What the California Consumer Privacy Act (CCPA) and Similar Regulations Mean for You: Addressing IBM i Data Privacy – Part 1
This article on the California Consumer Privacy Act (CCPA) was originally published in Enterprise Tech Journal. Part one of this two-part post focuses on an overview of the CCPA regulations and the responsibility of IT departments when handling data privacy regulations.
The California Consumer Privacy Act (CCPA) gives California residents numerous data privacy rights while penalizing organizations that are in violation. The law, which takes effect on January 1, 2020, groups these rights into five general categories:
- The right to know what information is being collected
- The right to know how personal information is being used
- The right to opt out of the sale of one’s personal information
- The right to access a copy of one’s personal information
- The right to not be discriminated against by organizations when one exercises one’s privacy rights
In addition to the above, CCPA puts pressure on organizations to protect California residents from having their personal data exposed by a data breach.
Thousands of organizations worldwide are affected by CCPA. That’s because, regardless of whether the company is located in California, compliance will be required as long as it meets one or more of the following criteria:
- Annual revenue is greater than $25 million and the organization stores/processes data about California residents
- 50% of annual revenue comes from selling information about California residents
- Personal information is collected or purchased that affects 50,000 or more California residents
Comparing CCPA with GDPR
Many businesses affected by CCPA recently made large investments to get systems and processes in place to comply with the European Union’s General Data Protection Regulation (GDPR) privacy laws. Fortunately, that investment should help those same organizations meet CCPA requirements as both regulations give individuals fairly similar data privacy rights. A detailed comparison of the two laws can be found in numerous articles that a web search will provide.
Like GDPR, CCPA mandates that data about individuals be protected against a breach, and it gives individuals the right to sue for damages should a breach expose their data when that data wasn’t encrypted or otherwise made unreadable. In addition to fines for noncompliance, the cost of these suits could be massive for an organization should thousands or millions of individuals be affected.
California: a legal bellwether for tech legislation
As the most populous state in the U.S. and the world’s fifth largest economy, it’s not unusual for California to be at the forefront of tech-related legislation that eventually triggers similar laws in other parts of the country. In 2002, California enacted the first data breach notification law, which was soon followed by 45 other states enacting similar legislation. With CCPA on the books, data privacy legislation is now pending in New York, Massachusetts, and Rhode Island, and other states are likely to follow. The possibility also exists that some sort of data privacy legislation might be enacted in the U.S. at the national level. Regardless of whether your organization needs to comply with CCPA or not, one or more data privacy regulations are likely to come your way. That’s why the time to prepare is now.
Data Privacy Regulations and the Responsibility of IT Departments
For IT departments that need to comply with CCPA or any other data privacy regulation, there are typically two primary requirements that must be met: 1) have data management and reporting technologies/processes in place that make it possible for staff to efficiently fulfill consumer requests, and 2) have sufficient data security technologies/processes in place to prevent a breach, and should a breach occur, obscure any sensitive data.
Data management and reporting technologies/processes for request fulfillment
Data privacy regulations make it critical that organizations are able to identify all of the ways in which they collect, use, sell, and share personal information. Remember, CCPA gives individuals the right to know the data that is collected about them, know how that data is used or sold, receive a copy of that information, and have that information deleted upon request. To meet these requirements, an organization must efficiently respond to these requests, which means having sound data management systems and processes. And if your enterprise uses service providers to store or process this data, your compliance efforts must also extend to these entities.
Security technologies/processes for preventing breaches and obscuring data
As if organizations needed another one, CCPA stacks on yet another reason why it’s critical to properly secure data from unauthorized access. In addition to preventing a breach that could expose personal data, it’s equally critical that sensitive data is obscured, i.e., made unreadable through encryption or another technology, so that it remains protected should a hacking incident occur.
Check back for part 2, where we cover the protection of IBM i data.
To learn more about how to ensure that your IBM i installation is ready for CCPA, please download our ebook on CCPA and IBM i Data Privacy.