On Your IBM i Radar Now: CCPA
November 11, 2019 Alex Woodie
Companies in the United States were understandably hesitant to comply with a European law dictating how they collect and use data about customers, the General Data Protection Regulation (GDPR). But American companies won’t so easily overlook the California Consumer Protection Act (CCPA), a GDPR-like law that goes into effect in 2020.
According to HelpSystems' 2019 IBM i Marketplace study released earlier this year, 28 percent of IBM i shops adhere to GDPR. That was up significantly from 2018 (the year when GDPR went into effect), when just 12 percent of IBM i shops followed the law. GDPR was the regulation with the greatest number of followers, per HelpSystems.
When the CCPA becomes law on January 1 and goes into enforcement six months later, don’t be surprised if CCPA displaces GDPR as the most-followed data regulation among American companies. That’s largely due to geography and the disproportionate impact the state of California has on the United States economy.
The good news for IBM i shops (and any other impacted company) is that CCPA is very similar to GDPR in many respects. At a high level, both laws seek to give consumers much more control over their own data, including how businesses can collect, store, and process personal data.
Importantly, both laws require companies to gather and maintain the consent of consumers before collecting and processing their personal data. If a business doesn't have consent to collect and process personal data, it is violating CCPA (or at least it will be next year).
The definition of what’s personal data differs between the two laws (CCPA calls it “personal information,” but that’s just a quibble). But in general, any data that can personally identify somebody, including their name, aliases, physical address, IP and email addresses, and all manners of identification numbers (Social Security, driver’s license, and so forth) should be considered personal data or information.
In addition to bolstering the privacy of individuals when it comes to their data (or information!), both laws also contain provisions around security. While the wording of course differs between the two laws, experts say both essentially require personal data to be encrypted. Neither CCPA nor GDPR applies to data that has been anonymized or aggregated to the point where information about an individual cannot be drawn out of it. However, the CCPA does not apply to data that is publicly available, such as from government records, whereas GDPR requires government controllers to follow its requirements.
Both laws also carry hefty fines for violating the regulation – up to 4 percent of global revenues for violating GDPR, or $750 per incident for CCPA. The GDPR has a provision that’s become known as the “Right to be Forgotten.” The CCPA gives Californians a “Do Not Sell My Personal Information” option.
There are also significant differences between the two laws. For starters, CCPA protects the data rights of California residents, and imposes new regulations on any company that does business in California and has revenues above $25 million per year. There are exceptions to that revenue threshold: a company is also covered if half of its revenue comes from buying and selling data, or if it processes data on 50,000 or more individuals. Non-profit organizations are exempt from the CCPA, but they are not exempt from GDPR. You can read more about the differences between the two laws in "Comparing privacy laws: GDPR v. CCPA," which was published by the Future of Privacy Forum.
In a HelpSystems webinar recorded earlier this year, IBM i security experts Carol Woodbury and Donnie MacColl discussed the differences between the two laws and, more importantly, what it means to IBM i shops. MacColl, who is based in the United Kingdom, says CCPA is like a gentle nudge in the right direction, whereas he characterized the GDPR as “hitting you with a hammer.”
Just as GDPR spurred a surge of activity around data governance, security, and privacy, CCPA is expected to drive an uptick in these critical data management tasks. Considering that more than two-thirds of IBM i shops are not abiding by GDPR, it would seem there is still a lot of room for IBM i shops to improve their data management positions. HelpSystems is certainly positioned to provide a helpful “nudge” for CCPA compliance.
Another IBM i security vendor that's offering CCPA remediation solutions is Syncsort, which acquired Vision Solutions' high availability software business and has since branched strongly into security with the acquisitions of Cilasoft, Enforcive, and Townsend Security's encryption software.
If you're interested in learning more about how CCPA impacts IBM i, check out a webinar that Syncsort is hosting this Wednesday at 1 PM Eastern. The webinar, titled Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured, is being presented by Patrick Townsend, the founder and CEO of Townsend Security (which was not itself acquired by Syncsort).
ARCAD Software is also looking to capitalize on the CCPA with DOT Anonymizer, a recently launched solution that helps companies comply with regulations by automating many of the tasks involved with anonymizing data. DOT Anonymizer supports IBM i as well as many other platforms and database management systems.
IBM i shops generally are not the source of the abuses that led to these new data regulations. But IBM i shops, along with every other company that does business with one or more Californians, will be forced to comply with these new regulations, which in the case of CCPA is expected to cost $55 billion. We're in a new era now, and data privacy and security are no longer "nice-to-haves" but requirements backed by the force of law.