Following the precedent set by the European Union’s GDPR (General Data Protection Regulation), which went into effect in May 2019, another landmark privacy regulation came into effect on January 1, 2020. The CCPA (California Consumer Privacy Act) aims to protect the privacy of consumers in the most populous US state, home to Silicon Valley and a multitude of tech giants. Many legal analysts anticipate that this law will pave the way for other US states to roll out similar consumer privacy legislation, which may in turn set the stage for federal legislation enforcing stricter data protection standards across the US.
The CCPA security and compliance requirements are likely to create a stir, just as the GDPR did. Let’s take a brief look at this new regulation and how bot mitigation can play a role in its compliance.
What is the CCPA and how does it differ from the GDPR?
At its core, the CCPA is a data protection policy that ensures the privacy rights of internet users in California are seriously enforced, and that consumers have the authority to control access to and use of their private data. Like the GDPR, its central focus is the data privacy of citizens.
Organizations that are GDPR-compliant may already satisfy most of the CCPA’s requirements. The CCPA does, however, contain its own specific guidelines, so being GDPR-compliant is insufficient on its own to claim CCPA compliance.
Why is bot management critical for CCPA compliance?
While preparing for organizational compliance with regulations such as the GDPR and CCPA, security and compliance teams may overlook technical vulnerabilities in their data transmission, processing, and storage infrastructure. Fraudsters can leverage these vulnerabilities and deploy bots to steal data from websites, mobile apps and APIs. The stolen data is often sold by cybercriminals on the ‘Dark Web’ or used illegally to commit fraud, theft or espionage.
Security and compliance teams should therefore identify every attack vector that bots could exploit, in order to protect consumer data from being scraped or stolen. As bot management specialists, we are frequently approached by enterprises to address potential gaps in their compliance preparations and mitigate such bot attacks. With the onset of the CCPA, we have also started partnering with organizations to insulate them from bot attack vectors and ensure their consumer data is protected.
Our threat research team has identified key threats which can potentially expose organizations to consumer data protection vulnerabilities, such as:
Account takeover: Using credential stuffing or brute force attacks, fraudsters expose private data to theft and other malicious activities.
Content scraping: Industries that handle significant amounts of personal user data (such as classifieds, financial services, media and publishing, and e-commerce) are at significant risk of exposing their users’ private information to bots.
Digital ad fraud: Both advertisers and publishers face serious bot threats in the form of behavioral cookies being scraped, or unprotected session data being stolen to uncover user identities. Without a bot protection system, critical data pathways will remain vulnerable to sophisticated bot attacks.
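The account-takeover threat above (credential stuffing and brute force) is one that defenders can spot in their own authentication logs before a bot management product is in place. The following is an added example, not Radware’s code or part of the original post: it scans a constructed stream of login events and flags the two patterns separately. The log format, the source addresses (taken from the documentation-reserved ranges), the window length and the thresholds are all assumptions chosen for illustration; real deployments would tune them against their own baseline traffic.

```python
"""Heuristic detector for credential-stuffing and brute-force login patterns.

Added example (not Radware's code). Two account-takeover signatures are
detected in a stream of authentication events:
  * credential stuffing: one source IP tries many distinct usernames in a
    short window, almost all of them failing;
  * brute force: one username receives many failed attempts in a window.
The log format, thresholds and sample addresses are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<ISO timestamp> <ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-01-01T10:00:01 203.0.113.5 alice FAIL
2020-01-01T10:00:02 203.0.113.5 bob FAIL
2020-01-01T10:00:03 203.0.113.5 carol FAIL
2020-01-01T10:00:04 203.0.113.5 dave FAIL
2020-01-01T10:00:05 203.0.113.5 erin FAIL
2020-01-01T10:00:06 203.0.113.5 frank OK
2020-01-01T10:05:00 198.51.100.7 victim FAIL
2020-01-01T10:05:01 198.51.100.7 victim FAIL
2020-01-01T10:05:02 198.51.100.7 victim FAIL
2020-01-01T10:05:03 198.51.100.7 victim FAIL
2020-01-01T10:05:04 198.51.100.7 victim FAIL
2020-01-01T10:05:05 198.51.100.7 victim FAIL
2020-01-01T10:10:00 192.0.2.9 alice OK
2020-01-01T10:10:30 192.0.2.9 alice FAIL
2020-01-01T10:10:45 192.0.2.9 alice OK
"""

# Assumed detection parameters (tune against real baseline traffic).
WINDOW = timedelta(minutes=5)        # trailing window evaluated per IP / per user
STUFFING_MIN_USERS = 5               # distinct usernames from one IP inside WINDOW
STUFFING_MIN_FAIL_RATE = 0.8         # share of attempts that failed inside WINDOW
BRUTE_MIN_FAILS = 5                  # failed attempts against one username inside WINDOW


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip blank or malformed lines
            continue
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def _trailing_windows(items, window):
    """Yield, for each item, the slice of items within `window` ending at it.

    `items` must be sorted by timestamp (element 0). Two-pointer sweep, O(n).
    """
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield items[start:end + 1]


def detect(events):
    """Return {'credential_stuffing': set(ips), 'brute_force': set(users)}."""
    events = sorted(events)
    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
        by_user[user].append((ts, ip, ok))

    findings = {"credential_stuffing": set(), "brute_force": set()}

    # Credential stuffing: one IP spraying many different accounts, mostly failing.
    for ip, attempts in by_ip.items():
        for win in _trailing_windows(attempts, WINDOW):
            users = {user for _, user, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= STUFFING_MIN_USERS and fails / len(win) >= STUFFING_MIN_FAIL_RATE:
                findings["credential_stuffing"].add(ip)
                break

    # Brute force: one account hammered with failures, regardless of source.
    for user, attempts in by_user.items():
        for win in _trailing_windows(attempts, WINDOW):
            fails = sum(1 for _, _, ok in win if not ok)
            if fails >= BRUTE_MIN_FAILS:
                findings["brute_force"].add(user)
                break

    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {sorted(hits)}")
```

Two distinct keys matter here: stuffing is keyed on the source IP and looks at how many different accounts it touches, while brute force is keyed on the account and ignores the source, so a distributed attack against one user is still caught. The benign user in the sample (one failed password between two successes) trips neither rule, which is the false-positive case worth checking whenever the thresholds are changed.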
Like the GDPR, the CCPA holds organizations liable for theft or loss of cookies and other ‘Unique Identifiers’ that can leak personal data without user consent. It is therefore important for organizations to protect their consumers’ personal information from being scraped by unauthorized third-party services that use user-identifiable cookies.
Just like the GDPR, the CCPA imposes large monetary penalties in the event of a data breach. Depending on the violation that occurred, penalties start at $2,500 per individual violation and can go up to $7,500 per violation. When personal data on thousands of users is breached, organizations could end up paying tens (or hundreds) of millions of dollars in penalties and related costs.
As a leader in security and data privacy, Radware strongly recommends that organizations execute a stringent data protection process and partner with a dedicated bot management solution provider to ensure data compliance, maintain their brand reputation, and to avoid potential fines and penalties.