Notice to all procrastinators: The final countdown to the California Consumer Privacy Act (CCPA) has begun. On January 1, 2020, companies or organizations that do business in California will be required to comply with the state's strict new privacy legislation that establishes a legal and enforceable right of privacy for every California resident. The new regulations are not just for businesses based in California; they apply to all companies that do business in the state.
Like the European Union's General Data Protection Regulation (GDPR) that went into effect in 2018, California's legislation promises hefty fines for companies that violate the regulations. While many companies initially remained on the sidelines during GDPR's much-hyped launch, they are now increasingly sitting up and paying attention thanks to recent fines levied on a major airline ($230 million) for a data breach that affected 500,000 people, and a global hospitality company ($123 million) for the hacking of the personal information of 380 million hotel guests.
What Is CCPA?
In a nutshell, CCPA provides the following protections for the personal data of California consumers:
- Ownership. Protects consumers' rights to tell a business not to share or sell personal information
- Control. Provides consumer control over the personal information that is collected about them
- Security. Holds businesses responsible for safeguarding personal information
Many companies faced substantial hurdles last year in complying with GDPR. Now they need to comply with CCPA as well. And time is running out. If your business collects customer identity data in California, and you build customer profiles for personalized marketing campaigns, then be advised. The time to act is now. Or risk the potential for major fines that are sure to impact your bottom line.
Is your business or organization in CCPA's cross hairs? Probably so. You'll need to comply if you meet just one of the following criteria:
- You have revenues in excess of $25 million
- You buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices for commercial purposes
- 50% of your annual revenues comes from selling consumers' personal information
How Do GDPR and CCPA Compare?
While CCPA is somewhat different in scope from GDPR, it grants consumers comparable rights of controlling and vetoing the use of their data. Both regulations require companies to store data securely, be transparent about the types of personal data collected, and manage consumer requests for deletion of personal data (the "right to be forgotten"), which means being able to delete personal data from all systems throughout your organization. CCPA differs from GDPR in that it requires the ability for users to opt-out versus requiring explicit consent prior to collecting personally identifiable information (PII).
Additional Global Regulations
But GDPR and CCPA are just the beginning of this major global trend. Around the world, numerous privacy and compliance laws are being considered or already enacted. In the U.S. alone, legislators in nine states have introduced bills that would impose broad obligations on businesses to provide consumers with transparency and control over personally identifiable information. On the international level, the trend to stricter (and business-impacting) privacy regulations is clearly a global phenomenon that companies and organizations cannot ignore.
Examples for existing and planned data protection and privacy regulations
California CCPA (AB 375)
Hawaii (SB 418)
Maryland (SB 0613)
Massachusetts (SD 341)
Mississippi (HB 2153)
New Mexico (SB 176)
New York (S00224)
North Dakota (HB 1485)
Rhode Island (S0234)
China: Personal Information Security Specification
India: Personal Data Protection Bill
Russia: Federal Law No.152-FZ
Why the Need for Regulations?
We are all consumers. Our identities are valuable assets -- not only for the companies that collect and compile our PII, but also to us, the individual consumers who own the information and have a strong desire to protect it and not allow it to be misused.
As more and more areas of our lives move into the digital realm, personal data ends up in our profile data, ranging from name, address, phone, sex, payment information, and personal preferences, to shopping and browsing histories, and other behavioral data. The need for companies to secure and protect our vital data has increased significantly, and regulators worldwide are reacting to this need big time.
Regulatory compliance and security are major factors that add tremendously to the complexity and criticality of identity management. But that is no reason to sit on the sidelines and wait to see how the game unfolds. Identity management solutions can provide customers with transparency and control over their personal data by minimizing the data that is captured during registration and by asking for consent before processing any data. Consumers will be able to review, change and revoke their consent settings. And by providing one central repository for customer data with fine-grained access control, an enterprise-grade identity management solution can prevent the sprawl of "toxic" identity data (e.g., data that is still stored in the database after the customer has revoked consent or requested deletion). A central repository will also simplify the deletion of data in the context of "right to be forgotten" requests.
The time is now to implement proper identity management capabilities.
How Can Akamai Help?
Identity Cloud is Akamai's solution for customer identity management, providing everything companies need to enable their customers to create personal accounts and securely login on digital sites. Identity Cloud provides tools that can be used to significantly reduce privacy compliance efforts, while still providing companies with a highly secure customer profile repository and a 360-degree view of the customer. Identity Cloud offers specific capabilities and user experiences that help companies to address requirements such as consent and opt-out collection and management, personal data access rights, the right to be forgotten, data portability, and other obligations that regulations like GDPR and CCPA impose on businesses.
To request a 15-minute overview of Akamai Identity Cloud, fill out our request form.