Skip to main content
Data privacy regulations in the US have continued to evolve since the inception of The California Consumer Privacy Act (CCPA) regulation in 2020. Now, with the recent addition of Virginia’s new Consumer Data Protection Act, compliance teams are being forced to prepare for a patchwork of state laws.

On January 1, 2020, a new California regulation went into effect that pushed many unsuspecting enterprises doing business in the state into costly noncompliance while also introducing reputational risk and threatening their brands. The California Consumer Privacy Act (CCPA) granted new consumer rights related to data storage, use, and protection that were not yet seen to that degree in the US. Companies failing to comply with these rules could be fined up to $7,500 for each violation. Despite the potential impacts, a 2019survey by the IT security firm ESET showed how ill-prepared most enterprises were regarding the new compliance obligation:

  • Nearly half of all respondents had never heard of CCPA
  • More than 8 in 10 respondents did not know if the law even applied to their business
  • A third of executives were unsure if their organizations needed to change how consumer data was stored/processed
  • Nearly 1 in 4 respondents “didn’t care” about becoming compliant
  • More than half had not performed a risk assessment on cybersecurity within the past year

On March 2, 2021, just over a year after CCPA went into effect, Virginia became the second state in the country to sign its own data privacy legislation into law, with the Consumer Data Protection Act. States like Washington, New Jersey, and Utah are already considering enacting their own similar legislation, adding to what will surely become a patchwork of data protection laws across the country. 

The new Virginia Consumer Data Protection Act is not expected to take effect until January 1, 2023. Though, given the stakes involved with the CCPA in 2020 and the General Data Protection Regulation (GDPR) in 2018, the industry has already seen a broad lack of urgency around similar regulations. A DataGrail survey indicated that despite investing thousands of hours and being given a two-year head start, only half of the companies reported achieving compliance with GDPR, a similar data privacy regulation in Europe. Additionally, 70% of enterprises admitted the systems they were currently using to comply would not scale. When the pace of regulatory change is accelerating so rapidly, many enterprises are being caught flat-footed.

Don’t let regulations derail your ERM program |  Take the 17 question assessment
 

The below article, originally published in October 2020, continues to ring true into 2021 with more state-level legislation expected sooner than actions from Congress and a need for agile capability among compliance teams.

————————————————————————————————————————————————————————————

What the origin of CCPA tells us about what may be coming next

California’s passage of the first major consumer data privacy regulation in the US is somewhat surprising given the concentration of tech giants based in the state and the roaring economic engine that Silicon Valley fuels. Bob O’Donnell discusses this contradiction in the TechSpot article California Data Privacy Law Highlights Growing Frustration with Tech Industry. “So, what made California legislators willing to bite the hand that contributes so strongly to its coffers?” asks O’Donnell, rhetorically. “Incredible consumer frustration.” The dozen or so states with similar laws working their way through their respective state legislatures is a testament to just how widespread and strong this consumer frustration is.

Despite industry pleas for a single, comprehensive nationwide framework to reduce the compliance burden and standardize processes, partisan gridlock at the federal level makes this outcome seem unlikely in the near term. Nevada’s New Consumer Privacy Law Departs Significantly From The California CCPA describes a regulation that may soon be passed in that state. “The Nevada law differs from the CCPA enacted last year in notable ways, and could signal the coming of a patchwork of fifty-plus different data privacy standards across the country, much like the state data breach notification laws.” The prospect of a series of similar one-off state laws, each with significant differences from those of other states, is a nightmare scenario for compliance.

The need for agility in compliance

If the sluggish response to CCPA (and GDPR before it) are any indicators, the lack of agility demanded by constantly shifting compliance requirements may lead some firms into trouble. However, despite a large number of companies in the ESET survey currently ignoring the compliance ramifications of these laws, eventually, the alarm will sound. “When it does, and companies begin to see that the bill has real teeth, we'll see a mad dash for companies to become compliant. In the rush, many companies will trip over their shoelaces and make inevitable mistakes, just as we saw with the GDPR,” warns Ian Barker in Compliance struggles and more legislation -- privacy and data predictions for 2020.

Preparing for more than the CCPA

While taking basic steps to assess compliance with the CCPA is a necessary first step, preparing your organization to avoid this “mad dash” involves taking a wider view of not only compliance-related risks in this new environment but also how an inadequate compliance response can itself create other enterprise risks.

The pent-up frustration driving legislators to move quickly on new laws means that consumers care about data privacy issues. A lot. While a business may be able to handle the fines associated with non-compliance, the related ongoing reputational damage from being perceived as a company that doesn’t respect consumer privacy could be much harder to absorb. This creates implications beyond compliance including enterprise risk management (ERM), internal audit, and BCM/crisis management. CCPA noncompliance could be viewed by the public as a symptom of a much larger condition. That condition requires a fully-connected response across several departments.

No time for silos

In a rapidly changing, high stakes regulatory environment, a fragmented approach will be less effective than a flexible, integrated response. Attempting to monitor how successfully the organization is prepared for all the challenges associated with each new data privacy regulation depends on a coordinated effort, where critical data flows between all the groups that need it.

The promise of integrated governance, risk, and compliance (GRC) solutions is that a single system that can handle the interconnected nature of today’s risk environment and would provide organizations the big-picture view they need to make the most informed decisions possible and shift from reactive responses to proactive, strategic efforts. Although the CCPA (and similar future legislation) offers an ideal use case to demonstrate the benefit of an integrated solution, there is one more component necessary to live up to that promise.

Given the need to continually pivot to the next new compliance demand, manual processes and rigid legacy systems eventually run into scalability issues. The 70% of respondents in the DataGrail survey who indicated that their solutions couldn’t adequately handle an escalating regulatory environment points out just how low the ceiling is for a reactive, band-aid type of approach. Solutions such as Origami Risk’s Integrated GRC are designed to be flexible enough to handle today’s challenges (CCPA, for example) and adapt to whatever new compliance issues may emerge tomorrow, while also providing the entire enterprise with a way to stay ahead of the regulatory curve and protect hard-earned brand reputation.

Are you looking for ways to simplify compliance and better adapt to changing regulations?  Contact us to learn more about how Origami Risk can help make your operations more efficient, opening the door to next-level services.