Too often, companies treat privacy policies as a compliance cost.
But companies can transform compliance into a competitive advantage and selling point—rather than view it as a legal obligation.
This article was originally published on the Delphix website here March 05, 2019.
Ever heard someone joke, ‘Facebook knows more about me than my best friend’? It’s a comment that may appear to imply indifference, but underneath it is a growing concern from consumers about how their data is used by companies and governments.
In response to a wave of high-profile data breaches, California recently enacted the nation’s toughest privacy law, California Consumer Privacy Act (CCPA), to support the growing desire for personal data protection. While the CCPA went into effect on January 1, compliance from companies has been off to a slow start. Some are taking advantage of the gap in enforcement— which won’t formally begin until July—while others already consider themselves to be in compliance.
In meeting compliance standards, companies not only avoid the penalties of noncompliance, but they can also leverage privacy to build trust into the organization’s core values and demonstrate respect for its customers.
Privacy should be core to every IT leader’s mission as they steer their companies through digital transformation. Doing so starts with understanding what personal data is covered by CCPA—and ensuring privacy and security measures to protect that data are sufficient.
The Letter of the Law
The CCPA defines “personal information” as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The new law stipulates a specific list of qualifying personal data as a guide:
- Identifiers (name, SSN, email address)
- Customer records information ( includes things like insurance information, credit card number)
- Characteristics of protected classifications under California or federal law (specifically: race, religion, sexual orientation, gender identity, gender expression, age)
- Commercial information (purchase histories and consumer tendencies)
- Biometric information (facial recognition, voice recognition, etc.)
- Internet or other electronic network activity information
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Inferences (i.e. information conjectured based on any of the above data—like guessing someone’s political affiliation based on their demographics)
This definition is much more broad than most U.S. privacy laws—so much so that it even addresses what future types of data companies might be able to collect (e.g. olfactory information). That means the companies already handling consumer data have a lot to secure—but it also implicates companies that might not consider that they have personal data to protect.
“Everything we do in the digital realm—from surfing the web to sending an email to conducting a credit card transaction to, yes, making a phone call—creates a data trail. And if that trail exists, chances are someone is using it—or will be soon enough.” –Douglas Rushkoff, author of “Throwing Rocks at the Google Bus”
For example, say a transportation agency monitors its buses to ensure schedules are accurate and adjust routes depending on traffic conditions. The data is relating to the buses, but does allow monitoring the performance of drivers and checking whether they respect speed limits, follow appropriate itineraries, and more. It is therefore “capable of being associated” and can “reasonably be linked” to the drivers and could be deemed personal information under CCPA.
The law also makes it much more challenging to use personal data because one set of data could be claimed by multiple parties. For example, drug prescription information can be considered personal information both about the patient and the physician who prescribes it.
More Data, More Connections, More Risk
The best approach to CCPA compliance, therefore, is to ensure sensitive data across all systems, especially downstream environments, are secured. While most companies have a tight lid on their production environments, they have less control of their non-production environments—which contain copies of production data for use in development, testing, and quality assurance purposes. Downstream systems are less secure network environments that many people have access to—which opens companies up to corporate espionage, sabotage by competitors, and, yes, theft of private consumer data.
This is imperative as the amount of data companies collect grows, regardless of size or industry, and especially with the rise of IoT, the growing use of biometric data for identification purposes, and more. When it comes to data security in the cloud, a common mistake is assuming cloud providers have appropriate security measures in place. In fact, one study revealed only a third (32%) of organizations employ a security-first approach to data storage in the cloud. Changing tactics is necessary because in the event of a breach, the business—not the cloud provider—is on the line.
Compliance Today, Competitive Edge Tomorrow
Data masking is the method of protecting sensitive data by replacing the original value with a fictitious but realistic equivalent. But to be a truly reliable solution, your data masking tool must maintain referential integrity in a manner consistent with the unmasked data and ensure the original protected data is not recoverable from the masked data—but the reality is, many are not.
De-identified (or masked) data is only compliant with the CCPA under the stipulation that businesses implement “technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.”
Each day, more personal data floods the internet: from browsing histories to personal photos, even our treasured memories—as seen in Google’s recent Super Bowl ad, where Google Assistant helps a dementia patient remember his late wife.
By strengthening compliance regulations today, companies can position themselves to earn consumer trust and brand loyalty. Privacy will also become a competitive advantage as the CCPA and future data privacy regulations are enacted and enforced. Companies that comply will be prepared for these eventualities and avoid CCPA violations that could result in fines or costly litigation—not to mention the costs of an actual data breach. By prioritizing compliance today, companies have the opportunity and latitude to embrace data to support innovation and growth in a world where every company is becoming a data company.