The theater was filled to capacity with hundreds of professionals for a conference session about the California Consumer Privacy Act during the recent Advertising Week New York festival.
“You are the smart people who are paying attention,” said the speaker, Stephanie Hanson. “Everyone is trying to get ready for CCPA and get ready for January 1.”
Many organizations are scrambling, said Hanson, director of OneTrust Preference Choice, a platform that helps track compliance with data permissions. The law takes effect January 1, 2020 and enforcement won’t begin until July. But insiders warn that once enforcement begins, it will have a 12-month look back that will let regulators review past compliance, so the period before enforcement began is fair game.
Like the General Data Protection Regulation (GDPR) adopted by the European Union in 2018, CCPA is keeping privacy and security officers up at night. The new law will govern how companies handle data about California consumers and sets penalties of $2,500 to $7,500 per each violation.
CCPA “puts a big stick on the data breach reporting,” said Paola Zeni, senior director, global privacy at Palo Alto Networks. GDPR implies data has to be protected according to risk and that breaches have to be reported in a short timeframe, but CCPA creates a private right of action to individuals affected by a breach caused by a lack of reasonable security measures.
“The risk of litigation is really significant,” Zeni said, “also because of the provision of statutory damages.”
CCPA “is no GDPR lite,” warned Quyen Truong, a partner at the law firm Stroock & Stroock & Lavan. “Even companies that have tackled the GDPR have much more to do with the CCPA.”
CCPA expands the data set of GDPR by adding inferences drawn from the data in customer profiles to the scope of protection under the law and by including household data. So even if information is anonymized, “you need to be very careful,” Hanson said, adding that CCPA’s scope includes device identifications, not just actual user profiles, so “if I can track your device … that data is protected under CCPA.”
In addition to the private right of action in case of breaches, the law establishes four main rights for consumers: disclosure, deletion, opt-out and nondiscrimination. Disclosure has two parts: organizations have to inform consumers why they are collecting their data and what kinds of data they are collecting—“a little nod to GPDR,” said Hanson—and they also have to allow consumers to access that data. The rights to deletion and opt out allow consumers to request their data be erased and refuse to have their data sold, while non-discrimination bars organizations from treating those consumers differently.
The new law affects all consumer businesses that collect personal information and do business in the state of California. The law defines doing business as generating $25 million of more in revenue, working with over 50,000 data points—households, individuals or devices—or generate more than 50% of revenue from the sale of data. “A two-person startup in a garage that scrapes and sells data—is in scope,” said Hanson.
‘Put Yourself in a Defensible Position’
Furthermore, experts say the definition of “sell” is broad enough that it could interpreted to include both market research firms that broker customer data, as well as social media platforms and publishers that collect user data in exchange for access to their content.
That provision regarding the sale of data means companies have to map their flow of data. “There is a need to understand where data is going and why,” Zeni said. Security professionals need to have a handle on who their vendors are and revisit what reasonable security means for the organization.
“Revamp and confirm your security requirements are adequate, based on the amount and type of data you are processing,” said Zeni. “If there’s an incident, you’re accountable and if you’re accountable, you’re exposed.”
Organizations are struggling with compliance. In August, a survey by the International Association of Privacy Professionals (IAPP) found only half the businesses polled expected to be in CCPA compliance by January 1, and another third expect to be ready by July 1. More troubling: another 12% either have no timeline for compliance or no idea.
Critics have complained the law is vague and broad, and its provisions are still a moving target. California Gov. Gavin Newsom was still signing amendments to the law in October, further complicating compliance efforts, and the Attorney General regulation that is supposed to clarify issues is still in draft form.
“Compliance will be a continuing challenge for even the most prepared companies as the CCPA framework is still evolving,” said Truong.
The impact of CCPA could be as extensive as GDPR, because instead of requiring companies to only disclose the use of data, it requires them to allow consumers to opt out and remove it, said Jason White, EVP of CBS Interactive. The law opens up the potential for a wave of consumer requests, he told an audience during Advertising Week.
“If my mother comes to a website and sees a banner that says, ‘Don’t sell my data,’ she will absolutely click on it,” said White. “I think the opt-out rates will be much larger than people anticipate.”
Even those companies that complied with GDPR will require “significant uplift” to comply with CCPA, said Dan Frank, principal at Deloitte. CCPA requires an in-depth understanding and complete transparency with individuals about data collection, use and data sharing in each organization.
The ideal time to do a privacy audit and a data hygiene review was a year ago, when the law passed, but businesses can still do one to understand the risks they face and minimize them while updating practices. “The goal is to put yourself in a defensible position,” said Frank.
Don’t Leave It to the Lawyers
Security professionals “should really go back to the basics,” said Zeni. They should review where their organization’s data is housed, what data is considered sensitive under the law and “definitely do security audits. If you’re doing them, go back and document that you reviewed your controls,” she said. Security audits should be part of regular operations.
Additionally, companies should do vendor inventories, to see which third parties they share their data with. If there are thousands of vendors, identify the high-risk ones and send them a security questionnaire.
CCPA requires a significant update of data privacy practices in order to comply, according to Frank. It requires data disposal or destruction—another significant challenge when companies are collecting increasing amounts of data and keeping it indefinitely, sometimes in thousands of silos across the organization.
“It requires a massive investment in IT to establish the means to respond to those individual rights requests—erasure and do-not-sell,” said Frank. “The prospect of having to pull all that data to have it for an individual on request or delete it—how to do it in a reasonable amount of time? You can’t do it manually.”
Companies need to put the means in place to pull those data files and clean up data before sharing it, if they don’t want users to see conflicting information or errors on their files that could erode the company’s image with its customer. “You have to have people who can manage the workflow of those requests,” and review the data files for accuracy before they are sent out, added Frank.
Companies have to involve everyone from the board to frontline staff to identify and mitigate risks from the collection, use and sharing of consumer personal information, Truong explained. Business units need to work with IT and cybersecurity teams, under the guidance of counsel, because of the ambiguous requirements and high liability exposure in the law. Tracking and controls over the use of consumer data in relationships with vendors, partners and customers could require significant changes to those arrangements and could even change the business model for some organizations.
“You cannot work on this alone and you can’t let your lawyers work on this alone,” said Hanson.
“A huge part of being CCPA-ready is organization change management,” said Frank. “The things CCPA and other state laws require is a change in the business” and you can drive that change through training, periodic communications of performance and reviews.
The final irony in the California law is that it may give a push to efforts to establish data regulation nationwide. At least half of U.S. states have some sort of data law on the books, according to the National Conference of State Legislatures, even if there is no federal legislation.
In the wake of CCPA, “we’re seeing a change” among U.S. companies that previously didn’t go along with the idea of data privacy legislation, said Frank. “Because of CCPA they are now endorsing a federal law, so there’s only one.”
Zeni was skeptical that a federal law will pass in the current political climate but did agree the California law may become the nationwide standard by default, much like the state’s tough emission standards affected the auto industry.
But in the meantime, the finish line keeps moving. Alastair Mactaggart, the real estate developer whose efforts led to the CCPA, proposed another data privacy ballot initiative for the 2020 election. Among other measures, it would toughen enforcement and increase some of CCPA’s penalties.
“We have a hanging sword over our heads,” Zeni said.