Blog: California Consumer Privacy Act: Data Privacy & Data Protection in the Age of Digital Transformation

California considers its own data privacy directive on the heels of GDPR.

For California, November’s midterm election is setting up to be a potential landmark event. It could be the beginning of the end for the most populated U.S. state as we know it today.

Recent reports have verified that a radical plan to divide the state with its nearly 40 million residents and 163,696 square miles into three different jurisdictions has officially landed on the Nov. 6 ballot.

While the probability of the Golden State actually splitting into the proposed Northern California, Southern California, and California jurisdictions is up for debate (it hasn’t happened since the Civil War-induced Virginia-West Virginia divorce of 1861), California lawmakers recently passed into law a bill that will immediately change the lives of Californians – and possibly start a domino effect throughout the rest of the United States.

The California Consumer Privacy Act of 2018 was passed with bipartisan support on June 28 and signed into law on July 2 by California governor Jerry Brown. The bill requires companies doing business in California to uphold stricter online privacy rules and puts residents on firmer ground when it comes to how their data is collected, controlled, secured, and used by corporations.

State officials made quick work of the data privacy bill, pushing the legislation through just one week after it was introduced in order to keep the measure off California’s midterm election ballot in November. And despite heavy pushback from companies like Amazon, Google, Microsoft, Comcast, AT&T, and Uber, the initial outline seemed to play favorably with the general public: the measure’s official petition garnered more than 600,000 signatures from around the state to qualify for the ballot.

The enthusiasm for progressive and reformed consumer data privacy comes as no surprise. With seemingly regular data breaches of major companies and the fallout of Facebook’s Cambridge Analytica fiasco, the issue of data misuse has never been more relevant.

But in reality, the domino effect of progressive data privacy regulation has already been set off in the form of the European Union’s recent General Data Protection Regulation (GDPR) ruling, and California’s data privacy law is just the first U.S. tile to fall in the wake of the EU’s sweeping measure.

What is the California Consumer Privacy Act?

With the bill signed and officially taking effect in 2020, the California Consumer Privacy Act becomes one of the most far-reaching online privacy regulations in the U.S., protecting those who do not want their personal data shared or sold by any business connected to California. But the delay also gives companies that oppose the legislation, especially Silicon Valley tech firms, time to lobby for changes to the law or to delay fines for non-compliance.

According to one of the initiative’s campaign chairs, Alastair Mactaggart, a San Francisco real estate developer, the California Consumer Privacy Act will require organizations to display a “clear and conspicuous link” on each applicable website homepage labeled “Do Not Sell My Personal Information.” The link must take users to a webpage where they can opt out of having their personal data sold or shared.

An organization will have to disclose to whom its data is being sold or with whom it is shared, and what types of data it collects, including home addresses, employment information, Social Security numbers, email addresses, and IP addresses, as well as demographic information such as gender, race, and ethnicity. Companies would also have to report how they use data for targeted advertising on websites and apps.

There will also be a financial incentive for companies to cooperate with the new policy, which provides for strict and costly fines in the “thousands of dollars” for organizations that fail to comply with or violate any aspect of the California Consumer Privacy Act.

If this all sounds familiar, it’s no coincidence.

The Wake of GDPR

Anyone who has visited a website or checked email in the past month may have noticed a recurring trend: an influx of companies updating their privacy policies, terms of service, and cookie practices. That’s all due to GDPR, which, after more than two years in an adoption phase, officially went into effect on May 25.

GDPR aims to streamline data protection regulations and strengthen protections for all individuals affiliated with the EU. And even though GDPR is a European mandate, it has sent shockwaves around the world to millions of non-European citizens because of how globalized everyday business has become.

As the EU continues to implement GDPR, the rest of the world is expected to follow suit. GDPR’s emphasis on respecting individual rights by giving back control and ownership of personal and sensitive information has raised the bar on data privacy standards. This type of data privacy measure is already being replicated in, among other countries, Australia, Japan, and Canada.

And the U.S. is no different in how it considers data privacy goals. In April, Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, which follows a framework similar to GDPR in regard to obtaining consent to use a person’s information. However, the CONSENT Act, which still differs from GDPR in many respects, is in its early stages and hasn’t garnered any support from Republicans.

