By Jason Patel, CTO, Ensighten
Most enterprises have scarcely caught their breath following last year’s GDPR go-live date in Europe, and already the drumbeat of questions around a new piece of consumer privacy legislation is picking up pace: What is the California Consumer Privacy Act (CCPA)? Does it affect us? What do we need to do to be compliant when it goes live on Jan. 1, 2020?
As with GDPR, we can expect to see a scurry within organizations in the six months leading up to CCPA’s effective date, as this complex regulation requires a number of changes when it comes to how organizations handle consumer data. But there’s a problem: Companies are not yet fully cognizant of the full spectrum of risk, when it comes to how consumer data is collected on most companies’ websites. This limited awareness amounts to blindspots, which as it stands, make it hard for organizations to knowingly, wholly comply with CCPA.
A Spotlight on Consumer Control
To understand the challenges companies will face in complying with CCPA, it’s useful to understand the overall intention of the legislation. In general, CCPA is designed to enhance privacy rights of California residents by imposing obligations on businesses that collect or share consumers’ personal data. Under CCPA:
- Businesses that collect personal data must disclose what categories of personal data are being collected, as well as the consumers’ right and means to request deletion of their collected personal data
- Businesses that share or sell personal data must:
- Disclose that they do so, as well as the consumers’ right and means to opt out of sale or sharing of their personal data.
- Upon request, disclose the information that they sold or disclosed, for what purpose, and to whom.
As you can see, CCPA requires organizations have a deep understanding of exactly how they are collecting and using consumers’ data, and that can be a challenge, especially in large enterprises. But, what’s particularly challenging is the identification of who else has access to the data collected through a company’s site—and what they’re doing with it.
Understanding Unauthorized Data Access
Under CCPA, organizations are responsible for any and all data collection that occurs via their digital properties. Internal coordination and communication typically enables organizations to get a handle on how the companies themselves are ingesting and managing consumer data. But what about third parties?
Websites rely on third-party vendors to deliver critical functionality, including payment processing, customer log-in, registration services, chat capabilities, social media functionality and customer tracking for advertising purposes. While these features are necessary for meeting customer demands in today’s digital ecosystem, each one can enable third-party exchange of consumer data—and not just with the third-party vendors themselves.
In the course of any given vendor integration, tagging comes into play and therefore risk. Without getting too specific, it’s safe to say that, dozens or even hundreds of tags may be placed on a site. Companies must be able to identify and report that data collection to avoid breaching the terms of CCPA. So, how can a company ensure it has a full view of risk factors?
Improving Transparency, Shoring Up Vulnerabilities
In the ramp up to CCPA, companies need to be putting systems in place that help them not only pull back the curtain on unauthorized data access, but also shore up points of potential data breach and leakage. Here are areas that require special attention:
- Understanding and control of data access: Companies should seek a real-time view of third-party technologies on all digital properties. These insights need to include all third- and fourth-party points of access, both authorized and unauthorized. Companies must also be able to block access to unauthorized and undesirable parties by default, which can be achieved through the use of a whitelist.
- Consent and enforcement: Consumers must be able to access and request deletion of their personal data and opt out of its sale at their discretion. A business must provide methods, such as posting a “do not sell my data” request link on the website, to enable consumers to opt out of sharing of their data.
- Disclosure of data collection: Consumers must have the right to know whether their personal data is collected, sold or disclosed and to whom. Data collection includes any buying, renting, gathering, obtaining, receiving or accessing any personal information by any means, whether actively or passively. A business must provide methods such as posting a “delete my data” request link on the website to enable consumers to request deletion of their personal information. Without a full view of third-party technologies across all their digital properties, many companies will struggle to wholly comply with requests for access or deletion.
While coming into compliance with new privacy regulations can be daunting, the process also represents an opportunity for companies to bring themselves into alignment with best practices for customer data security. After all, GDPR and CCPA are just the beginning. Consumer data privacy concerns aren’t going away, and future legislation is likely to get stricter. Now is the time to put in place a foundation that not only brings a company’s data practices into alignment with current regulatory requirements, but also future-proofs the organization against future developments and potential costly data breaches and leakage.
The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.