The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and enforcement is set to get underway in July. As businesses scramble to put compliant practices into place, some have asked for a delay in enforcement due to the pandemic. The National Law Review reports that California Attorney General Xavier Becerra will not delay enforcement, so ready or not, enforcement is coming.
The virus outbreak has significantly disrupted business operations, putting an enormous amount of pressure on companies, particularly IT departments. Millions are working from home, stretching IT resources with requests for support and access to company resources. So, what’s the best way to address the CCPA issue in this situation, with enforcement on the horizon?
Fortunately, we have a blueprint that sheds some light on what CCPA compliance will require: the European Union’s General Data Protection Regulation (GDPR). GDPR went into effect about two years ago. It was the first sweeping data privacy regulation that set rigorous standards for transparency and accountability, and it has many similarities to CCPA, as well as some differences.
Understanding CCPA obligations
The first step in preparing for CCPA is to understand your company’s obligations under the law. Sometimes called “GDPR Lite,” CCPA is less stringent than GDPR, but both regulations focus on data privacy, consumer rights and company accountability. And while the laws were passed in California and the EU respectively, they apply to any company that has customers in those regions.
CCPA creates new rights for consumers related to “the access to, deletion of, and sharing of personal information that is collected by a business.” In practical terms for businesses, this means the company has to control access to data and create an audit trail to provide proof of compliance. For products that retain data, companies need to define a timeframe, which will vary by industry.
The GDPR implementation experience suggests that developing transparent privacy policies and creating pathways to provide customer access to collected, shared or sold information upon demand can be a lengthy and expensive process. The good news is that since many companies have already found data security solutions that help them achieve GDPR compliance, they can leverage those same solutions to help them achieve CCPA compliance.
Using technology to achieve CCPA compliance
At their core, GDPR and CCPA (and the other data privacy regulations that will almost certainly be enacted in the coming years) require companies to regulate who has access to data, what access they have, when they have it and more. Technology plays a key role in giving companies that capability, so companies will need to deploy and/or augment existing technology to achieve regulatory compliance.
When evaluating technology that is available on the market for this purpose, it makes sense to look for a solution that combines robust data protection capabilities with easy installation, maintenance and use, and low total cost of ownership. Depending on the company’s architecture and IT resources, privileged access management technology may be needed in a cloud environment and/or in on-premises systems.
Technology with an agentless architecture can reduce IT’s burden, both in the deployment process and in future network and system updates. Privileged access management technology with a lightweight architecture that is simple to deploy and doesn’t require extensive maintenance or system changes is also important. One lesson from GDPR is that technology that does not unduly tax limited IT resources or burden busy teams significantly improves compliance.
Another lesson from the GDPR experience is that IT leaders need to be able to set the rules and enforce privacy policies for administrators and employees worldwide. Privileged access management technology that provides system administrator access to all eligible data through a single gateway with single sign-on delivers this level of control. Strong access management functions that define and enforce a single point of privileged access, a password vault feature that secures and rotates login credentials, and a session management function that generates detailed reports are all critical for compliance.
It’s important to note that every company should study the new rules carefully and fully understand its obligations under CCPA. Rules may vary according to industry. Also keep in mind that the rules may evolve over time. But the GDPR experience offers an instructive example. Companies that find a solution that has been tested under GDPR and fulfills the more stringent data access control and accountability requirements set out by the EU will be ahead of the curve for CCPA compliance.