If you haven’t felt much of an effect from this year’s rollout of the European General Data Protection Regulation, there’s a new law out of California, the California Consumer Privacy Act, that tackles similar issues and has the potential to affect enterprise data center users.
Both laws make consumer privacy a higher priority by punishing companies that abuse private user data, though they approach it in different ways.
Both apply to companies regardless of where they are based, as long as they provide some service to either Europe’s or California’s residents. And both have steep fines for non-compliance.
The European law is stricter on timing: a company has 72 hours from discovering a breach to assess its scope and report it to the supervisory authority. California's law sets no comparable reporting deadline; its 30-day window is a cure period, the time a company gets to fix a violation after a consumer gives written notice before that consumer can sue. European users must generally opt in before their data is processed, while California allows companies to collect and sell data by default as long as they give people a way to opt out.
But California's law goes further in two significant respects. First, consumers get a private right of action: if a company's failure to maintain reasonable security leads to a breach of their personal data, they can sue for statutory damages without having to prove they suffered any actual harm. Second, consumers can demand to see the specific pieces of personal information a company has collected about them, along with the categories of third parties that information has been shared with or sold to.
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law.
Additionally, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenue from the sale of personal data also fall under the law.
Organizations will have to implement and maintain security controls appropriate to the kind of data they collect, Frederik Mennes, senior manager of market and security strategy at OneSpan, said.
For data centers that means implementing multiple layers of security controls, he said, such as data encryption, data anonymization, and access control, based on strong user authentication.
The California law goes into effect on January 1, 2020. But, as a practical matter, companies need systems that record what personal data they collect and where it goes in place by the start of 2019, since the law gives consumers the right to request all the data a company has collected on them over the previous twelve months.
Large tech companies like Google and Facebook opposed the bill, which was not surprising, Kevin Bocek, VP of security strategy and threat intelligence at Venafi, said. "Controlling the privacy and personal information that flows between machines is incredibly difficult."
Companies should expect other states to follow California's lead, experts say.
"The precedent of the GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set," Matan Or-El, CEO and co-founder at the security company Panorays, said. "Furthermore, it is certainly likely that similar privacy regulations will be adopted by other states."
This has already happened with breach-notification laws, he added. California started the trend 15 years ago, and now most states have similar laws on the books.
But complying with the new privacy laws isn't just a technological challenge.
The law will throw a wrench into the business models of those for whom collecting and monetizing personal data is a primary source of revenue, Willy Leichter, VP of marketing for the cybersecurity vendor Virsec Systems, said.
"It’s very appealing to consumers that they can opt out of marketing lists and have their data deleted," he said. "However, it’s hard to conceive of how this can effectively work. Doing any business online requires sharing data, where it inevitably gets shared, leaked, or shipped across borders. Good luck trying to opt out and retrieve all your personal data when it’s littered around the globe.”