The California Consumer Privacy Act (CCPA) is a California data protection law that went into effect on January 1, 2020, with enforcement beginning on July 1, 2020. The goal of the regulation is to ensure that companies operating in California and processing the data of California citizens properly protect that data and provide certain rights to data subjects.
The requirements of the CCPA are fairly strict, and the California Privacy Rights Act (CPRA), a current ballot initiative scheduled to be voted on in November 2020, will build upon and expand the requirements of the CCPA if passed. Achieving, maintaining, and demonstrating compliance with the regulation can pose a significant challenge for affected businesses.
However, the requirements of the CCPA and CPRA only apply to data that can be used to uniquely identify an individual or household. Efforts to anonymize data, such as the use of tokenization, can help to reduce the burden that CCPA places upon businesses.
CCPA is More Than Just Subject Rights
The main takeaway most people have from the CCPA, and from similar privacy laws such as the EU’s General Data Protection Regulation (GDPR), is that these laws dramatically expand the rights of data subjects regarding their personal data.
In the past, companies could collect, store, and use their customers’ data more or less with impunity. Consumers largely lacked visibility into what data was being collected and how it was used. They also often lacked a means of pushing back against “inappropriate” use of their data.
The CCPA (and the GDPR before it) changed this. Within their jurisdictions, data subjects have the right to be informed of data collection and processing, to request a copy of their data, to withdraw consent for certain processing activities, and to instruct a company to delete all data that it has collected about them.
However, while this is a significant change from the status quo, it is not the only purpose of the GDPR and CCPA. Both of these laws are also designed to protect the privacy of customer data from external parties by forcing companies to properly protect this data. By requiring a company to put certain cybersecurity controls in place and reserving the right to levy significant fines for security incidents or regulatory noncompliance, these laws incentivize organizations to have strong cybersecurity and reduce the probability of a breach of sensitive consumer information.
The Challenges of CCPA Compliance
The CCPA is a step in the right direction and is generally a positive move for consumers. However, the need to comply with the requirements of the regulation places a significant burden upon affected businesses.
In order to maintain compliance with the CCPA, an organization must have:
Complete Data Visibility: Companies must know where protected data is in order to respond to a subject’s rights requests or detect a potential data breach
Full Data Control: Companies must be able to modify or delete customer data in order to comply with a subject’s rights requests
Comprehensive Data Security: Companies must have compliant security controls in place to secure protected data wherever it is located
While achieving all of these requirements within an organization’s network is possible, it can be difficult. Also, even the best-designed security still carries the risk of a data breach. Minimizing this risk requires minimizing the footprint of sensitive and protected data on an organization’s network.
Tokenization Enables Effective Data Anonymization
The requirements associated with the CCPA only apply to data that can be uniquely identified as belonging to a particular individual or household. Data that has been properly anonymized or deidentified does not carry the same requirements, making it easier for organizations to manage without violating regulatory requirements.
Most applications within an organization do not require access to protected data. A unique identifier for a user is as effective as a name or email address and does not carry the same impacts if it is breached. Similarly, a user’s address and financial data are only required by shipping and billing departments.
Tokenization enables an organization to replace protected data with unique tokens that can be formatted to fit the needs of a particular application. Since the mapping from a token to the actual data is stored only in a single database, a stolen token is useless to an attacker who does not also have access to that database.
This enables an organization to focus its data protection efforts on a single location in the network, rather than everywhere that a user’s personal data could be stored or processed.
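The vault-based scheme described above, as an added example that is not from the original article or from any tokenization product: tokens keep the shape of the original value, only named callers may reverse them, and removing the vault entry leaves every copy of the token unresolvable. The `TokenVault` class, its method names and the caller labels are assumptions, and the in-memory dictionaries stand in for the single protected mapping database.

```python
import secrets
import string


class TokenVault:
    """In-memory stand-in for the one database that maps tokens to values."""

    def __init__(self, allowed_callers):
        self._by_token = {}
        self._by_value = {}
        self._allowed = set(allowed_callers)

    @staticmethod
    def _shape(value):
        # Same length and character classes as the input, so the token fits
        # fields validated for the original format; separators are kept.
        return "".join(
            secrets.choice(string.digits) if ch.isdigit()
            else secrets.choice(string.ascii_lowercase) if ch.isalpha()
            else ch
            for ch in value
        )

    def tokenize(self, value):
        if value in self._by_value:  # one stable token per value
            return self._by_value[value]
        if not any(ch.isdigit() or ch.isalpha() for ch in value):
            raise ValueError("value has no characters to randomize")
        token = self._shape(value)
        while token == value or token in self._by_token:
            token = self._shape(value)  # retry on collision
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token, caller):
        # Only callers that need the real value (assumed labels) may reverse.
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._by_token[token]

    def forget(self, value):
        # Drop the mapping: tokens copied into other systems stop resolving.
        token = self._by_value.pop(value, None)
        if token is not None:
            del self._by_token[token]
        return token
```

Applications other than the allowed callers store and join on the token alone; only the vault holds the real value.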
Leveraging Tokenization for CCPA Compliance
Compliance with the CCPA and other data protection laws requires organizations to reconsider how they implement data collection, processing, and storage in their networks. Under the new rules, consumers have many more rights regarding their personal data. The stakes of failing to properly protect collected data are also much higher, with regulatory authorities actively investigating data breaches and reports of noncompliance and levying fines on offenders.
Scattering consumer data throughout the network and making it accessible to many applications expands an organization’s attack surface and makes managing subject rights requests much more difficult and complicated.
Taking advantage of tokenization enables an organization to restrict access to and use of sensitive and protected data to the applications that require it to perform their functions. This reduces an organization’s vulnerability to attack and simplifies the process of achieving, maintaining, and demonstrating compliance with the CCPA.