Last year, the world watched as major companies were impacted by the General Data Protection Regulation (GDPR). British Airways was fined USD 230 million after hackers stole the personal and payment information of over 500,000 customers. Hotel giant Marriott was fined USD 124 million after purchasing another hotel chain whose network was not secured, resulting in the loss of data related to 500 million customers. And, of course, US Equifax was fined USD 575 million after it failed to install patches which led to customer data loss. These companies are not alone: They are simply examples of what can happen when companies are not in compliance with GDPR.
What is CCPA?
Now, however, companies have even more to worry about. The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This state-level law took its lead from the GDPR. It recognizes that people have rights with respect to how and when their data is used. They can:
- Know when their data is being collected,
- know how their data will be used,
- say no to the sale of their data,
- access their data, and
- request data deletion.
Like GDPR, it is also boundary-less, meaning that it applies to any business that processes or stores the data of California's citizens, regardless of where that company is located.
What Will CCPA Mean to Businesses?
Beginning July 1, 2020, the Attorney General of California may begin enforcing the CCPA. This means that companies that process or store the data of California citizens must comply with the regulation, or they may face consequences and fines.
71% of companies expect to spend more than USD 100,000 on compliance preparations. This includes the cost of:
- lawyers to interpret the law and its requirements,
- operational changes,
- technology, such as new data monitoring or request management systems, and
- renegotiating contracts or seeking new vendors.
Of course, despite the costs of compliance, taking action is important. Businesses that do not comply with CCPA may face fines of up to USD 7,500 per violation. On top of this, negative publicity is also a risk for businesses that do not put measures in place to keep customers safe.
As increased focus is placed on data privacy and protection, various trends are beginning to unfold throughout the industry.
Data Privacy Trends 2020
In 2020, I expect that there will be an increase in:
Cybercrime awareness. Awareness is two-fold. First, as headlines tell tales about lost data and careless businesses, consumers are beginning to recognize the value that their data has. They are becoming more knowledgeable about their rights and what should be expected by businesses. Second, security-related training will increase for employees, helping to make them more aware of the dangers that exist and what to do when an incident is encountered.
Privacy by design skills. Incorporating security thinking and understanding into the full life cycle will be critical for companies looking to avoid fines. From design to implementation, the user and his/her privacy will be considered. Of course, this means that developers and architects will need to work with security professionals – or gain the expertise on their own – to ensure that best practices are followed.
Compliance and prevention spending. Storing and processing data in a way that is compliant will mean that companies must invest. Systems to track and record consumer data-related requests; security incidents and their resolution; and policy documents will be needed. As mentioned above, spending will also be necessary to provide training and hire additional security personnel.
In the end, it will be interesting to watch how data protection laws develop in the United States. While CCPA is the most far-reaching law at the moment, other states have also passed data regulation laws. It will become challenging for businesses to navigate the varied aspects of each, so I expect that in time a federal law will override each of these. In the meantime, be sure to heed the lessons learned from the GDPR rollout: Avoid fines by being prepared and managing data privacy in your company.