several months of negotiation among lawmakers to agree upon how the federal law would be implemented. While companies wait for the passage of a national privacy law and then for it to actually take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.”
- Wendy Foote, senior contracts manager, WhiteHat Security
The cloud adds greater challenges to CCPA compliance
“The California Consumer Privacy Act (CCPA) is set to become the gold standard in privacy, data protection and consumer protection rights in California, and maybe even the United States. It will be the first of its kind in privacy regulation within the US, similar to what the GDPR is to the European Union.
“The act allows consumers to have greater control over their data, now that data companies must comply with these new regulations. The implementation of the CCPA establishes a trend in governments evaluating and seriously considering better legislation for protecting data. It is important that all companies are committed to ensuring that personal data and privacy remain protected and used in accordance with the CCPA.
“From a cloud hosting perspective, striving to meet new compliance and privacy regulations is challenging when managing cloud infrastructures. In order to ensure you are in compliance with increasingly stringent data protection legislation, it is important that you utilize a team of professionals who can provide guidance on managing data to stay within the law.
“[For some organizations], hosting providers that have experience with GDPR and have done their due diligence around CCPA will be essential as organizations seek out the in-depth knowledge that will allow them to maximize their data usage while taking the important steps to remaining compliant.”
- Lex Boost, chief executive officer, Leaseweb USA
CCPA will be among the strictest data protection laws
“January 2020 is fast approaching and California is set to enact one of the country’s most progressive consumer data protection laws - the California Consumer Privacy Act (CCPA).
“The CCPA will require any organization conducting business in or with a California-based organization to comply with stricter data and privacy regulations.
“As more paper records become digitized into easily accessible data, complying with this new regulation will be challenging for organizations that aren’t prepared. The CCPA allows any California resident the right to access the last 12 months of data collected by an organization - and they must comply with the consumers’ request. This will prove difficult for organizations that have outsized amounts of data on paper and in physical form.
“To streamline the process, organizations will need to be efficient to become 100 percent digital with all their current and past records and offer flexibility to consumers by allowing them to view, modify or delete their data as they please.
“Organizations that have a team of digitization experts on their side who understand the technical nuances behind the CCPA will ensure that they can comply with the new regulations while operating at the same or greater level of efficiency as before.”
- Alex Fielding, chief executive officer and founder, Ripcord
Data protection best practices include storage strategies
“Data and its security are incredibly valuable to any and all organizations, and now even more so with the imminent introduction of the California Consumer Privacy Act (CCPA).
“For the best strategy to become compliant with this new regulation, a key feature of a storage solution should be data protection. Not all storage systems will protect data from integrity issues or silent data corruption. Not to mention, insufficient storage systems lack the ability to complete real-time audits for integrity checks.
“With CCPA becoming effective in the new year, it is critical to ensure that an organization's system will never overwrite an original file, and will keep the original intact so that nothing, including malware, can alter that data.
“For all organizations preparing for CCPA, seeking out storage systems that offer unmatched visibility into user activity via comprehensive audit trails, data retention, data destruction policies and more, is undoubtedly a critical change that needs to be undertaken sooner rather than later.”
- Mihir Shah, chief executive officer at StorCentric, parent company of Nexsan
Data protection should be top of mind for developers
“Following the implementation of GDPR, the California Consumer Privacy Act (CCPA) is the newest regulation expected to help organizations manage and maintain data compliance, ensuring personal information is kept safe, and not shared or sold to other organizations.
“With technology innovation growing and expanding at a rapid pace, one way IT professionals are able to abide by CCPA is by designing solutions with data protection in mind. Organizations can prepare for CCPA’s launch on Jan. 1, 2020 by setting in place an IT infrastructure that is stable and secure, with data simplicity and ease-of-use as a main focus.”
- Alan Conboy, office of the chief technology officer, Scale Computing
Analytics and reporting are key to compliance efforts
“As we approach the deadline for CCPA compliance, we should remember that a big piece to the compliance puzzle is reporting, and with today’s advancements in IT resilience solutions, reporting should no longer be the headache it once was. If it is, then you may want to reconsider the tools you’re using.
“Your analytics should be able to provide at least a 90-day history of your protected multi-site, multi-cloud environments’ health and compliance. Furthermore, you shouldn’t have to perform more than just a couple of clicks to produce a report that proves your infrastructure is resilient and protected.
“Of all the things you need to think about in your journey to become CCPA-compliant, don’t let reporting be the piece that holds you back.”
- Avi Raichel, chief information officer, Zerto