The topic of compliance is on the top of the list for every organization today. Whether it’s CCPA, GDPR, NYCRR, HIPAA or a host of other acronyms, every industry is responsible with adhering and proving some form of compliance to privacy regulations.
But just because you meet compliance standards of one law doesn’t mean you meet compliance of another. At RSA 2019, a panel of privacy executives pointed out that many organizations who have met other compliance standards may have a rude awakening come January 2020 when the California Consumer Privacy Act (CCPA) takes effect. Considered to be the most restrictive privacy law in the U.S., CCPA has its own set of terms and expectations that are unmatched by other compliance standards, including the much touted GDPR.
Ruby Zefo, chief privacy officer at Uber, advised businesses to start prepping now for CCPA compliance and not just “wait and see what happens” when 2020 rolls around.
Kalinda Raina, senior director and head of global privacy at LinkedIn agreed with that sentiment saying, “If you’re have not already started, now is the time.”
There are a lot of differences between CCPA and GDPR, including references to protecting “household data” in addition to individual data. The added confusion about the interpretation of CCPA’s terms and objectives is also making it more difficult to ensure full compliance.
Many states across the U.S. are using GDPR as a template for drafting their own privacy laws. As of January 2019, at least 24 states had laws that address data security practices of private sector entities. Most of these data security laws require businesses that own, license, or maintain personal information about a resident of that state to implement and maintain “reasonable security procedures and practices” appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
No two states are implementing the same data privacy laws, which can give privacy professionals and the ISO’s a bit of a headache.
Raina said, “The challenge for anyone working in this space is to figure out what that ‘highest bar’ is and how you will comply with it and then to figure out those differences … and how are you going to operationalize that on a global scale.”
She went on to say that with different privacy laws for different institutions, individuals, businesses, and now states it seems time for a federal privacy law to supersede and incorporate all these other state laws.
To ensure you don’t have a rude awakening in January 2020, it’s time for you to learn more about how CCPA effects your business. Here are some resources to help you understand and comply with CCPA requirements: