The European Union’s GDPR compliance mandate has radically changed the way the world thinks about data security, data privacy, and identity in the modern age. For the time being, it only affects enterprises, including enterprises based in the U.S., with customers in the EU. However, the California Consumer Privacy Act (CCPA) might change that.
What is the CCPA? How will it affect your enterprise? What do you need to do to prepare? We spoke with Cory Cowgill, Chief Technology Officer at Fusion Risk Management, for more information.
Here’s our conversation, edited slightly for readability:
Solutions Review: The California Consumer Privacy Act (CCPA) will come into effect on January 1, 2020. What are the biggest takeaways for enterprises about this new law?
Cory Cowgill: On June 28, 2018, the California Consumer Privacy Act (CCPA) was passed and signed into law by California’s Governor. With an effective date of January 1, 2020, this gives businesses that have customers in California a little over one year to be prepared to comply with these obligations.
As anyone who has been required to meet the standards of the European Union’s famous General Data Protection Regulation (GDPR) can attest—meeting these extensive privacy regulations is a very involved, detailed and, at times, confusing process. Many enterprises doing business in the EU are still working on meeting GDPR obligations, even though it went into effect this past May. The most important action that companies doing business in California can take is to start preparing immediately for CCPA. January 1, 2020, will be here before we know it. If planning doesn’t start now, organizations will be scrambling later in 2019.
SR: What is the impact of CCPA on enterprise data retention and security? How do enterprises currently handle data retention?
CC: Companies that underwent a GDPR program, and have implemented procedures and processes to meet this obligation, will be in excellent shape for the CCPA.
However, many U.S.-based companies that thought they would not be impacted by GDPR are now in the position where it will no longer be optional to comply with these privacy obligations, now that CCPA has been passed in the United States. As California is the largest state by population in the U.S., almost all businesses of scale have at least one customer there.
SR: How does CCPA compare to GDPR? Will GDPR compliance suffice for CCPA compliance? How many enterprises are ready for CCPA compliance?
CC: The CCPA has many of the same principles as GDPR. These include the right for consumers to know what data companies have on them, how that data is being used, the right to delete that data, and the obligation of the business to appropriately safeguard that data from a data breach.
GDPR was really only the first drop in what will soon be a flood of data privacy regulations in the U.S.—at both the state and federal levels—and throughout the rest of the world.
New data privacy regulations will certainly not end with CCPA.
A Janrain survey found that 69 percent of American consumers would like to see privacy laws like GDPR enacted in the U.S. When asked which of the GDPR provisions they’d most like to see enacted, 38 percent responded with the ability to control how their data is used while 39 percent favored the “right to be forgotten” rule, which allows individuals to make a written request to have their data deleted by companies that are storing it.
I would say that there are many companies out there who are not ready for CCPA. That is based on the lack of preparation among enterprises after GDPR went into effect. Organizations should take a lesson from the issues that were inherent in GDPR preparation, and work to avoid those when getting ready to comply with CCPA.
SR: What do you recommend enterprises do to prepare for CCPA?
CC: Enterprises can ensure they meet these obligations, and future privacy obligations, by investing in a risk management system to run their privacy programs. A comprehensive system will provide the scalability, consistency, and security that is required to meet these ongoing obligations. They must be able to track all elements of their preparation—who is responsible for which items, when deadlines are coming up, who is collaborating, etc. A full risk management program makes this much easier to manage and control.
One survey, conducted by law firm McDermott Will & Emery and the Ponemon Institute during the weeks leading up to GDPR going into effect, found that 40 percent of respondents said their companies would not be compliant until after the deadline, while 52 percent of respondents said their organizations would be ready by that date. The remaining eight percent said they weren’t sure when their organization would be compliant.
This is largely due to the fact that companies could not efficiently track and manage the entire process of meeting GDPR’s guidelines. Companies do not want to be similarly unprepared when CCPA goes into effect. Again, I would highly recommend starting preparations now—and doing so with a tool that keeps the process as streamlined as possible.
Thanks again to Cory Cowgill, Chief Technology Officer at Fusion Risk Management, for his time and expertise.