California’s Consumer Privacy Act (CCPA) went into effect on January 1, 2020. California is the most recent jurisdiction to add privacy legislation, but it will not be the last.
More than 40% of Americans live in a state that is considering privacy legislation, and U.S. senators from California are proposing federal privacy legislation. Internationally, Brazil, China, Australia, India, Japan, and, of course, Europe (GDPR) all have privacy legislation in force or proposed.
It can be a full-time job keeping track of the many nuances of all these laws. As details about CCPA began to come into focus, I spoke with numerous security and privacy executives who found themselves wrestling with a bit of confusion. Some lawyers interpreted early drafts of CCPA to prohibit Loyalty Programs, though that appears to have been clarified in later drafts.
Other executives worried about balancing their customers’ newfound right to “be forgotten” with other regulations mandating that customers “be remembered”, so they could be updated in the event of a product recall. It has most certainly been a confusing and often stressful process for privacy, legal, and risk teams to track.
While many of the privacy regulations are similar, each has nuances specific to its own jurisdiction. There are still steps that can be taken to make it easier to comply with evolving regulations.
Stop the Sprawl of Toxic PII
Most organizations architected their customer identity storage infrastructure years ago, to meet the needs of the business before the current era of increased focus on customers’ rights to data privacy. This often led to significant sprawl of customer PII across many databases, each storing its own copy of customer identity data.
One global CISO I’ve worked with recently explained that he has nearly 100 databases that store customer identity. He determined that his first step on the path to protecting customer data and engineering workflows to comply with regulations was to centralize his customer identity storage infrastructure into a single identity management system that provided excellent global performance.
It would be easier to architect the workflows applicable to each user’s geography (right to be forgotten, right to opt out of the sale of personal data, etc.) on top of a single identity store than to engineer those workflows across a sprawling series of data stores.
Implement Least Privilege Access to Customer PII for Your Third-Party Partners
Most organizations operate in a dynamic environment where they leverage a significant number of third parties. The marketing department, in particular, often turns to third parties to improve the effectiveness of omnichannel marketing campaigns.
Similar to the sprawl of PII within an organization, organizations have historically shared excessive levels of data about their customers with third-party partners. If you have not already, now is a good time to audit the level of detail provided to each third-party partner and limit that access to the minimum required for the partner to perform its function.
One approach is to provision API access to the central data store, with the API enforcing least-privilege access for each third party and also enforcing user-consent workflows. When a user exercises their right to have some of their personal data forgotten, that workflow can extend to the third party as well, because the central store knows which partners received that user’s data.
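The following is an added illustration of the approach described above (centralized store, per-partner field scopes, consent check, erasure propagated to partners); it is example code written for this post, not code from any identity management product. The partner names, field names, purposes and sample customer record are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class IdentityStore:
    """A single central identity store (constructed for this example).

    Besides the records themselves it tracks, per user, which processing
    purposes the user has consented to and which partners have received
    any of the user's data, so that an erasure request can be propagated.
    """
    records: Dict[str, Dict[str, str]] = field(default_factory=dict)
    consents: Dict[str, Set[str]] = field(default_factory=dict)
    shared_with: Dict[str, Set[str]] = field(default_factory=dict)
    erasure_notices: List[Tuple[str, str]] = field(default_factory=list)


# Hypothetical partner registry. Each partner is granted only the fields it
# needs for one purpose, and the user must have consented to that purpose.
PARTNER_SCOPES: Dict[str, Dict[str, object]] = {
    "email-campaigns": {"fields": {"email", "first_name"}, "purpose": "marketing"},
    "parcel-carrier": {
        "fields": {"first_name", "last_name", "postal_address"},
        "purpose": "fulfillment",
    },
}


def add_user(store: IdentityStore, user_id: str, record: Dict[str, str],
             consents: Set[str]) -> None:
    """Create a user with an initial set of consented purposes."""
    store.records[user_id] = dict(record)
    store.consents[user_id] = set(consents)
    store.shared_with[user_id] = set()


def withdraw_consent(store: IdentityStore, user_id: str, purpose: str) -> None:
    """User opts out of one purpose (e.g. marketing); later lookups for that
    purpose are refused."""
    store.consents[user_id].discard(purpose)


def get_for_partner(store: IdentityStore, partner: str, user_id: str) -> Dict[str, str]:
    """Least-privilege read used by the partner-facing API.

    Raises KeyError for an unregistered partner or unknown/erased user, and
    PermissionError when the user has not consented to the partner's purpose.
    Only the fields in the partner's scope are ever returned, and the share
    is recorded so an erasure can be propagated later.
    """
    scope = PARTNER_SCOPES[partner]
    record = store.records[user_id]
    if scope["purpose"] not in store.consents[user_id]:
        raise PermissionError(f"{user_id} has not consented to {scope['purpose']}")
    view = {k: v for k, v in record.items() if k in scope["fields"]}
    store.shared_with[user_id].add(partner)
    return view


def erase_user(store: IdentityStore, user_id: str) -> List[str]:
    """Right-to-be-forgotten workflow: delete the central record and queue an
    erasure notice for every partner that received this user's data.
    Returns the sorted list of partners notified."""
    partners = sorted(store.shared_with.pop(user_id, set()))
    store.records.pop(user_id)
    store.consents.pop(user_id, None)
    for partner in partners:
        store.erasure_notices.append((partner, user_id))
    return partners


if __name__ == "__main__":
    # Constructed sample user; not a real person.
    s = IdentityStore()
    add_user(s, "u1", {"email": "ada@example.com", "first_name": "Ada",
                       "last_name": "Lovelace", "postal_address": "1 Example St",
                       "phone": "+1-555-0100"}, {"marketing", "fulfillment"})
    print(get_for_partner(s, "email-campaigns", "u1"))   # email + first_name only
    print(get_for_partner(s, "parcel-carrier", "u1"))    # no email, no phone
    print(erase_user(s, "u1"))                           # both partners notified
```

The point of recording `shared_with` at read time is that the erasure workflow does not depend on anyone remembering which partner integrations exist; the API that released the data is also the component that knows where it went. The `phone` field is never released to any partner because no scope includes it, which is the audit-and-minimize step from the paragraph above expressed as configuration.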
Criminal Interest in Privacy Legislation
Hopefully the increased focus on managing customer PII will continue to drive attention to good practices that improve not only privacy but also safety. The criminal response to GDPR has been interesting to observe: not long after GDPR went into effect, some criminals attempted to exploit its well-known penalties by trying to extort money from victim organizations.
In one early example, attackers took over a number of consumer banking accounts via credential stuffing. Rather than monetizing that access by selling it or attempting fraudulent transactions, the attackers resorted to extortion: they threatened to publicize the breach, and so expose the bank to a potential GDPR fine, if their demands were not met.
More recently, ransomware attacks have moved past encrypting data and demanding money for its release to exfiltrating data and threatening to publish it if extortion demands are not met. Part of that threat is the risk of GDPR fines. I’m not aware of any fines resulting from these attacks, but it is an interesting development to follow.
Business Opportunity Resulting from Properly Protecting User Privacy
Evolving privacy legislation isn’t all bad news for the business. According to studies, consumers do want to be recognized online and provided with a personalized experience. This comes with a significant catch: consumers report that they are more reluctant to do business with brands that fail to protect their personal data.
UK customers report that they are more willing to share personal data since GDPR went into effect because they feel it will be better protected. For businesses that can properly protect customer data, this represents a potentially tremendous opportunity.
Privacy, risk, and legal teams can expect to face additional privacy regulations in 2020 and beyond as this trend of increased privacy legislation shows no sign of slowing down. It will continue to be a challenge to keep up with the nuances of each new law, but laying a solid foundation for the management of customer identity and PII will make compliance an easier task to manage.
Businesses that manage their customer identity data safely and effectively will be afforded the opportunity to engage their customers in personalized omnichannel interactions that enrich the customer experience and drive loyalty.