California has finally taken steps to regulate Big Tech’s collection and handling of personal data. The new laws, implemented this year in response to recent major incidents in which Facebook or Google analytics leaked information from users’ accounts without consent, among other things, grant those who live within the state more control over how these companies use their private information, and provide them with appropriate tools so that any request for deletion can be met quickly and without delay.
Who needs to comply?
The California Consumer Privacy Act is a new law that will regulate how businesses handle user data.
The purpose of this act, as stated on the website of the CCPA’s creators in 2020 (the year it was passed), “is to provide clarity and greater control over one’s personal information.”
The intent, which makes sense, is to give people who live in California, or who do business with companies there, more say over what happens with their private information.
The new laws, which came into effect on May 25th, 2018, carry stronger penalties for organizations that fail to comply with them. The GDPR applied only within the European Union, but now all companies operating globally must be compliant, including those based in California.
The stricter risk assessment criteria mean there is more at stake should an individual decide that their rights as a consumer outweigh any financial gain from obtaining their personal information; you cannot simply sell somebody something without knowing what they are going to use it for.
The following companies must be CCPA compliant:
- Companies with annual gross revenue in excess of $25 million.
- Companies that are major players in their industry and purchase, sell, or share the personal information of 50 thousand people.
- Companies that generate at least 50% of their annual revenue from selling personal information.
This means that if you collect personal information and meet at least one of these criteria, the act applies to you. As a company or an individual holding this data, whether within the European Union or another region, it is your responsibility to let people know what you are doing with it so there are no surprises down the road.
What happens if you violate this compliance?
If you are a business in California and have been contacted by the state’s Consumer Protections Agency, it is important that your organization respond promptly with all necessary information. The new CCPA allows consumers up to 45 days after notification for violations to be verified; otherwise they may seek penalties amounting to $7 thousand per instance.
Additionally, if there has been an unauthorized intrusion, individuals can assert their own private right of action against liable parties, which includes recovering damages at least equivalent to the value spent on security measures, as well as any legal fees incurred in connection with the violation(s).
The fines for violations under GDPR are much more stringent than those imposed by the EU’s old data protection law. If you commit a gross offense, such as hacking someone else’s database or storing personal information digitally without the permission of the individuals concerned, your company could face a fine of either 4% of global annual turnover or $20 million, in addition to any other consequences attached.
Importance of CCPA for Cloud Security:
The need for data protection is a critical component of CCPA compliance, and the cybersecurity of any infrastructure storing user information should be considered.
Poor authorization controls could result in severe penalties, so it is imperative that organizations implement better security measures to avoid fines or other consequences under this act.
The wording leaves room for interpretation of what “reasonable” means; however, organizations must still follow these regulations, just like everyone else who deals with sensitive material.
The key to improving cybersecurity is performing a risk assessment. Organizations often do not know how, so they hire professionals who audit and inventory the infrastructure and calculate a risk analysis as input into the process of building controls; once that is done, these experts provide guidance on what needs to be implemented first.