CCPA compliance doesn’t equal security

Written by Anna Russell, EMEA VP at comforte AG

But there are tools that can help.

This year has seen the introduction of the Californian Consumer Protection Act (CCPA), which is designed to provide residents of California increased data privacy laws. While the name suggests that it will only impact Californian residents, the Pacific state is actually the most populated in the USA. This means that any enterprise that conducts business in California is subject to the regulation. Therefore, it affects the vast majority of international corporations and US-based operations.

Crucially, CCPA will provide new rights for consumers and their personal information. This regulatory framework will hold businesses operating in California accountable to the way that they process consumer information. The addition of CCPA may be confusing for many businesses that are already struggling to comply with a plethora of established regulations such as GDPR, PCI DSS and HIPAA. However, it is very important to note that while many of these regulations share similar characteristics, there is no technique that will automatically result in cross-regulatory compliance. However, there are several tools that will help security teams achieve cross-regulatory compliance.

While complying with CCPA may seem like an additional cost and effort on the part of compliance teams, adhering to CCPA can be useful for any company, regardless of if they operate within California’s borders or not. In fact, when comparing CCPA to PCI DSS for example, there are two areas that focus on the privacy of personal information and data protection that overlap: 

  • Firstly, CCPA describes personal information to include any data that directly or indirectly identifies a particular person or household whereas PCI DSS focuses primarily on payment cardholder data. While these may seem to prioritise different forms of information, enterprises should be sure to go above and beyond individual compliance requirements and secure all instances of data.

  • Secondly, CCPA stipulates that organisations have a duty to implement and maintain ‘reasonable security procedures and practices’ to protect the personal information. While this wording may seem slightly subjective, it means that enterprises must do more than store sensitive information in plain-text dumps.

If these two stipulations are not addressed, then the Californian regulatory body will begin to hand out substantial penalties that could range in the thousands to the millions to businesses that fail to provide adequate privacy services to their customers. This is because CCPA provides consumers the right to institute civil action against businesses when their personal information is left unprotected and is subjected to unauthorised access as a result of failure to implement those ‘reasonable security procedures and practices.’ In fact, CCPA has already been cited in the recent Hanna Andersson/Salesforce breach lawsuit. While the financial numerations of this pending suit have not yet been disclosed, the fact that the media is naming and shaming culpable corporations will no doubt have a negative impact on customer relations. 

When it comes to securing this data, CCPA regulation states that the use of pseudonymisation is acceptable to preserve data from unauthorised access. Likewise, data tokenization is an incredibly useful tool when considering regulation. This is when sensitive information, such as names and financial information, is substituted with a “token” or a non-sensitive alternative. Tokenized data can still be analysed for comprehensive insight without breaching CCPA. Indeed, tokenized data, in the context of the CCPA, may not be considered to be “personal information” so long as it has been “de identified.” The fact that tokenized information affords additional regulatory compliance means that it is an incredibly useful tool for completing CCPA compliance. Also, if done properly, data tokenization can be used to secure information in accordance with PCI DSS.

Consumers who believe their rights under CCPA have been infringed can give notice to a company who then have 30-days to respond and fix the potential violation, before a class action suit is brought forward. In order to avoid this, organisations should ensure that there is clear visibility into their data processing systems. This means monitoring for unauthorised access and more critically, protecting information (especially PII and financial information) at all stages of its life, and disposing of it securely and responsibly when it is no longer needed. Indeed, even the method of data collection must be recorded in order to comply with CCPA as at any point, Californian citizens may hold companies accountable for the use of data.

Tokenized data promises to offer more intrinsic analytic capabilities, especially in the healthcare sector where information is also subject to additional regulation, going above and beyond the previously mentioned CCPA. Indeed, it can be used to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), which stipulates how PII or PHI (personal health information) should be protected. 

Likewise, according to HIPAA, “there are restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual.” This means that tokenized information provides regulatory compliance for both HIPAA and CCPA, while facilitating the sharing of sensitive information between agencies for analytical purposes without compromising security.  

It is essential that organisations begin to deploy a data-centric security strategy and organisational measures to promote transparency and confidence to customers when it comes to their personal information. As we know, compliance doesn’t equal to security – so organisations should start securing the data itself, rather than try to build walls around entire infrastructures in a banal attempt to prevent data breaches. Complying with CCPA through data tokenization is a great step towards securing information, but it does not mean that organisations are immune.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.