We had a great turn-out for this week’s webinar focused on data privacy. The reason is clear: the California Consumer Privacy Act (CCPA) is just around the corner – along with a variety of additional privacy bills introduced by other states – forcing firms to address a patchwork of potentially contradictory state privacy laws, making pretzels out of existing compliance policies. Given that several major firms headquartered in California are perpetually in the news for a variety of questionable privacy practices – namely, Facebook, Apple, and Google – interest in this topic is quickly escalating, reaching similar levels to pre-General Data Protection Regulation (GDPR) implementation days in the European Union.
However, how privacy is managed by consumer-oriented firms that have ad-driven business models is one thing; and how privacy is managed by firms that face industry-specific regulatory compliance obligations is another. Capturing and retaining communications content to satisfy regulatory obligations appear to be at odds with these new privacy mandates. This is the dilemma we focused on in the webinar that I will summarize here, and you can listen to the recorded version for a specific overview of the provisions of the CCPA.
Lessons from GDPR
The CCPA is frequently referred to as “California’s GDPR” as it contains many similar rights and responsibilities, so we began the webinar with a quick recap of what has been learned from the implementation of the GDPR in the EU over the first year. Our GDPR expert Shaun Hurst covered the basic GDPR framework, including pillars that are similar to the CCPA and several other bills introduced in other states. These pillars include citizen’s Rights of Inquiry (Article 15), Rights of Erasure (Article 17), Right to Restrict Processing (Article 18), and the need to demonstrate Privacy “By Design and Default (Article 25), which have been covered in several webinars last year:
The common essence: citizens have the right to inquire about how their personal data is used, and have the right to receive a prompt response from those who collect the data within a specific timeframe. If data is being used in ways other than what the citizen has consented to, the processor is required to delete that information. Data collectors are also required to demonstrate that they have security and privacy protections in place to minimize the possible breach or misuse of citizen data.
Because of their similarities, it is a fair question to ask “What have we learned from the first year of GDPR?” Shaun addressed that question with the following:
- In the first year, 281,088 cases were logged by EU citizens
- Fines have not been limited to those directly imposed by privacy regulators, but often led to additional sanctions and settlements, for example:
- Facebook received a £500,000 pound fine by the British regulatory body ICO, which was followed by a $5B settlement with the FTC for privacy violations
- Google was fined €50M, followed by a $22M FTC settlement for violating consent regarding ad personalization
- Data breach remains in the regulatory spotlight, including high profile cases; $700M FTC settlement with Equifax , Marriott’s £99M fine, along with a £183M fine imposed on British Airways
- As one might expect, we’ve talked with quite a few organizations that spent a good chunk of last year mapping potential locations of personal information, updating consent policies, and ensuring that they and their service providers are able to respond to citizen inquiries within the required timeframes. As this last point is dependent on well-performing IT systems, satisfying the Right of Access requirements was a common thorn arising for many that continue to rely on outdated, legacy technologies.
So, what does this mean for CCPA?
First, while there are many similarities with GDPR, there are a few key differences, namely:
1) CCPA’s narrower definition of whose data is covered (e.g. California residents and those temporarily residing outside of the state versus “data processors” or “data controllers” under GDPR),
2) CCPA’s broader definition of “personal data” to include information that can be associated with specific individuals (such as devices and pseudo-anonymized data),
3) A “look back” requirement that would require firms to respond to requests within 45 days, where requests can reach back 12 months prior to the request.
With an enforcement date of January 1, 2020, and final refinements due before July 1, 2020, that would mean that firms need to be prepared to identify and produce information that is being generated at this very minute. Given the presence of legacy technology and the Right of Access response challenges under GDPR, well… you get the point.
Applying the lessons learned from GDPR to CCPA would appear to be an (arguably) manageable task, but CCPA unfortunately exists within a complex fabric of unique enacted and proposed privacy laws in individual states, each with its own individual areas of emphasis including biometric data, ISPs, social media, information belonging to minors, and more. Simply examining the core GDPR pillars of Right of Access and Right of Erasure will likely require reconciliation of specific provisions in bills introduced in Connecticut, Hawaii, Maryland, Michigan, New York, Pennsylvania, Rhode Island, and Texas. This, on top of a global landscape of over 20 specific country data privacy, security, and locality statutes, means that the task is no simpler for multi-nationals.
What can firms do now?
Data privacy is akin to several freight trains rolling down several tracks, in some cases accelerating, in others appearing headed toward inevitable derailment. Absent a traffic controller at the Federal level, firms can nonetheless prepare for an increased focus on data privacy by starting with a few simple steps:
- Understanding your data: Given the growing complexity and variety of communications and collaborative data, ensuring that data mapping exercises includes all sources, the specific features available within each, and who is specifically using these tools will establish a good foundation in exploring how privacy controls (whether defined by policy alone or in combination with enforcement and technology) can be implemented, and where gaps exist;
- Update policies to reflect all sources used for business purposes: in addition to consent policies, ensuring that communications policies are current and reflecting how personal data should be managed is central to any privacy mandate;
- Train employees on CCPA requirements: In advance of July 2020 final implementation, providing users and data managers with an overview of CCPA requirements and introduction to your Chief Data Privacy executive will provide an important signal to your organization of how seriously you are prioritizing this topic – and can remove ambiguity of the consequences of potential policy violations;
- Tune oversight processes to reflect higher risk areas: on-going inspection of content for personal information should not only focus on IT controlled systems, but those where rules and oversight may not have been extended yet (for example, newly deployed collaborative tools like Slack or Microsoft Teams);
- Leverage AI/surveillance to uncover dark data locations: Data privacy is a terrific use case for advanced analytics and surveillance technology to extend your oversight processes into areas that cannot be uncovered by policies or lexicons
And, as noted earlier, these steps should be extended to your cloud service providers – to ensure that they are capable of enforcing policies for any geography that is storing data subject to privacy regulations, that they can restrict access to data to those individuals with understanding of specific privacy mandates, and that they can provide certainty that they can help you fulfill Right of Access requirements within the required time periods. Those providers built with data privacy by design and default will help separate those that see data privacy as an area of differentiation and enabler of innovation from those that don’t.
Latest posts by Robert Cruz (see all)
- 2020: Extending the Vision of Supervisory Review - January 14, 2020
- Where’s the Future of Records Management? Everywhere. - October 18, 2019
- Discovering the gaps surrounding collaboration, mobility and AI - October 7, 2019