In the Boardroom: How to Sell Your Need for GRC Tech
Let’s dive into what GRC software is and why it’s a must-have going forward.
When the General Data Protection Regulation, or GDPR, was passed in the EU back in 2016, many observers believed the United States would soon pass a similar law of its own.
They were right; it just took a little longer than expected.
It wasn’t until June 28, 2018—a month after the GDPR officially went into effect—that the United States started playing catch-up with legislation. That measure took the form of the California Consumer Privacy Act (CCPA), a digital privacy law designed to help consumers better understand and control the spread of their personal information online.
When the CCPA officially goes into effect in January 2020, it will create the most significant and stringent regime overseeing the data collection practices of technology companies in the United States. It will also broaden the definition of what constitutes personal information, and give California consumers the right to prohibit the sale of personal data to third parties or to opt out of sharing it altogether.
The political impetus behind the law’s passage comes largely from major privacy scandals that have become headline news in recent years. These include the Cambridge Analytica incident involving Facebook user data, as well as large breaches at companies including Target, Equifax, and Marriott.
Interestingly, the law was widely seen as the lesser of two evils. The public outcry over data protection practices rallied support for a citizen-driven privacy ballot initiative that would have instituted even stricter laws on companies, assuming its passage by popular vote. In a quirk of California lawmaking, ballot initiatives are much harder to amend after becoming law, which is why lawmakers were eager to push through a bill of their own. The bill went from drafting to passing unopposed in just a week.
The CCPA grants consumers four basic rights:
“Personal information” is where the law gets expansive, and a bit blurry. In general, it is defined as information that can be used to identify a particular individual. According to the law, this can include personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might make about the consumer. It also provides a non-exhaustive list of examples, including “[a]udio, electronic, visual, thermal, olfactory, or similar information” as well as browsing histories, purchase orders, and education information.
Most of them.
The CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and any one of the following:
Have annual gross revenues in excess of $25 million
Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis
Derive 50 percent or more of their annual revenues from selling California residents’ personal information
The law technically applies only to California residents, but it will most likely have much broader implications. Given California’s size and economic stature and the interconnected nature of global internet commerce, the law will apply to a vast number of companies around the world. Most major companies that deal in consumer data, from retailers to cellular network providers to internet companies, have some Californian customers. Thus the law has the potential to threaten established business models throughout the digital sector.
Most notably, companies that generate revenue from targeted advertising over internet platforms—such as Facebook, Twitter, and Google—must allow California residents to delete their data or bring it with them to alternative service providers. This restriction could extend to internet service providers such as AT&T and Verizon, which collect web browsing data and could try to use it to lure digital advertising dollars.
Some business models are at even greater risk. Data brokers such as Acxiom, Epsilon, Experian, and Oracle, for example, generate profits by collecting large quantities of data on individual consumers and selling it to third parties, such as ad networks, marketers, retailers, or any other type of interested business. These practices will be directly threatened by the law’s provisions.
Threatened companies will have two main options: either reform their global data protection and data rights infrastructures to comply with the law, or institute a patchwork data collection system in which Californians are treated one way and everyone else another. Practically speaking, given the inherent difficulty of offering a different website experience to residents of a specific state, the overwhelming majority of US companies with an online presence will need to comply.
The law stipulates that penalties will be meted out in two ways. The civil penalty for intentional violations of the Act is up to $7,500 per violation, to be enforced by the California Attorney General and subject to a thirty-day cure period.
The law also makes it easier for consumers to sue companies after a data breach, either individually or as a class. Statutory damages can be between $100 and $750 per California resident per incident, or actual damages, whichever is greater.
Multiply these figures across millions upon millions of consumers, and the damages add up quickly.
In spirit, the CCPA is very similar to the GDPR. Both emphasize broad themes such as access and transparency, apply to companies located outside their borders, and require companies to expend a great deal of effort and resources to achieve compliance.
However, the CCPA is a more limited law than the GDPR. While the CCPA is primarily concerned with consumer privacy rights and disclosures made to consumers, the GDPR extends to procedures for data breach notifications to individuals and regulators, data security implementation, cross-border data transfers, and more.
Even with these limitations, it’s a giant step for the United States, where few such laws exist. The California Consumer Privacy Act has the opportunity to become the privacy template for the rest of the nation, and potentially even spur Congress to consider federal legislation.
Companies not already compliant with the law will want to get their affairs in order sooner rather than later. The law includes a 12-month “lookback” period for all information that needs to be provided to customers, which means organizations really need to know what is happening with personal data dating back to January 2019. At a minimum, organizations should have a solid grip on what data they are collecting, how it is being used, and with whom it is being shared.
Becoming compliant with CCPA begins by taking a holistic look at your risk and compliance program, and addressing those areas where you may fall short. LogicGate’s Third Party Risk Management solution can help you get a handle on what personal data is being shared with or handled by outside companies and what measures they are taking to protect it, while Policy Management can help with formal documentation and communication of data management and security practices within your own organization. Finally, the LogicGate Compliance Management solution can assist with performing readiness assessments as you prepare for the new regulation.
For more on Europe's version of the CCPA, check out LogicGate's eBook below on GDPR Compliance.