GDPR, CCPA, and a future of data compliance. Are you ready?

GDPR is so 2018. Get ready for CCPA, which goes into effect in 2020. The world of laissez-faire data usage is coming to an end, and businesses should be ready for more regulation in the future.

So how can you prepare for CCPA and do right by your customers, while still building a thriving, data-driven business?

What is the CCPA?

The California Consumer Privacy Act (CCPA) is the newest data usage regulation on the block. Like Europe’s GDPR, it is strict and broad, probably even more so. And if you do business in California, it probably applies to you. It also comes with a broad set of consumer rights, and a very tough set of penalties if your business does not comply with CCPA or suffers a data breach.

Although CCPA is a California-only law, it applies to any for-profit company doing business in California. We don’t have a crystal ball, but we’d also guess that there will be even more stringent regulations in the future, whether in other states in the USA or in other countries around the globe.

This presents a tradeoff for a lot of companies. Data can be one of an organization’s most powerful assets, but managing its distribution and security requires time, money, and other valuable resources. How can businesses make smart choices while navigating CCPA, and any future regulations? Let’s take a look.

Who does it impact?

CCPA applies to your business if you meet any of the following three conditions:

  • have annual gross revenue greater than $25M
  • process personal information of more than 50,000 consumers, households, or devices
  • derive more than 50% of your revenue from selling PII

We’d err on the side of saying this means nearly everyone can be affected. If 50,000 Californians visit your website and you collect their IP addresses, CCPA could apply to you.

In general, we believe this is a good time to make data security and compliance a standard part of your business now. Even if you’re a small business, data compliance only gets harder the bigger you grow.

Check out our blog post for our in-depth take on CCPA and why it will hit development teams harder than GDPR.

What data is covered?

Officially: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This is way, way broader than something like HIPAA or what is generally considered personally identifiable information (PII), such as names, birthdates, or social security numbers.

CCPA could cover data including:

  • IP addresses
  • Geolocation
  • Employment or education

So yes, that’s very broad, and yes, you’re probably collecting that today.

So what can you do?

Humble reminder: We are not your lawyers.

If you sell user data, be sure to anonymize, aggregate, or de-identify data covered by CCPA. Also, make all of this clear to your customers, and give them a way to opt-out. We hope you already do this.

Everyone else? Whether you’re in development, test, or running internal analytics, we recommend adopting some best practices now. We know the value of using production data, but with it you run the risk of data breaches and hefty fines. You could purge the CCPA-covered data entirely, but then your data isn’t realistic. It seems like a lose-lose situation.

At Tonic, we recommend using synthetic data—data that’s based on your real production data, but with all the sensitive fields de-identified in a way so that it’s no longer covered by CCPA, GDPR, or any future regulations. Synthetic data also preserves the correlations, interdependencies, and statistical properties of your production data so it feels just like the real thing.
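To make the de-identification step concrete, here is a small added illustration (example code written for this article, not Tonic’s product or code). It takes a constructed set of “production” rows containing the kinds of fields the sections above list as CCPA-covered (email, IP address, geolocation), replaces the direct identifier with a keyed token so per-user correlations and joins still line up, generalizes the IP and coordinates so they no longer pinpoint a household, and leaves the business fields untouched so aggregate statistics come out the same. The sample rows, the key, and the field names are all constructed for the example. Whether the result is “no longer covered” is a legal judgement about linkability that this code does not make; it only shows the mechanics a synthetic-data pipeline builds on.

```python
import hashlib
import hmac
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample of "production" rows. These values are invented for the
# example and do not describe real people.
PRODUCTION_ROWS = [
    {"email": "ana@example.com", "ip": "203.0.113.17", "lat": 37.7749, "lon": -122.4194, "plan": "pro",  "monthly_spend": 120.0},
    {"email": "ben@example.com", "ip": "203.0.113.88", "lat": 34.0522, "lon": -118.2437, "plan": "free", "monthly_spend": 0.0},
    {"email": "ana@example.com", "ip": "198.51.100.5", "lat": 37.7811, "lon": -122.4100, "plan": "pro",  "monthly_spend": 135.0},
    {"email": "cy@example.com",  "ip": "192.0.2.201",  "lat": 32.7157, "lon": -117.1611, "plan": "free", "monthly_spend": 5.0},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC token.

    The same input always maps to the same token, so joins and per-user
    correlations survive in the de-identified copy. Without the key the token
    cannot be recomputed from a guessed email, so keep the key with production
    secrets, never alongside the de-identified data.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def generalize_ip(ip: str) -> str:
    """Keep only a coarse network prefix (/16 for IPv4, /32 for IPv6), zeroing the host bits."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def generalize_geo(lat: float, lon: float, places: int = 1) -> tuple:
    """Round coordinates to one decimal place (roughly 11 km) so they no longer locate a household."""
    return round(lat, places), round(lon, places)


def deidentify(rows, key: bytes):
    """Produce the de-identified copy: tokenized user, generalized IP/geo, business fields untouched."""
    out = []
    for r in rows:
        lat, lon = generalize_geo(r["lat"], r["lon"])
        out.append({
            "user_token": pseudonymize(r["email"], key),
            "ip_prefix": generalize_ip(r["ip"]),
            "lat": lat,
            "lon": lon,
            "plan": r["plan"],
            "monthly_spend": r["monthly_spend"],
        })
    return out


def mean_spend_by_plan(rows):
    """Aggregate that analytics teams care about; it must be identical before and after."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["plan"]].append(r["monthly_spend"])
    return {plan: statistics.mean(v) for plan, v in groups.items()}


def leaks_direct_identifiers(original, deidentified) -> bool:
    """Check that no raw email or full IP from the source survives anywhere in the output."""
    raw = {r["email"] for r in original} | {r["ip"] for r in original}
    return any(str(v) in raw for r in deidentified for v in r.values())


if __name__ == "__main__":
    key = b"example-key-store-with-production-secrets"  # constructed for the demo
    safe = deidentify(PRODUCTION_ROWS, key)
    for row in safe:
        print(row)
    print("aggregates preserved:", mean_spend_by_plan(PRODUCTION_ROWS) == mean_spend_by_plan(safe))
    print("direct identifiers leaked:", leaks_direct_identifiers(PRODUCTION_ROWS, safe))
```

The two checks at the bottom are the ones worth keeping in a real pipeline: an aggregate-equality test proves the de-identified copy still answers the analytics questions, and a leak scan over every output value catches the common mistake of copying a raw field through under a new column name.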

This lets you focus on keeping your production data secure, while giving everyone else in your business the data they need without the identifying information they don’t, and you get to do all this while doing right by your customers. Win-win-win.