nCipher Security Blog

The clock is ticking on California’s Consumer Privacy Protection Act

Cindy Provin | SVP Entrust Datacard and General Manager, nCipher Security

2020 will be one for the history books.

On Jan. 1, the California Consumer Privacy Act (CCPA) will take effect.

Some are calling this law California’s version of the European Union’s General Data Protection Regulation (GDPR). But, while it comes in the wake of GDPR, CCPA itself is considered a ground-breaking development. CCPA is the nation’s first statewide data privacy law. And it could very well set the direction for the rest of the United States.

Consumers Need to Take Action for CCPA to Work

CCPA was enacted in light of high-profile events involving the exposure and misuse of consumer data. That included hacks and the Facebook-Cambridge Analytica scandal. In the latter case, the research firm used consumers’ Facebook profile data to target voters in the 2016 U.S. election.

These disturbing events prompted citizens and politicians to call for laws giving people greater control of their personal data. And California’s elected officials delivered.

Under CCPA, California residents can demand that companies disclose what data those organizations have collected about them. They can request that companies delete their personal data and expect them to do so. And they can forbid companies from sharing their personal data with third parties.

The onus is on consumers to act, but businesses need to be ready to respond.

Businesses must be prepared to field data requests

Businesses that fail to comply stand to face significant CCPA fines.

Each intentional violation is punishable with a $7,500 fine. Non-intentional violations cost $2,500 each. And civil damages can cost $750 per affected user.

CCPA as it now stands applies to organizations that have annual gross revenues of $25 million or more, interact with data on more than 50,000 California consumers each year, and/or make more than half of their revenue selling consumer data. Out-of-state businesses that sell to California residents or display a website in the Golden State are covered by the CCPA, too.

If that includes your business, act fast, but don’t panic. The good news is there’s a six-month grace period before CCPA enforcement kicks in.

Americans say encryption is the best way to protect personal data

In an effort to better understand consumer views about cybersecurity and privacy on the eve of the CCPA’s debut, we did a survey. It involved gathering feedback from 1,025 Americans.

Nearly a quarter (23%) of our survey group told us that encryption is the best form of security an organization can use to protect personal data. Almost 19% said they don’t know what the most effective way for organizations to protect consumer information is. Firewall was the third most popular response to our question about the best form of security an organization can use to protect personal data; it got 17% of the vote.

Meanwhile, 11% of Americans said a unique password. About the same share said antivirus solutions are the best method. And slightly less than 7% said nothing can protect personal data.

Passwords are also helpful, but related behaviors and opinions are mixed

Good digital hygiene has been the topic of an array of media reports in recent years. Password creation and change are often key themes of these cybersecurity and personal data privacy conversations. But expert opinions on these subjects vary. And actual consumer behavior related to password creation and change frequency is mixed.

Including the current year or personal information, such as birthdates and names, in passwords is not ideal. It makes it easier for bad actors to guess your password. Yet many of us do that anyway. It helps us recall the array of passwords we need to remember.

We asked survey participants if they have ever included the current year (2019) when setting up a new password. About 69% said no. But a quarter said yes, and the rest said sometimes.

As for password change frequency, 28% of Americans said they update their passwords a couple of times annually. Less than a quarter (24%) said they do it once a month or more. About a fifth (19%) update their passwords every other month. Eleven percent do it less than once a year. And 10% admitted that they don’t update their passwords at all.

But one thing is certain – the CCPA will drive change in the year ahead

Many people consider the new year as a unique opportunity for improvement. So, we also asked Americans about their password- and personal data security-related plans for next year.

The vast majority – 72% – said they will update passwords and practice better personal security habits in the year ahead. Only 15% said they do not plan to improve on these fronts. And just 13% said they don’t think they’ll update passwords or practice better security in 2020.

Also, 47% admitted they currently don’t know or are not aware of their online privacy rights. But many Americans clearly care about data privacy. Thirty-one percent told us they have stopped using online services from companies including Amazon, Apple, Facebook, Google, Instagram and LinkedIn as a result of their personal data concerns.

Very soon, consumers in California will have a lot more power over their personal data. Media and privacy advocacy groups are likely to help educate the public about those rights. So, a broader share of Californians, and other Americans, will become more informed on this issue.

That gives businesses another incentive to employ cyber and personal data security solutions. Organizations that invest in advanced credentialing, encryption, public key infrastructure, and tokenization will be much better positioned to comply with the CCPA, meet customer expectations, and protect their reputations and revenues in 2020 and beyond.
