Few entities strike fear into the hearts of organizations like regulators. Small oversights in data-handling practices, when collecting and processing customer data, can lead to lawsuits and fines that cost millions to address.  

Just over a week ago the California Consumer Privacy Act (CCPA) imposed its first fine and charged beauty product retailer Sephora $1.2 million for failing to inform customers that it was selling their data while claiming on its website that it didn’t sell personal information.

For enterprises, this first fine highlights that the regulatory landscape is becoming increasingly unforgiving, with more and more obligations to clarify to users how personal data is collected or processed.

Staying compliant under a mountain of regulations

The CCPA is just the tip of the iceberg when it comes to regional data protection regulations entering into effect in the U.S., including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act and Connecticut Data Privacy Act.

At the same time, the American Data Privacy and Protection Act (ADPPA) is also slowly traversing through the legislative system and, if passed, will implement a federal data protection standard.

With all of these new regulations entering effect, organizations are under tremendous pressure to reevaluate how they’re processing personal data, and the enforcement of the CCPA against Sephora highlights that these rules aren’t going away any time soon.

“This event shows that California takes privacy seriously and that the CCPA has the teeth to enforce the stated requirements. Every CISO that conducts business in California, or is subject to CCPA, should now consider themselves on notice that the statute is as real as other regulatory mandates and that they should act accordingly to get their house in order,” said Andrew Hay, COO at Lares Consulting.

Hay recommends that CISOs concerned about the CCPA review their policies with their legal and HR teams to verify their data collection procedures are in compliance with the regulation.

Data processing is becoming a high-risk game

One of the broader implications of the decision is the fact that data processing is becoming a high-risk game. While organizations are looking to better leverage and monetize data so they can compete in the market more effectively, these expansive processing practices leave the door open to compliance liabilities.

“Business leaders are tasked with finding ways to leverage data to create new revenue streams. Especially with the shift to remote work, permissive access and applications like Google Drive or Slack make it easy to access and spread information across a business,” said Yotam Segev, cofounder and CEO of Cyera.

“The people or teams involved may have believed they were permitted to monetize this data. How many businesses are prepared for this kind of action? Security and risk teams need a simple way to answer basic questions like: What data do I have? Where is it now? Who is accessing it? How should it be governed and secured?” Segev said.

If you can’t answer these questions on demand, then the chances are that your data protection processes are leaving you exposed.

Sephora may be just the beginning: Think carefully before selling user data

It’s not just companies like Sephora that have faced legal action due to selling customer data; Oracle is currently facing a class-action lawsuit for collecting, profiling and selling the data of more than 5 billion users.

Even collecting data incorrectly can be a costly decision, highlighted most recently after Meta settled a lawsuit for $37.5 million after it was accused of violating user privacy by tracking user’s movements via their IP address without permission.

In this regulatory environment, the margin for error for collecting and using data is slim, so organizations need to be much more proactive about what information they’re collecting, and ensuring that they’re doing so in a manner that’s secure and compliant.

One of the keys to doing this is to be honest and transparent about whether or not your organization is monetizing or selling personal data, and not trying to obfuscate this activity.

“It’s more common than not for a business to take the position that they do not technically ‘sell’ PII [personally identifying information] in the traditional sense, like a data broker as an example, and then refer consumers to one or all of the industry preference centers like AdChoices,” said Brian Mandelbaum, CEO of Klover.  

“Unfortunately, these options don’t meet the standards of CCPA. This is a giant wake-up call for adtech, data brokers and basically everyone in the community. I bet we’re going to see material uptick in privacy policy updates, do-not-sell-my-data links and disclosures in the coming months,” Mandelbaum said.  

Going forward, ensuring transparency over data collection and monetization processes is the key to maintaining compliance.

Ready to start driving outcomes?

We’re here to help. Ask us anything, or schedule a customized demo.