Calling All Retailers – Ready or Not, CCPA Is on Its Way | Tech Law
We’re just a few short months away from the California Consumer Privacy Act going into effect. The regulation brings privacy rights to residents in California and gives them control of their personal information and how companies can use it.
Any business that sells to a California resident needs to be CCPA-compliant. For example, if a store in Massachusetts has an e-commerce site and sells to someone living in California, then both that retailer and its online counterpart need to be CCPA-compliant.
Nearly every brick-and-mortar store nowadays has an e-commerce site, and online shopping overall is on the rise. Ninety-six percent of Americans have made
at least one online purchase, according to Big Commerce.
U.S. online retail sales of physical goods amounted to
more than US$500 billion last year, according to Statista, and that figure is projected to surpass $740 billion in 2023.
Retailers that meet certain thresholds need to be cognizant of what CCPA means for them come Jan. 1, 2020. Those that neglect to become informed might find themselves paying for it: $2,500 for each violation or $7,500 for each intentional violation.
Wrapping Your Head Around the CCPA
CCPA was introduced in late June of 2018 in an effort to give privacy rights to California-based consumers. Permanent residents of the state have the right to know what personal information is being collected about them, and how it’s being used. They can request its deletion, and ultimately stop companies from collecting any further data about them.
Although often compared to the General Data Protection Regulation — Europe’s law on data protection and privacy for its citizens — CCPA’s legislation has different elements compared to its European counterpart.
With CCPA there is a greater focus on the commercial uses of data, as opposed to all forms of data processing; CCPA also functions on an “opt-out” basis, whereas GDPR consent requires an “opt-in” from the individual.
CCPA’s Potential Impact on E-Commerce
While CCPA was designed for all business types, retailers face many challenges when it comes to regulation. Since the beginning of 2018, at least 19 retailers and consumer companies were hacked —
Poshmark in August 2019;
Macy’s and, in separate incidents,
Saks Fifth avenue and Lord & Taylor in April 2018, to name a few — and likely had information stolen from them.
Many of these violations came from a third-party payment system that hackers used to their advantage. In fact, 80-90 percent of the people who log into a retailer’s e-commerce site are
hackers using stolen data, a report by Shape Security found.
No matter who takes responsibility for the breach, consumers are left with a bad taste in their mouth. Nineteen percent of consumers responding to a KPMG survey said that they
would stop shopping at a retailer that had a cybersecurity breach, even if the company took the necessary steps to remediate the issue.
CCPA will affect both large and small enterprises that process any sort of data for California residents. Businesses must comply with CCPA if they meet the following thresholds:
- Annual gross revenues of $25 million — CCPA does not specify that the revenue must be generated only in California;
- Collection of personal information from 50,000 or more California residents, households, or devices annually;
- Deriving 50 percent or more of annual revenue from the sale of California residents’ personal information.
Unless your company is a major retailer, like Walmart, you likely don’t have a sophisticated IT department. For the most part, small boutique retailers likely outsource and work with third-party firms for a multitude of needs like marketing, fulfillment, delivery and so on, or they work in the cloud. Having data seemingly “all over the place” gives bad actors a perfect avenue to go in and grab the data.
The regulation at present lacks clarity around methods of protection and the concept of de-identification (making information no longer pertain to an individual consumer or household).
‘What’s more, the law states that “personal information” excludes “publicly available” information that is lawfully accessible in federal, state or local government records. Still, how the courts interpret “personal” vs. “public” information remains to be seen.
If you think about it, almost all the information a retailer may obtain from a shopper could be considered personal: a consumer’s purchase histories, household income, mailing address, IP address and so on.
Another regulatory measure that is raising eyebrows across the security community is the “duty” of obligated businesses to maintain “reasonable security procedures and practices” that are proportionate to the sensitivity of their data.
What exactly this means can be analyzed in various ways, since “reasonable security procedures and practices in the eyes of the regulators,” remains open to interpretation.
What Should Retailers Do Now?
First and foremost, retailers should dedicate and assign a role for someone to specifically deal with and manage CCPA compliance (and security overall). Even for a smaller vendor, getting an individual in place will ensure that there is a smooth transition come the first of the new year.
