Businesses be aware: if you’re located in California or work with customers from California, a new privacy act similar to the GDPR is coming for you. This gives you just 14 months to analyze your current processes and ensure you’ll be in full compliance by January 1, 2020.
A new privacy act for California businesses
Passed by California legislature on June 28th, 2018, the California Consumer Privacy Act (CCPA) aims to crack down on how organizations handle, collect, store, and sell the personal data of California residents.
And it couldn’t come at a better time. Recent data breaches and insecure handling of personal data have led to an increase in the exposure of personal records across the United States (for example, the Facebook/Cambridge Analytica scandal in March). Public awareness of these vulnerabilities is increasing … and consumers are becoming restless.
What does the CCPA entail?
The CCPA strives to give the public control over their information by putting strict rules in place for organizations. Part of the legislature will grant consumers the right to:
- Request a list of the data that’s been collected about them
- Understand why that data was collected
- Know if that data is being sold to third parties
- Know which third parties have their data
- Withdraw consent to having their information sold
Organizations will also need to be proactive by disclosing upfront what information they collect, why they collect it, and if they’ll sell it—allowing a customer to decide if they want to complete a transaction before their information is processed. And if a customer asks for their data to be deleted, organizations will need to follow through (within reason) and pass on the request to any third parties who also have that information.
What is the definition of personal information? The CCPA is taking a broad look at "personal data." If you store any of the following data, you’ll need to disclose it: identifiers (unique and online identifiers), commercial information (records of purchases or purchasing tendencies), biometric information, internet activity (browsing history), geolocation data, professional or employment information, and many others.
Who needs to comply?
Not every business needs to comply with the CCPA—yet. As of 2018, only organizations that make more than $25 million in annual gross income; buy, receive, sell, or share the data of over 50,000 customers or devices; or derive over 50% of their yearly revenue from selling personal data will be expected to comply by January 2020.
However, it isn’t just California that needs to be aware of CCPA. Businesses outside of California that buy, receive, sell, or share the information of California residents must also follow CCPA requirements.
And even if you don’t have California customers, you’re not off the hook. Industry experts predict other states will follow suit, creating legislation similar to the CCPA, in coming years.
The penalty for non-compliance
What’s the kickback for non-compliance in January 2020? Currently, organizations who fail to meet requirements for CCPA will be fined $7,500 per intentional violation. Organizations found non-compliant but "lacking intent" will only be fined $2,500 per violation.
While this may seem like small pennies to some companies, it’s worth noting that monetary fines aren’t the only fallout seen in organizations that don’t ensure full compliance. Consumer unhappiness, distrust, and lost business can also hurt a bottom line. Furthermore, while initial penalties are enforced by California’s state attorney general, customers are still allowed to pursue private action—so the overall cost spent on non-compliance could be higher.
Move toward CCPA compliance with secure file transfers
While the CCPA doesn’t put particular requirements in place to ensure strict cybersecurity practices across an organization, IT teams are still expected to provide easily-accessible data in a "readily usable format" that’s transferred to consumers when asked. Penalties are also stricter for unauthorized access to personal data. Improperly encrypted information and poor user and role management is no longer acceptable.
According to Security Now, "the CCPA expressly paves the way for the right of natural persons to bring lawsuits for the breach of their ‘nonencrypted or nonredacted personal information’ -- even in the absence of evidence of actual damage." For organizations who want to get ahead of this and ensure all data is encrypted and protected from seen and unseen vulnerabilities, secure file transfers may be part of the solution.
If you aren’t already securing your file transfers, GoAnywhere MFT can help. GoAnywhere is an enterprise managed file transfer software that centralizes an organization’s file transfers, audit logs, user management, encryption processes, administration, security settings, and collaboration tools.
From a single interface, IT teams can ensure 100% of file transfers are protected at rest and in transit with trading partners, vendors, external networks, and cloud environments. So whether a consumer asks for their data to be securely transferred to them under the California Consumer Privacy Act or you just need a streamlined way to keep personal information protected from unauthorized access, GoAnywhere can work with you to meet your organization’s file transfer requirements.
Get the Guidance You Need to Develop an Encryption Strategy
Data breaches represent a growing epidemic. "Defending Against Data Breach: Developing the Right Strategy for Data Encryption" offers recommendations on how to encrypt, monitor, and audit the access of sensitive data.