Company data security and ensuring compliance with GDPR and CCPA requirements
By Lorence Olivo
December 16, 2020
I’ve written numerous articles concerning data privacy and the lengths that companies have gone to mine and utilize personal information. There are, of course, measures that we as online consumers can take to help minimize what information is stolen from us, but there are many of us who also share the belief that this is not enough. Privacy protection has become not just a concern for individuals but also a major topic of discussion for governments across the globe. Two major pieces of legislation that are forcing tech companies to become more transparent and accountable in their handling of personal data are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These laws are the first of what appears to be a growing effort to curtail misuse of personal data, especially in a world becoming more and more interconnected and subsequently more and more vulnerable to data breaches.
Tech companies make a lot of revenue through the collecting, utilizing, and selling of personal data. For big tech companies like Google, Facebook, and Twitter, it is only through using personal data to deliver targeted advertisements that they are able to make most of their revenue. But these new privacy laws are forcing tech companies, big and small, to make changes to how they operate and interact with their users, lest they risk massive fines or other charges. For those companies just starting out, hopefully this article can serve as a primer for learning how you can ensure your products are up to date, marketable, and striving to ensure the ethical protection of your clients in this ever-changing industry.
The Purpose of GDPR and CCPA in A Nutshell
At their core, GDPR and CCPA are a set of important laws for privacy protection and regulation in the online space. Companies exploiting data, as reported in the Cambridge Analytica scandal, have been a growing concern, and it is the intent of these laws to force companies to give people more control over and transparency into the use of their data, while also making said companies accountable for securing such sensitive information from being compromised by bad actors. The European Union’s GDPR was first put into effect back in 2018, with the state of California soon following with the CCPA at the start of 2020.
What Does Each of These Laws Define As “Personal Data”?
The European Union’s definition of personal data is described as information on any resident in the EU that can be used to determine their identity, directly or indirectly. This includes, but is not limited to:
- Basic identity information such as name, address, photos, ID number, online username
- Online tracking data such as location, IP address, cookie data
- Health, genetic, and biometric data
- Racial or ethnic data
- Sexual orientation
- Political leaning
California’s legislation is more limited in the scope of individuals it covers, since it only counts residents within the state, but takes a broader approach to what is classified as “personal data,” listing such information as follows:
- “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers”
- “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies”
- Biometric information
- “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement”
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or other similar data
- Professional or employment information
- Non-public education information
- “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes” (i.e. Metadata)
What are the key provisions in GDPR and CCPA?
In order to ensure the security of personal data, GDPR and CCPA guidelines set out specific requirements that companies must abide by and shift resources to accomplish.
The European Union states that the goal of GDPR is to place requirements and obligations on companies to follow the principles of lawfulness, fairness, and transparency. To this end, it requires that any company or organization notify and receive explicit consent from users before they can proceed to process data on them. As part of this process, a company must be completely clear in communicating to users:
- What personal data is being collected, used, and processed.
- The risks, rules, safeguards, and rights related to the processing of personal data
- How they can exercise their rights with regard to the processing of personal data.
- What data breaches (if any) are likely to present risks to their rights and freedoms.
In addition to these transparency requirements, the GDPR also enumerates specific rights to users, such as:
- The right to be informed that their personal data is being collected, used, consulted, and processed.
- The right to request and obtain access to their personal data.
- The right to rectify or delete personal data stored about them.
- The right to restrict what data is processed.
- The right to be able to take or transfer their data to any website or device that they choose.
In addition to these rights, companies are also required to have a Data Protection Officer (DPO) to ensure compliance with regulations, and to notify the Data Protection Authority (DPA) within 72 hours of any security breach that could affect personal data.
CCPA has fewer specific requirements that businesses are required to abide by, in comparison to GDPR, but its main goal is ensuring the following rights for Californians:
- The right to know what personal information is being collected and whether said information is being sold or disclosed and to whom.
- The right to opt-out of their personal information being sold.
- The right to access what personal information is being gathered on them.
- The right to non-discrimination in terms of receiving services and prices, even if they exercise their privacy rights.
