California Consumer Privacy Act (CCPA)

In case you didn’t know already, data is the new gold

Happy New Year!  And as of tomorrow (at least if you live in California) “the man” no longer has an assumed right to play fast and loose with your personal data.  Numerous articles have sprung up in the last fortnight discussing the California Consumer Privacy Act (CCPA), which can result in civil penalties of up to $7,500 per violation where personal data is wilfully misused without the consent of the person it belongs to.

What constitutes personal data?

Great question!  The list in the legislation includes (but is not limited to):

  • IP Addresses
  • Purchasing History
  • Biometric Data
  • Audio & Video
  • Geo-location Data

Sound familiar? Hands up who can spell Cambridge Analytica?! Note that the law is targeted at organisations that trade in wholesale volumes of personal data and/or generate revenues in excess of $25M per annum.

Interestingly for companies in the US, it makes economic sense to adhere to the Californian legislation and apply those standards country-wide. Can you imagine the IT infrastructure overhead needed to maintain one regime for Californians and another for the rest of the US? Organisations that are truly global in scale, and already do business in the European Union, have a head start here: the GDPR (General Data Protection Regulation) has applied since May 2018, so the processes and controls it demands should already be in place.


Here in the UK we are generally not known for our litigious nature, but GDPR has already been used to bruising effect, as British Airways can attest.

The Information Commissioner’s Office (ICO) is the government body charged with enforcing GDPR in the UK.  Did you happen to notice how the BA penalty was announced?  It went out as a statement to the London Stock Exchange.  The message is clear: the ICO views this as a failure of leadership, not an operational slip-up in the IT department.  Put that scenario in the hands of a US attorney (the CCPA gives consumers a private right of action for data breaches, with statutory damages of $100 to $750 per consumer per incident), and a “per person per data breach” litigation strategy could result in near-crippling costs for even the largest of organisations.

ISO – A way forward

So why would someone from the Software Asset Management (SAM) quarter be licking their lips at the prospect of seeing such legislation come into force?  Simply, it reinforces the case for SAM to be implemented in your company.  The standards for implementing good data management are ISO/IEC 27001:2013 (information security management systems) and ISO/IEC 27701:2019, which extends 27001 with requirements for a Privacy Information Management System (PIMS).  Both interlink naturally with ISO/IEC 19770-1:2017 (IT asset management systems), because you cannot protect data whose location and custodians you have not catalogued.

At a high level?  ISO 27001 is the dartboard of information security, and PIMS is the bullseye.  DO NOT go down the route of identifying the information that is vital to protect in your organisation, implementing ISO 27001, and then reinventing the wheel with a separate set of protocols for personal data.  The two systems should, in fact, be one, though you may well enforce different or stronger controls for personal data.

As with ISO 19770-1, identify what entities (contracts, wage statements, credit cards, licences) you are engaging with and the lifecycle that they traverse.  This will then help you rapidly identify the stakeholders that come into contact with those entities.  At that point, you can apply the Info Sec, PIMS, HIPAA, CCPA and SAM-based requirements around the aforementioned engagements.


Touchpoints between SAM and Info Sec are numerous, and the more immediate processes that spring to mind are:

Good IT governance is good IT governance, however you want to dress it up.

NB:  If you didn’t click on the British Airways link (above), then be aware that the ICO announced its intention to fine BA £183M (circa $240M USD).  Do you have that kind of a slush fund on stand-by in case your IT estate resembles the Wild West?

Integrate quality SAM with quality information and personal data security: reach out to SAM Charter today.
