The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives consumers control over what data is collected, processed, shared, or sold by companies doing business in California. I recently chatted with my friends and colleagues Dave Littman from TruthInIT and Steve Catanzano, Senior Consultant at ESG.
You can find our video chat here.
Focusing on the impact of this act on companies' infrastructure, their storage, their data protection, and their archiving, it is clear that this is a regulation that forces companies to really start thinking more about their data and reusing that data as well.
In the video, Stephen Catanzano explains, "Data reuse is important. Things like encryption, data masking, all these tools that exist today are tools that companies need to start taking very seriously to protect consumers' data. And this should have a major impact on the amount of data that they store, where the data is, creating a whole level of intelligence around their resources that they have in place, and making sure that they meet these compliance...
CCPA is something that is hitting home in the California market. We think it's going to extend into other markets as well. So really focusing on data management, data intelligence is going to help companies in meeting this regulation as well as being more efficient within organizations."
I add, "In order to do business with California, you are going to have to be compliant. It's the fifth economy or sixth economy in the world... It's going to make it even more obvious for those organizations that do not necessarily deal in a lot of international business when it comes to the collection of data. It's very restrictive and it has some fines. I think it's $750 per incident per user. So if you have millions of consumers and you've done something wrong and you've been somehow you've exposed that data and it's considered to be non-compliant, you can do the math. It's going to be pretty, pretty bad."
So we know the players in the data protection space, in the archiving space, and in the storage space. As the technology stands right now, are those features and functions there to comply? Or is it going to be that these vendors are going to have to produce new features and functions to enable their customers to comply?
In closing, Stephen Catanzano sums this idea up: "It's vendor specific. Many of the vendors have gotten ahead of this already, especially with GDPR and they understand what tools need to be in place and what the process needs to be to comply. It's up to the customers to be using those tools effectively. And so they do exist, it is just a matter of policies and procedures that you need to put in place. One example is companies have the right or individuals will have the right to ask their data to be deleted. And that's a complicated problem. If you don't have all your data organized and you know that you can go to your primary data, your backup data, your dev/ops, storage, everything else and remove that data, then you're not in compliance with the regulations. That is when you get the fines as well. So people need to know. People can ask where the data is. They can ask how you're storing it, how are you managing, why you have it, you need to respond very quickly. And then if they say you're holding it inappropriately or you shouldn't have my data, then they can ask for it to be removed. That's a big challenge for IT."
For more information on CCPA, check out our complimentary brief.