Posted by Gabe Morazan, September 09, 2019

How big a hurt could CCPA non-compliance bring?

When we get into cocktail hour chatter about “regulation” in business and industry, you can bet there are usually two POVs that get voiced: “There’s too much regulation” versus “there’s not enough of it.”

In the world of data privacy, it’s no longer a matter of opinion. The cold, hard fact of data privacy protection? It’s that there’s more of it than ever, and a lot more on the way.

But let’s deal with what’s in front of us, right now. And it’s truly right in front of us: Come January 1, 2020, the California Consumer Protection Act (CCPA) will go into effect. What’s the potential impact of this new set of regulations on a company that isn’t compliant?

That question should be especially important to the 45% of companies that won’t be ready when the law kicks in. And it’s a question with more than a few answers.

In the not-so-fine print of the CCPA

The CCPA explains, in part, that “a consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” Consumers can find out what personal information a company has about them, where it got that information, why it has it, and who it is sharing it with.

“Personal information” under the CCPA includes a broad range of individual behaviors and characteristics, and the inferences that can be drawn from that data. Just some of the scores of items on this list? Biometric data, household purchase data, family information (e.g., how many children), geolocation data, financial information, even sleep habits.

What’s key here is that Californians now have an explicit right to forbid companies to sell any of this data to third parties. And even if you’re not based in the Golden State, you’re exposed if you have employees or customers there, or if you (or an agent working on your behalf) gather data from those customers even when they’re outside the state’s boundaries: their residency alone gives them CCPA protection.

So if you suffer a compliance stumble under the CCPA – or a full-on face plant because you’re unprepared across the board – where and how will it hurt?

Reputational impact

In the article, “The CCPA and GDPR: Are they obstacles or opportunities?” I pointed out that “If you take a short-sighted point of view on this, you’re swimming against the tide, and you’re overlooking the fact this is a consumer movement, not a regulatory issue. So a company may miss out on the real opportunity it presents.”

In other words? In a marketplace where one of the most important currencies for consumers is trust, brands and companies that go the extra mile to earn it will reap reputational benefits that drop straight to the bottom line. But if they fail at protecting consumers’ personal data, or are even seen as disdainful of the need to defend that data or use it conscionably, they’re playing a very dangerous game. 

There’s varying evidence about whether reputational damage is truly permanent, at least in some sectors. Some companies that have seen serious data breaches haven’t sustained long-term injury, but it’s not uncommon for the people manning the executive suite to suddenly find their seats have gotten very hot, indeed. In the case of Equifax, its stock price dove from $147 per share to $90 after the breach, its CEO, CIO and CSO were all shown the door, and Moody’s downgraded its credit rating. That ex-CEO later had to occupy another hot seat – testifying in front of Congress.

The fact that these companies may not face long-term reputational damage apparently isn’t a balm to cybersecurity leaders at many companies. According to the “State of Cybersecurity 2019” report by the ISACA, most global cybersecurity professionals are certain that most companies underreport breaches or other incidents they’re required to publicly disclose, and even underreport the ones they aren’t legally required to make public.

A big contributor to this evasion? The reputational damage they’ve seen suffered by other companies that have admitted to breaches or mishandling of consumer data. There’s also the matter of the legal, IT, and operational costs of ensuring compliance, too, which they’d rather duck or postpone.

Aside from the damage that may come to public trust and reputation under the CCPA, the hard dollar penalties involved in noncompliance are extremely real too.

Fines and penalties

As Oksana Sokolovsky explains at Forbes, CCPA noncompliance can hit the corporate pocketbook in a big way. Her example? If people exercise their “right to be forgotten” and ask to have their data deleted, failing to do so can cost a company millions under CCPA rules, even if it’s a relatively small pool of consumers.

For instance, let’s say your firm is found to have information about 1,000 customers after they’ve requested its removal from your files. If that data is not removed within 30 days after you’ve been notified of your noncompliance, each instance could cost your company $2,500 in civil fines, for a total of $2.5 million. And if the courts find that you held onto the information deliberately, triple that amount.

Whether or not a company has done it “deliberately” is up to the courts, and that’s a crapshoot most companies would rather not take.

For companies with websites, or multiple websites, where third-party apps are firing tags and gathering data, CCPA violations are a danger they’ve got to contain. Even a year after GDPR implementation, almost 60% of apps on sites which fell under its purview were found to be sending consumer IDs to remote endpoints, according to an AdExchanger study, “regardless of where the users were located or whether they’d given consent.”

Ask British Airways whether or not the exploits of others on their sites can result in financial pain: They’ve just been fined $233 million for allowing skimming malware on their website to swipe the credit card data of hundreds of thousands of customers. In BA’s case, you can be sure there was no deliberate intent involved on their part.

Inaction isn’t an option

As I said in the article, “One Year Into GDPR, Most Apps Still Harvest Data Without Permission,” only “a significant amount of collaboration” between regulatory watchdogs, the government, and app store providers can stop bad actors in their tracks when it comes to safeguarding consumer data. 

Companies, however, can’t leave this kind of cyberhygiene to external parties, especially when it comes to the CCPA. Their own inaction or lack of controls and proper process can create issues, as we’ve seen, regardless of any nastiness inflicted by third parties.

To gain a firm handle on CCPA compliance and to head off the potential costs and damages we’ve mentioned, it’s time for companies to take a proactive approach to managing their entire data privacy ecosystem, by taking the right steps right now.