Staying ahead of evolving consumer privacy regulations

BrandPost
Apr 17, 2023 | 5 mins
Data Management

By 2024, consumer privacy regulations will encompass 75% of the global population. Complying with these regulations can be complicated. Stay ahead of evolving privacy regulations and learn how to better comply with them, now.


By Microsoft Security

When the California Consumer Privacy Act (CCPA) first went into effect in January 2020, it had far-reaching implications for the way businesses handle consumer data. Under the CCPA, for-profit businesses that do business in the state of California must disclose the personal information they collect, as well as how it is used and shared. Even more critically, the CCPA grants consumers the right to opt out of the sale of their personal information. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended the CCPA and expanded consumer data privacy protections, including a right to opt out of both the selling and the sharing of personal information. Most of those expanded protections only recently went into effect, in January 2023.

The data privacy landscape has only grown more complicated as subsequent regulations like the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and others follow, further broadening protections for consumer data. By 2024, privacy regulations will encompass the personal data of 75% of the global population.

Today, safeguarding consumer privacy is a deeply nuanced task that can vary widely depending on where your business operates, where consumers are located, your annual gross revenue, the type of data you collect or share, and more. For enterprise businesses, this has created an urgent need to stay ahead of changing laws like the CCPA while also maintaining a secure and compliant infrastructure. Keep reading to learn how.

Understanding the CCPA’s requirements

Regulatory bodies release more than 250 updates per day to current compliance regulations. So it’s no wonder that 25% of organizations don’t understand which regulations apply to them or what steps they need to take to ensure compliance.

While specific requirements vary from regulation to regulation, examining the CCPA is a great place to start when gaining a basic understanding of how consumer privacy works.

For example, the CCPA defines a business as “a legal entity that collects consumers’ personal information, determines the purposes and means of processing consumers’ personal information, and conducts business in the State of California.” However, to fall under the scope of the CCPA, your organization must also meet at least one of three thresholds: earn more than $25M in annual gross revenue; derive at least half of its annual revenue from selling consumers’ personal information; or buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices on an annual basis. Note that the CPRA amendments in effect since January 2023 raised that last threshold to 100,000 consumers or households and extended the revenue test to cover sharing as well as selling, so check the current statutory text rather than relying on the original 2020 figures.

Understanding how consumers’ rights are defined under the law is also critical. Under the CCPA, consumers have the right to know what personal information companies collect, store, or share about them. They also have the right to ask companies to delete that data. The CCPA additionally creates a limited private cause of action: a consumer can sue a business when certain nonencrypted and nonredacted personal information is exposed in a data breach that results from the business’s failure to implement reasonable security procedures. Other violations are enforced by the California Attorney General and, under the CPRA, the California Privacy Protection Agency, not by private lawsuits.

Other regulations, like the CPRA, further amend these rights by allowing consumers to correct their personal information and limit the use and disclosure of sensitive personal information. Sensitive personal information can encompass everything from a social security or passport number to precise geolocation data, a consumer’s racial or ethnic origin, or more.

What are your obligations under the CCPA?

So, knowing that consumer privacy regulations cover a broad swath of the population and can vary depending on where your business or consumers are located, what can organizations do to ensure they’re compliant?

First and foremost, you must understand your obligations. At a minimum, the CCPA requires that businesses disclose their practices around personal information. This disclosure must happen before the data is collected or at the point of collection. Businesses must also respond to consumer rights requests within 45 days, with the option to extend this response time by an additional 45 days as long as they notify the consumer. The CPRA takes this a step further by requiring that businesses minimize the amount of data they collect and retain. It also requires that businesses whose processing of personal information presents significant risk to consumers’ privacy or security conduct regular cybersecurity audits and submit privacy risk assessments as an additional safeguard.

At Microsoft, we focus on delivering a proactive defense-in-depth approach to data security and compliance. This helps to ensure organizations have multiple layers of protection that satisfy regulations like the CCPA.

The first stage is discovery. Organizations must understand how much data they have, where that data exists, and what kind of information is captured in that data. From there, we move to the protection stage, where organizations apply sensitivity labels, encrypt data, and enact additional safeguards to secure data against outside threats. Next is the risk management phase, in which organizations secure their data against insider risks using tools like automated security alerts and multifactor authentication (MFA). Finally, there is the loss prevention phase, which relies on data loss prevention (DLP) policies, increasingly AI-assisted, to stop sensitive information from being overshared.
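To make the discovery, labelling and loss prevention stages concrete, here is an added example (not Microsoft's tooling and not code from the original article) that scans a handful of constructed customer records for two categories of sensitive personal information named above, Social Security numbers and precise geolocation, assigns a sensitivity label, and then applies a simple DLP rule that blocks sharing labelled records with recipients outside an allow-listed domain. The record text, the label names, the regular expressions and the allow-listed domain are all assumptions made for the illustration; a real deployment would use the classifier and policy engine of whatever platform it runs on.

```python
"""Added illustration of a discovery -> label -> DLP pass over constructed records.

Not Microsoft's code. Patterns, label names and the allow-listed domain are
assumptions chosen for the example.
"""
import re

# Constructed sample records; no real individuals are described.
SAMPLE_RECORDS = [
    {"id": "rec-1", "body": "Customer John Doe, SSN 536-22-1234, lives in CA."},
    {"id": "rec-2", "body": "Order shipped to 94016; contact via newsletter opt-in."},
    {"id": "rec-3", "body": "Device last seen at 37.774929,-122.419416 on 2023-04-10."},
    {"id": "rec-4", "body": "SSN 000-12-3456 is a placeholder used in QA."},
]

# Discovery patterns (assumed formats; tune to the data you actually hold).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
GEO_RE = re.compile(r"(-?\d{1,2}\.\d{4,}),\s*(-?\d{1,3}\.\d{4,})")

SENSITIVE_LABEL = "Sensitive PI"
GENERAL_LABEL = "General"

# Assumed: the only domain to which Sensitive PI may be sent.
ALLOWED_DOMAINS = {"example.com"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA never issues so test placeholders
    (area 000, 666, 900-999; group 00; serial 0000) do not trigger a label."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def is_precise_geolocation(lat: str, lon: str) -> bool:
    """Accept only coordinate pairs inside the valid latitude/longitude range."""
    lat_f, lon_f = float(lat), float(lon)
    return -90.0 <= lat_f <= 90.0 and -180.0 <= lon_f <= 180.0


def discover(body: str) -> list:
    """Discovery stage: return the kinds of sensitive PI found in one record."""
    findings = []
    for m in SSN_RE.finditer(body):
        if is_plausible_ssn(*m.groups()):
            findings.append("ssn")
    for m in GEO_RE.finditer(body):
        if is_precise_geolocation(*m.groups()):
            findings.append("precise_geolocation")
    return findings


def label_for(findings: list) -> str:
    """Protection stage: any sensitive finding promotes the record's label."""
    return SENSITIVE_LABEL if findings else GENERAL_LABEL


def classify_all(records: list) -> dict:
    """Map record id -> sensitivity label for an inventory of records."""
    return {r["id"]: label_for(discover(r["body"])) for r in records}


def can_share(label: str, recipient: str) -> bool:
    """Loss prevention stage: block Sensitive PI going to non-allow-listed domains."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if label == SENSITIVE_LABEL and domain not in ALLOWED_DOMAINS:
        return False
    return True


if __name__ == "__main__":
    inventory = classify_all(SAMPLE_RECORDS)
    for rec_id, lbl in inventory.items():
        print(f"{rec_id}: {lbl}")
    for rec_id, lbl in inventory.items():
        for rcpt in ("dpo@example.com", "partner@other.org"):
            verdict = "allow" if can_share(lbl, rcpt) else "BLOCK"
            print(f"  share {rec_id} -> {rcpt}: {verdict}")
```

The placeholder SSN in `rec-4` is the edge case worth noticing: a naive regex would label it sensitive and generate false DLP blocks, whereas the issuance-range check keeps the inventory honest. The same structure extends to the other categories the CPRA lists (passport numbers, account credentials, racial or ethnic origin) by adding detectors to `discover`.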

As compliance deadlines arrive, a robust data retention and deletion strategy can no longer be treated as tomorrow’s task. The time to act is now: prepare employees for incoming “right to know” requests, map where consumers’ personal and sensitive personal information lives, and conduct business-wide privacy risk assessments.

Visit Microsoft’s Security Insider to learn how you can better comply with rapidly evolving consumer privacy regulations and check out our webinar on CCPA here.