In addition to this initial legislation, this last November’s election saw California voters pass Proposition 24 to add further strength to the CCPA. The California Privacy Rights Act (CPRA) was created in response to privacy advocates arguing that the CCPA was not enough to address what they claim is a fundamental problem with existing privacy regulation and practices. The CCPA operates on a notice-and-consent model, in which the user has to become aware of and make decisions on how their privacy is handled. Some privacy advocates argue that what ultimately needs to be done is to place restrictions and heavier regulations on how businesses act when collecting and processing data.
That’s where CPRA is supposed to come in. It imposes new requirements on businesses to protect personal information, including by “reasonably” minimizing data collection, limiting data retention, and protecting data security. It also requires companies to conduct privacy risk assessments and cybersecurity audits annually and submit them to regulators.
The individual rights laid out under CCPA have also been added to with new notification requirements for companies. It requires them to notify users that they have the right to opt out of both the “sale” and “sharing” of personal information and adds protections for a new category of “sensitive data.”
What companies are affected by GDPR and CCPA guidelines?
The GDPR is the far more rigorous of the two laws in terms of the companies that are affected, requiring compliance from any company that controls or processes private data about EU citizens living within the European Union’s member states, even if said company does not have a presence within the EU. Specific criteria include:
- A presence in an EU country
- No presence in the EU, but it processes personal data of European Union residents
- More than 250 employees
- Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects on a frequent basis or includes particular types of sensitive data. This kind of data includes any information that allows a person to be identified, directly or indirectly, from the data procured: a person’s name, address, user name, IP address, cookies, and more. (Which essentially means all data.)
GDPR also specifies that “controllers” of data are primarily responsible for following these guidelines, with some other defined obligations being put upon those classified as “processors” of data.
The CCPA, in comparison, is far more limited in its scope of who is protected, as it only protects Californians. For a company to fall under these guidelines, it is specified that it must be a for-profit business that collects and controls personal data on California residents, conducts business in California, and meets one or more of the following requirements:
- Generate 25 million dollars or more in gross annual revenue
- Handle data on more than 50,000 people or devices
- Have 50 percent or more revenue come from selling personal data.
The Consequences of Noncompliance
While there are talks of imposing more stringent penalties on companies that fail to comply with the respective GDPR or CCPA regulations, both sets of laws are primarily oriented towards hurting tech companies where it hurts most: their wallets.
If a company is found to be operating out of compliance with GDPR, regulators are authorized to impose high fines of either up to 20,000,000 Euros or 4 percent of the company’s total annual turnover for the previous financial year, whichever is greater. As Wired succinctly explains: “If an organization doesn’t process an individual’s data in the correct way, it can be fined. If it requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach, it can be fined.”
For California residents, the CCPA operates a bit differently: all residents are given the right to sue companies for failing to take reasonable precautions against data breaches. This right comes with the stipulation, however, that only the Attorney General’s office can enforce compliance with the CCPA, something the office states is limited because it only has the resources to bring a few of these cases forward each year.
If the legal process can get past this part and a company is found not to be in compliance with the CCPA, it is given 30 days to rectify the situation once notified. If it does not resolve the issue, the company will then be subject to a fine of up to 7,500 dollars per record. When you think of how many user records are often affected by a data breach, that 7,500 dollar fee racks up quickly.
There is a great deal of information covered in each of these pieces of privacy legislation. Companies that fail to take the time and energy to study GDPR and CCPA mandates do so at extreme risk to themselves should they be found in violation of the privacy protections of their users. Though it is in the best interest of any company to read up on these guidelines for legal reasons, there is a larger takeaway that we should all recognize. Every day, thousands are at risk of having their personal data exploited and used in a way that could potentially cause irreparable damage to their livelihoods. Many companies have brushed these concerns aside in the past, and the data breaches we have seen as a result speak for themselves. If we are going to continue operating in this increasingly interconnected world, whether as users or as companies, ensuring that there is transparency between both parties and that security is the first priority are goals that should be strived for, not just for legal or economic reasons but for moral reasons as well.