Protecting Consumer Data

Data privacy laws such as the CCPA provide a framework for safeguarding customers’ personal information.

Businesses collect and evaluate vast amounts of customer data to identify opportunities for growth, personalize marketing campaigns, and improve their products and services. For decades, most consumers have willingly consented to this arrangement to gain access to broader marketplaces with discount pricing, better choice and more convenience.

However, abuses of this arrangement have led to increased calls for legislation to give consumers more control over what information is collected and how it is used. The California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020, was the first data protection law in the U.S. Virginia, Indiana, Wisconsin and Colorado have since enacted their own data privacy laws, and at least 38 other states are evaluating similar legislation.

Rising numbers of data breaches have contributed to calls for improved data privacy. Perhaps more troubling is the potential misuse of consumer data by the companies collecting it. Organizations often sell consumer data they collect to ad networks or data brokers, and they frequently make it available to researchers, marketing firms and business partners.

A Question of Trust

The Facebook-Cambridge Analytica scandal helped shine a light on poor data privacy practices. A 2018 investigation found that Facebook’s poor data protection practices allowed the political consulting firm to harvest the data of up to 87 million Facebook users. Cambridge Analytica then used the data without consent in efforts to influence the 2016 U.S. Presidential election.

Since then, consumers have grown increasingly suspicious of commercial use of their data. According to a recent KPMG survey of U.S. consumers, 86 percent said data privacy is a growing concern for them, 78 percent said they are uncomfortable with the amount of data being collected and 51 percent worry about it being sold. Nearly 90 percent said corporations should provide more transparency about their data protection processes.

“This split between business and consumer sentiment isn’t new, but its persistence shows that businesses have a long way to go to make the public more comfortable with how they are collecting, using and safeguarding data,” said Orson Lucas, KPMG U.S. Privacy Services leader. “Failure to bridge this divide could present a real risk of losing access to the valuable data and insights that drive business growth.”

Consumer Rights

One way companies can regain consumer trust is by demonstrating compliance with CCPA. The act places significant limitations on the collection and use of a consumer’s personal information, and it gives consumers certain rights over the data that companies collect from them. Even if these regulations don’t apply to an organization directly, they provide meaningful guidance for protecting sensitive business and customer data.

Although the CCPA is state legislation, it has global reach. It applies to any business that collects data from California residents — regardless of where the business is physically located. The CCPA and similar laws in other states specifically give consumers the following rights:

  • The right to know. Businesses are obligated to inform customers upfront that their personal information is being collected, what categories of information they are collecting and the purpose of the collection.
  • The right to disclosure. Upon receipt of a verifiable request from a customer, businesses must disclose what personal information they have collected on them in the previous 12 months.
  • The right to be forgotten. Businesses must delete customers’ personal data upon request, although there are some exceptions.
  • The right to opt-out. Consumers can ask businesses not to sell their personal information to third parties.
  • The right to equal services and prices. A business may not discriminate against consumers who exercise their rights under the CCPA by denying goods or services or charging a different price or rate for them.

Another piece of legislation, the California Privacy Rights Act (CPRA), will expand and modify key elements of the CCPA when it takes effect on Jan. 1, 2023. Among other features, it will impose data retention limits, broaden the definition of “sensitive data,” and impose new obligations for processing data.

Organizations that aren’t in compliance can be fined up to $7,500 per violation, costs that can quickly mount when you consider that data breaches typically involve thousands of unique records. Breaches can also result in civil lawsuits, damaged reputations and lost customers.

Implementing Controls

Data cannot be protected effectively without knowing where it resides. The first step is to discover where data is stored, how it is used and who can access it. Organizations can then begin to implement protections such as:

  • Encryption. It is important to encrypt both stored data and data in motion to prevent eavesdropping or data leaks. Using 256-bit encryption offers the best protection.
  • Access controls. Implement strong password policies, multifactor authentication and identity and access management solutions to restrict data access.
  • Traffic control. A session border controller helps secure the network edge, regulate traffic in and out of the network, and normalize signaling and media used in real-time communications.
  • Activity monitoring. Implement a security information and event management (SIEM) solution to collect real-time log data and identify suspicious activity.
  • Data anonymization. Techniques such as data masking and pseudonymization hide, remove or modify identifiers that could connect stored data to a specific individual.
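As an added example that is not part of the original article, the following Python code applies the masking and pseudonymization techniques listed above to a customer record: direct identifiers are dropped or masked, and a keyed hash (HMAC-SHA256) stands in for the customer identifier so records stay linkable for analytics without exposing who the customer is. The key, field names and sample record are constructed for illustration.

```python
import hashlib
import hmac
import re

# Secret used for pseudonymization. Keep it in a key management system,
# separate from the pseudonymized data set. Constructed placeholder value.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).
    Same input, same token, so one customer's records stay linkable; without
    the key the token cannot be re-derived by hashing a list of candidate emails.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: J***@example.com."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits, e.g. ***-***-0123."""
    digits = re.sub(r"\D", "", phone)
    return ("***-***-" + digits[-4:]) if len(digits) >= 4 else "***"


def anonymize_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of a customer record safe for analytics or sharing.
    The name is dropped, email and phone are masked, and a keyed pseudonym
    replaces the direct identifier so records remain linkable.
    """
    return {
        "customer_token": pseudonymize(record["email"], key),
        "email_masked": mask_email(record["email"]),
        "phone_masked": mask_phone(record["phone"]),
        "state": record["state"],
        "purchases": record["purchases"],
    }


# Constructed sample record, not real customer data.
SAMPLE = {"name": "Jane Doe", "email": "Jane.Doe@example.com",
          "phone": "(415) 555-0123", "state": "CA", "purchases": 3}
```

Rotating or losing the key breaks linkability, so key handling deserves the same care as the data itself.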