The largest threat to retailers or e-commerce sites is likely a breach in security. Being able to mitigate that risk by having topnotch data security measures in place is key. Using antivirus, antispyware or encryption tools can help meet this data security burden.
Device-Level Endpoint Protection + Network Server-Based Security Software
There’s a popular misconception that by restricting an employee’s access to corporate applications to a virtual private network you have also eliminated the need to install antivirus protection on an employee’s device.
Although a VPN encrypts data flow online, including the personal identifiable information that may be accessed through corporate applications, it does not prevent the user of a device from accidentally downloading malware.
In an ideal world, every employee at an organization would have the tech literacy to recognize common attack vectors, like phishing scams, but this is simply not a reality.
Antivirus and antispyware offer a first line of defense against malicious cyberthreats that can lead to data breaches. They’re easy to implement and inexpensive, and they update automatically, requiring minimal manual maintenance.
Digital Risk Management + Governance, Risk and Compliance Measures
Through digital risk management and governance, risk and compliance solutions, organizations can streamline their compliance programs by consolidating their compliance activities into a centralized digital platform or repository.
Many organizations already have procured DRM and GRC solutions in the face of well-established compliance regulations, such as Sarbanes-Oxley, GLBA and HIPAA, but with the onset of broader-sweeping compliance laws, like GDPR and CCPA, these solutions are becoming increasingly popular.
While some elements of DRM and GRC solutions are automated, many of the supervision and monitoring duties remain human-led, meaning that organizations must hire experts to carry out this work, or outsource it to third-party partners.
DRM and GRC allow companies to align IT and business objectives while meeting compliance requirements. It’s easier to demonstrate compliance with any kind of data security regulations, as a log of compliance activities can be pulled quickly for auditors.
Encryption at Rest + Encryption in Motion
Data encryption in motion has become par for the course, with secure sockets layer certificates and VPN being near prerequisites to running a modern enterprise.
While SSL and VPN encrypt data in motion, these measures do not encrypt data at rest. Encrypting data at rest is a trickier proposition, as the physical devices that store sensitive data will not encrypt by default.
To achieve encryption at rest on data stored on physical devices, businesses need to implement full-disk encryption software solutions. As for the sensitive data at rest that is stored on the cloud, many cloud storage services, such as Google Cloud Platform and Amazon Web Services offer an encryption at rest service by default.
The downside to these services is that the encryption (cloud storage vendor) has access, and the ability to read your data. Encryption measures are low cost and relatively easy to implement. If stolen, encrypted data is irretrievable and unusable by malicious actors.
Pseudonymization + Anonymization
To fully harness the analytic potential of its data, while simultaneously protecting the PII contained within it, an organization needs to implement a data de-identification solution.
Anonymization is a data de-identification method that keeps non-sensitive data in a natural state, while scrambling all instances of PII. Since the PII is destroyed irrevocably, anonymization is considered the strongest form of de-identification.
Pseudonymization is a data de-identification method that replaces the PII in a data set with artificial identifiers, or pseudonyms, that can be reversed only by the holder of the identification key.
Since pseudonyms are reversible, organizations can continue using their PII in production environments, while keeping it protected. Tokenization is considered the most robust form of pseudonymization.
Data de-identification is the only data security measure that allows organizations to keep data protected at all states of its life cycle, including while its being processed in various production environments.
Pseudonymization solutions, like tokenization, go one step further by keeping PII completely protected, but they operate in production environments (anonymization renders PII inoperable).
Lastly, tokenized data has higher performance, and can be processed much more quickly by databases and applications than encrypted data.
Retail is the
largest private sector employer driving the U.S. economy, according to the National Retail Federation.
Industry-wide, online sales make up 10 percent of all retail sales. While Californians now have better privacy rights, come Jan. 1, retailers (brick-and-mortar and e-commerce) across the nation will need to implement changes in order to be compliant.
Dedicating a role to security is one way to start the process, and implementing certain security measures will help the person who assumes that role to succeed. It will be interesting to see how CCPA plays out, but the online shopping Wild West is sure to see a fair amount of change.