It might come as little surprise that California is the state keeping the ball rolling on progressive data regulation in the U.S. On the strength of its massive population and the booming tech industry in Silicon Valley, California is the fifth-largest economy in the world. And with such a wide scope of fiscal influence, any measure a California-based company takes on data privacy is bound to affect the rest of the country, pushing other states to adopt very similar standards for handling data.

Net Neutrality

Although it’s not directly related to GDPR or data privacy, Net Neutrality is just another example of how major pieces of the digital landscape are constantly shifting. While Net Neutrality was widely believed to be a set-in-stone regulation, it has crumbled drastically under the pressure of policy amendments.

And no matter how you put it, the recent overturning of Net Neutrality is bound to be far-reaching, even as the long-term effects of the change remain speculative. To one degree or another, it will change how all industries, from the smallest of businesses to the largest of conglomerates, are affected when it comes to data throttling, bandwidth allocation, and the possibility of pay-to-play business models from internet providers.

Data Privacy in the Age of Digital Transformation

Organizations in every industry and government sector face the ever-present challenge of an evolving compliance landscape. So the right technology for keeping up with constantly changing or newly established mandates is an important piece in enabling organizations to build solutions that handle end-to-end compliance.

It has been regularly reported that companies inside and especially outside the EU have found complying with all of the GDPR rules complicated, intimidating, and confusing. But the varying data privacy compliance processes for GDPR, the CONSENT Act, and the California Consumer Privacy Act can be simplified with a cohesive strategy that handles the rules of today and anticipates the rules of tomorrow.

Anything an organization does with data requires processing at some level. And just about every process includes some sort of data movement and file-based integration requirement. The need to move and integrate data between applications and across business lines represents the operational essence of almost every business. So, implementing a robust and secure data movement platform that includes secure data transfer capabilities can go a long way toward meeting increasing compliance demands.

The ability to simplify, centralize, and secure data movement increases the likelihood that companies will be able to comply with privacy mandates that involve processing or sharing sensitive consumer identity, health, and personal finance data. And this, in the long run, mitigates the risk of haphazard data exposure and hefty fines for non-compliance.

Key Aspects of a Data Movement Platform

Although data management is often a behind-the-scenes process that consumers rarely see, it’s still critical to every business activity. The same goes for the ability to comply with GDPR and possibly the upcoming California privacy regulation. In the face of compliance, there is a common need for companies to implement appropriate technological measures to manage, control, and govern data flows.

Equipping a business with modern technology that combines enhanced and scalable data movement and integration capabilities ensures that these routine data workflows adhere to most data protection rules.

However, despite this prescription, it is not uncommon for organizations to struggle even to identify the challenges inherent in complex data integration, especially across multi-enterprise digital trading environments.

Careful strategic planning is needed to establish a secure business data transfer topology. When selecting and implementing a modern solution to enable regulatory compliance around the handling of data, there are five key aspects to consider, each with several accompanying questions to ask:

  1. File activity

  • What are the files the business handles?
  • Where do the files originate?
  • Where does the file need to go?
  • Which people internal and external to the organization need to act on the file?
  • What information does the file contain?
  • What is the sensitivity level of the data?

  2. Data in motion and at rest

  • Can the solution support encryption for data in motion and at rest?
  • Is there database independence?
  • Can it support a secure proxy server architecture?
  • Is redundant server architecture available to support failover and DR?

  3. User permission

  • Does the solution support user access control?
  • Does the solution support LDAP?

  4. Administrative activity

Does the solution offer:

  • Control and governance?
  • Audit trails?
  • Automation and rich API capabilities?
  • Transaction-level reporting and visibility?
  • Certificate management?
  • Nonrepudiation?
  • Data integrity checks?
  • Comprehensive transfer logging?

  5. Integration

Can the solution enable data and file-based integration with existing systems, including:

  • Data storage applications, on-premise and in the cloud?
  • Business applications (CRM, ERP, TMS) and systems of record?
  • E-commerce and finance applications?

As stated earlier, businesses should expect an increase in data privacy directives introduced in reaction to GDPR. The California Consumer Privacy Act is the first toppled domino in what is likely to be a long chain reaction. And as each additional regulation passes, it will send out its own seismic waves, forcing changes in how companies need to move, integrate, and handle data in the age of digital transformation.
