The California Consumer Protection Act (CCPA) regulates the collection, use and transfer of personal information about California residents. The impact stretches far beyond the state’s borders, do not assume you are protected. If you do business with any CA residents or collect digital information on Californians, you could be at risk if you don’t take action.
The CCPA has four major provisions that impact businesses which have either $25 million or more in annual revenue, have personal data on 50,000 individuals or make half their revenue from the sale of personal data.
CCPA consumer rights
- Know what personal information businesses collect, how it is being used, whether it is shared or sold, and who else has access to it
- Opt-out of allowing businesses to sell information to third parties
- Require businesses to delete personal information upon request (with some exceptions)
- Receive equal service and pricing even if these rights are exercised
The California Consumer Privacy Act also allows people to sue for non-compliance or data breaches, therefore businesses must look beyond CCPA compliance and review their website security defenses to prevent data leakage.
CCPA action steps
Once basic compliance notifications are put in place, the biggest exposure that companies will have is in the case of a data leak or data breach. While businesses are not required to notify consumers when data leakage or data breaches occur, there are specific requirements for tracking, accessing and storing data. Data stored with cloud providers magnifies the potential exposure.
Companies can mitigate the damage, according to the CCPA, by maintaining reasonable security practices and procedures. The Ensighten website security solution enables the following to ensure customer data security:
- Real-time website monitoring
- Customer data and PII protection
- Automated website privacy audits and alerts
- Encryption and masking of sensitive data
- Allow and block to define permissions for third parties
- Privacy gateways
- Blocking unauthorized network calls
Protection beyond the CCPA
While worries over complying with the California Consumer Privacy Act may be top of mind right now, it’s just part of the security umbrella your organization needs. 2019 is on track to be the worst year on record for data breach activity. In the first half of the year alone, more than 4 billion records have been compromised at a rate of 52% higher than at the mid-point of 2018.
Cybercriminals are leading the charge. Ecommerce websites are being targeted by criminal groups like Magecart that inject malware into sites to skim credit card and online payment information. This group alone is responsible for more than 300,000 attacks and hacks on more than 110,000 ecommerce sites in 2018 alone.
Third-party vendors are also being targeted to bypass security measures. Once infected, malware and ransomware can make its way to companies they do business with. Last year, 59% of US companies reported a data breach attributable to a vendor or third party.
How MarSecTM provides security and CCPA compliance
The customizable MarSecTM platform allows users to create allowlists to manage third-party technologies – also enabling CSOs, CMOs and IT staff to quickly configure CCPA (and GDPR) compliance items, such as “do not sell my data” selection by geo-location, in line with the CCPA legislation.
The Ensighten solution has the features IT teams need to manage website security while providing tools for marketing teams. For example, CMOs can test styles and the order of opt-in/opt-out categories to determine the most effective way to collect information.
The flexible interface allows customization to adapt to future legislation. Data privacy enforcement and blocking reports can support your native consent experience or a third-party solution.
Beyond CCPA compliance, MarSecTM provides client-side detection and prevention of data leakage and theft for your website supply chain. It protects against website cyberattacks, including:
- Web skimming
- Magecart attacks
- Client-side keylogging
- Tag piggybacking
- Third-party vendor exploitation
- Man-in-browser attacks
Take action now
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Use this deadline as an opportunity to review your compliance, policies and overall data security.