As California goes, so does the rest of the country. While the California Consumer Privacy Act (CCPA), which was passed this summer and goes into effect in 2020, falls short of being an “American GDPR,” it clearly tore many pages from the far-reaching European data privacy law. Similar to the GDPR, the CCPA defines personal identifying information rather broadly, encompassing not just names and Social Security Numbers but things like IP addresses and browser cookies.

As the Feds Drag Their Feet, States Press On

Unlike the GDPR, the CCPA is not a national data privacy law. It applies only to residents of California, and only when they are physically present in California. If a California resident shares their data while on vacation in Florida, the CCPA does not apply. However, the state is an economic juggernaut that exerts influence far beyond its own borders. California is home to 12% of the U.S. population and is the world’s fifth-largest economy, surpassing the United Kingdom.

Additionally, the CCPA was passed in an era where massive data breaches occur daily, and consumers are growing increasingly concerned about what data companies are collecting on them, why, and what is being done with it. Nearly three-quarters of internet-using U.S. households have data privacy and security concerns, and at least one-third have been deterred from certain online activities due to these fears. The federal government has been slow to act on data privacy, so states have taken matters into their own hands. The CCPA, along with the GDPR, prompted a flurry of new and amended state-level data privacy legislation in 2018. All 50 U.S. states, along with Washington, D.C., Puerto Rico, the U.S. Virgin Islands. and Guam, now have data breach notification laws on the books.

If a patchwork quilt of state-level laws with varying requirements sounds like a data privacy compliance nightmare, consider this: It turns out California was only getting started with the CCPA. In September, it became the first state to pass a cyber security law specifically regulating IoT devices, requiring that all manufacturers of smart devices located in California, or those who have devices manufactured on their behalf for sale in California, equip their devices with “reasonable” security features.

Consumer anger over data privacy violations and organizational hand-wringing over the logistics of complying with dozens of different state laws (in addition to the GDPR, HIPAA, PCI DSS, and other mandates) appear to have finally lit a fire under the feds’ feet. In a September 26 Congressional hearing on data privacy, every member of the Senate Commerce Committee, Democrat and Republican, agreed with six major tech and telecom companies that a federal data privacy framework is needed. NIST has launched a collaborative project to develop a voluntary privacy framework, and in a separate project, the NTIA has published a request for public comment in the Federal Register on a set of data privacy principles to inform a domestic legal and policy approach to consumer data privacy.

Complying with Today’s Data Privacy Laws — and Tomorrow’s

Good data privacy is good business. When designing and implementing data privacy protocols and procedures, organizations shouldn’t try to skate by on the minimum requirements; look to go beyond them. Best practices to follow include:

* Develop and maintain clear, concise data governance, security, and privacy policies and procedures, and put them in writing. Because legislation, technology, and the cyber threat environment are in constant flux, periodically review your organization’s policies and procedures and update them as necessary.

* Practice proactive cyber security principles. Most data breaches and other cyber attacks can be prevented.
Practice minimal data collection and storage. If you don’t absolutely need a piece of information about a customer or an employee, do not collect it.

* Develop clear, written processes and procedures to handle customer inquiries regarding their data, such as requests to opt out of data collection or data sharing.

* Build an organizational culture of security and privacy from the top down. Ensure that all employees are properly and continuously trained on data security, governance, privacy, and compliance.

* Develop a comprehensive incident response plan, including a data breach notification protocol.

* Don’t rely on spreadsheets or other manual processes for data security, governance, risk management, and compliance. Use a GRC automation solution.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.