The start of the New Year brought the first strict, wide-sweeping privacy law to the United States, and organizations are trying to figure out what its effect will be and how they will comply.
“California’s new privacy law is the first of its kind in the US, and practitioners need to be aware that keeping data private and using due diligence are going to become priorities as the implications of the law become clearer,” said Barbara Rembiesa, President and CEO of the International Association of IT Asset Managers (IAITAM). “Those organizations that do business in the EU, UK or Japan already have experience with similar privacy laws. But this will be the first experience for organizations that do business only in the US and, for the time being, with customers in California. Relying on IAITAM’s 12 Key Process Areas (KPAs) is going to be critical for those new to these types of regulations.”
For IT Asset Managers, new privacy laws present a series of challenges for IT Asset Management (ITAM). In addition to using core KPAs – such as Policy Management – to ensure their organizations follow the new legislation, practitioners will need to rely on Legislation Management, Compliance Management and Communication & Education Management to make executives and employees aware of what an organization can and cannot do to remain compliant.
Such laws relate in some way to all KPAs. Vendor Management will become even more important for validating that primary vendors and their downstream vendors are following the law. Documentation Management will be needed to create a paper trail, and Disposal Management will require scrutiny to ensure data is destroyed properly at the end of an IT asset’s useful life.
But exactly what the needs will be, and how IT Asset Managers will respond to the California law, remains to be seen.
Behind the Law
The California Consumer Privacy Act of 2018 (CCPA) went into effect Jan. 1. California Attorney General Xavier Becerra said the state will not start enforcing the new law until July 1. But organizations that store and share public data already are scrambling to figure out what they will need to do to comply – and what it will mean if they do not.
The scenario should sound familiar. The CCPA is similar to the EU’s General Data Privacy Regulation (GDPR), which went into effect last year. The European law already has fined companies millions of dollars for violations. Violations in Europe have included lack of due diligence in how companies, such as Marriott, have handled customer data.
The California law applies to companies that have at least $25 million in revenue and make half of their money selling data or gathering information on at least 50,000 consumers.
Moreover, organizations that do not comply with CCPA face fines of $7,500 per incident. And while several major companies – including Redmond, Washington-based Microsoft, which was in favor of the act – said they intend to comply, others have been critical that state-by-state legislation will make compliance more complicated than a federal privacy law that would protect the entire US.
California’s law was designed to prevent incidents such as the Cambridge Analytica scandal. It also prohibits organizations from selling personal information to other companies when individuals have asked them not to sell it. For example, when 23andMe gave user data to pharmaceutical company GlaxoSmithKline, 23andMe users were unaware that their data was being collected and sold and had no option to opt out. CCPA aims to mitigate that possibility.
The law states that consumers have a right to know what information an organization collects about them, to receive a copy of that information, and to have the information deleted at their request. Additionally, CCPA requires websites to include a link on their homepages so users can request that their personal data not be sold to third-party entities.
Although the law specifically applies to California residents, other states are considering similar laws. Furthermore, some organizations that do business with those who live in California have decided to make their changes for everyone – not just those who reside in the Golden State.
Fight for Compliance
Organizations also have been split about which of them are required to follow the law and whether they intend to comply. Mozilla, which makes the web browser Firefox, said Jan. 2 that it intends to allow users to delete the data the company collects about them. The new browser version that will offer this option is scheduled to roll out Jan. 7.
What is significant about Mozilla’s decision is that the company will not produce two separate browsers. Although the new version of the browser was created in response to the CCPA, it will be available to anyone who uses the software to access the internet. Software giant Microsoft also said last year that it will extend its changes to customers outside California. Other companies are expected to follow their example.
But other major companies have said the law will not apply to them. Google and Facebook – both of which are based in California – said they are exempt from the law because they do not sell the personal data they collect. Instead, they said they collect data to improve customer experience and to show ads relevant to their users.
But how well that will play out in potential litigation as the effects of the law begin to present themselves remains unknown.
A More Private World
Since its inception, the internet has been virtually unregulated, and the storage of personal data on servers and cloud-based systems was more of an afterthought. But as data breaches and the sale of personal data have become more common, the collection and use of electronic data has begun to change worldwide.
California’s new law likely will be repeated not just in the US, but in other parts of the world that are not yet ahead of, or even keeping up with, the curve of such changes.
IT Asset Managers – especially Legislation Managers – will need to be prepared to work with their Legal departments to determine how these new laws will affect their programs, processes and projects. They also will need to keep an eye on violations, fines, the reasons for the fines and what courts ultimately say about them. In 2020, the IT Asset Manager will take on more responsibilities and become more involved in protecting consumer information.