The California Consumer Privacy Act goes into effect on January 1, giving Californians data privacy protections similar to those the General Data Protection Regulation affords EU citizens.
In a few short days, Californians will have the right to access the personal information companies hold about them, to have their personal data deleted, and to opt out of companies selling their personal information to third parties.
Unlike GDPR, the CCPA does not wield the same massive club when it comes to penalties for violating the Act. Instead of imposing a fine for a single data breach that could be as much as 2% to 4% of a firm’s annual revenue, the CCPA calculates the penalty at $7,500 per affected record.
“Start doing the math on the California law, and it could very quickly get right up to the same level of fine as we have seen with GDPR,” Drew Schuil, president at Integris Software, told IntelAlley.
In a study on data privacy conducted by Integris Software, financial services firms appear to have made the preparations needed to address data-privacy concerns. Nearly all of the firms surveyed (96%) had data privacy and awareness programs in place, and 90% also had dedicated data privacy teams. Approximately half of those teams (48%) consist of 25 or more employees, more than twice the share of teams that size outside the financial services vertical (23%), according to the study’s authors.
The authors also found that 92% of the respondents had dedicated budgets to address data privacy issues. The majority of those polled (60%) allocated more than $1 million to their data-privacy budgets in 2018, while 28% allotted more than $5 million to their budgets.
Not surprisingly, 92% of the firms also said that they would increase their respective budgets in the coming year, with 23% of them planning to increase their budgets by 25% or more.
The numbers paint an optimistic picture, but they do not tell the whole story: approximately two-thirds of the firms (64%) access 50 or more data sources in which sensitive data resides, said Schuil.
Nearly a quarter of the respondents (24%) said that they only updated their personal information inventory once a year.
“Even more concerning is that 13% only compile personal information when audited or to comply with regulations,” he added. “It is not a matter of having a checkbox on the days that the auditor came to see the firm. If there is a data breach, have you done enough to be defensible? Have you done enough to protect individual data?”
Personal information goes beyond Social Security and credit card numbers to include first names, last names, email addresses, IP addresses, geo-locations, and behavioral data.
CCPA’s regulatory mandate also includes data that could be used to reverse-engineer an identity, which is a significant big data problem for the industry, according to Schuil.
“A Carnegie Mellon University study found that they could re-identify 87% of the US population with an individual’s gender, birth date, and zip code,” he said. “A study done on Equifax data, which tracked 15 attributes, found that it could re-identify 99% of individuals.”
With data-collecting firms gathering more than 3,000 attributes on individuals, packaging it, and selling it, it is not surprising that 74% of the respondents felt that they were “not at all confident” or “not so confident” in their firms’ ability to accurately define what constituted personal information.
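The re-identification risk Schuil describes comes from combinations of attributes that are not secret on their own (gender, birth date, zip code) but are rare or unique in combination. A privacy team can measure that risk on its own data before anyone else does. The following is an added example, not code from the article, Integris Software, or the cited studies: it takes a small constructed set of records (not real people), groups them by their quasi-identifiers, and reports the smallest group size (the dataset's k-anonymity) and the fraction of records that are unique on those attributes. The generalization policy (birth year only, 3-digit zip prefix) is an assumption chosen to illustrate how coarsening attributes raises k.

```python
from collections import Counter
from typing import Callable, Iterable, Optional

# Constructed sample records for illustration only; no real individuals.
RECORDS = [
    {"gender": "F", "birth_date": "1985-03-12", "zip": "94110"},
    {"gender": "F", "birth_date": "1985-03-12", "zip": "94110"},
    {"gender": "M", "birth_date": "1990-07-01", "zip": "94110"},
    {"gender": "M", "birth_date": "1990-07-01", "zip": "94112"},
    {"gender": "F", "birth_date": "1972-11-30", "zip": "90210"},
    {"gender": "F", "birth_date": "1972-11-30", "zip": "90211"},
    {"gender": "F", "birth_date": "1985-03-12", "zip": "94118"},
    {"gender": "M", "birth_date": "1990-07-05", "zip": "94112"},
]

# The attribute triple the CMU study is quoted on: gender, birth date, zip.
QUASI_IDENTIFIERS = ("gender", "birth_date", "zip")

Generalizer = Optional[Callable[[dict], dict]]


def equivalence_classes(records: Iterable[dict], qi: tuple, generalize: Generalizer = None) -> Counter:
    """Count how many records share each exact combination of quasi-identifier values."""
    gen = generalize or (lambda r: r)
    return Counter(tuple(gen(r)[col] for col in qi) for r in records)


def k_anonymity(records: list, qi: tuple, generalize: Generalizer = None) -> int:
    """Smallest equivalence class: k == 1 means at least one person is unique on qi."""
    return min(equivalence_classes(records, qi, generalize).values())


def unique_fraction(records: list, qi: tuple, generalize: Generalizer = None) -> float:
    """Fraction of records that are the only member of their class (directly re-identifiable)."""
    classes = equivalence_classes(records, qi, generalize)
    singletons = sum(size for size in classes.values() if size == 1)
    return singletons / len(records)


def generalize_record(r: dict) -> dict:
    """Assumed coarsening policy: keep birth year only and the first three zip digits."""
    return {
        "gender": r["gender"],
        "birth_date": r["birth_date"][:4],
        "zip": r["zip"][:3] + "**",
    }


def risk_report(records: list, qi: tuple, generalize: Generalizer = None) -> dict:
    """Summary a privacy team could track for an inventory of sensitive data sources."""
    return {
        "k": k_anonymity(records, qi, generalize),
        "unique_fraction": unique_fraction(records, qi, generalize),
        "classes": len(equivalence_classes(records, qi, generalize)),
    }


if __name__ == "__main__":
    print("raw:        ", risk_report(RECORDS, QUASI_IDENTIFIERS))
    print("generalized:", risk_report(RECORDS, QUASI_IDENTIFIERS, generalize_record))
```

On the constructed data, the raw triple leaves 6 of 8 records unique (k = 1); after generalization every record shares its class with at least one other (k = 2, no singletons). The same measurement applied to a real data source tells a firm whether a field it treats as "de-identified" is still personal information under the CCPA's definition.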
“I think this is where the industry will be caught by surprise,” said Schuil. “Even when they are collecting the information and de-identifying elements, the more mature companies realize that they have collected a lot of data on individuals.”