CCPA: Where We Go From Here
We’ve spent some time on this blog discussing the intricacies of the California Consumer Privacy Act (CCPA), and how companies should prepare for its start in January 2020. An equally important exercise is looking to the future of not just CCPA, but data privacy laws more broadly. It’s likely that CCPA will be just the first of multiple data privacy laws in the United States, and this potential patchwork of state laws may spur the federal government to develop a nationwide standard.
So what’s next? Read on to learn to learn what data privacy experts are saying and how CCPA may evolve in the coming years.
GDPR: One Year Later
One way to see the future of CCPA is to look at how the European Union’s General Data Protection Regulation (GDPR) has fared since its enforcement date of May 25, 2018. While CCPA and GDPR have some baseline differences, both impose penalties on companies that fail to protect consumer data.
According to a report from DLA Piper, there were 59,000 reported data breaches in the EU during the first nine months of GDPR enforcement. While this number sounds shocking, it shows that many more companies are actually coming forward and being transparent. Under the law, companies that do not disclose breaches the public are subject to additional fines if caught. DLA Piper says that hiding data breaches “has become a high-risk strategy under GDPR.”
During this same period, 91 GDPR-related fines were issued to organizations operating within the EU. While most of the fines were relatively small, Google was given a €50 million fine by the French privacy authority. The company was accused of processing personal data for advertising services without prior authorization.
While Google’s fine seems out of the norm for now, that may change as more jurisdictions increase their enforcement efforts. A paper from the National Bureau of Economic Research suggests so far, GDPR has weakened startups and small businesses while strengthening large enterprises. The researchers’ reasoning was based on an observed drop in venture capital investment in Europe after the law began to be enforced.
Citing this paper in her March 2019 testimony to a Senate Judiciary Committee hearing on GDPR and CCPA, University of Arizona law professor Jane Bambauer said that “CCPA is likely to cause similar effects…even after a painful transition phase, the law will cause long-term drag on innovation.” The authors of the NBER study did note however, that their research is limited and the results may change as GDPR becomes more established law.
One of the biggest criticisms of CCPA is how hastily it was put together. In an effort to prevent a voter referendum from being added to the ballot, the California Legislature quickly passed a law that contains errors and inconsistencies. To correct these issues, the law must be amended by September 13, 2019 to align with the law’s start date of January 1, 2020. In essence, CCPA must evolve before it can even begin.
The following are a few proposed CCPA amendments that are still pending in the California Legislature:
- AB-25: Redefines the term “consumer” to exclude employees, job applicants, and contractors.
- AB-846: Voluntary customer loyalty or rewards programs are exempt from the nondiscrimination section in the law.
- AB-1146: Allows motor vehicle dealers to share consumer information with vehicle manufacturers for issues related to recalls and warranties.
- AB-1564: Companies can receive consumer requests via email in addition to physical mail and phone calls already provisioned in the law.
Changing the Lens
All of the tinkering with CCPA to make it more consistent and coherent may still not solve the underlying issues around consumer data and privacy. During the same Senate hearing mentioned earlier, Michelle Richardson, Director of Privacy and Data at the Center for Democracy and Technology said that there was a fundamental problem with how GDPR and CCPA are framed. She said the burden of privacy protection lies too heavily on the consumer.
“It is one thing to ask an individual to manage the privacy settings on their mobile phone; it is another to tell them they must do the same management for each application, social network, and connected device they use,” Richardson said in her testimony. “Privacy self-management alone is neither scalable nor practical for the individual.”
While the “notice and consent” model is meant to provide consumers with more agency, Richardson notes that there are situations where an individual can’t just simply “opt-out.” For this reason, she recommends a strong federal law that would require companies to “publish detailed disclosures of their data practices.” In addition, she recommends that the Federal Trade Commission (FTC) be given more authority to enforce existing and future privacy laws.
Changing Business Practices
Regardless of whether the federal government takes legislative action on data privacy, the far-reaching nature of CCPA will change policies for companies around the country.
Employee Behavior and Access
According to a PwC study, current employees are the top source of a cyber security incident. Notably, one of the first GDPR-related fines was handed out to a Portuguese hospital where some employees had inappropriate access to the entirety of patient files. One way to stay compliant with data privacy laws begins knowing which employees have access to personal data and regularly reviewing and revising privileges.
Many large companies have incorporated a zero trust IT security model that requires authentication and authorization for every individual and device requesting access from inside or outside of a network perimeter. This model is based in the idea that you can’t (and shouldn’t) trust a user simply because they are inside of the network or have a predetermined credential. In addition, zero trust security utilizes least privilege access, meaning that users are only allowed to access as much information as their position requires. This limits the amount of personal information that any one person can see.
Data-Dependent Third Parties
So what does CCPA mean for companies that depend on consumer data for marketing, advertising, and lead generation?
Some see the situation as dire. Writing in AdAdge, Ray Kingman, the CEO of Semcasting, a data broker said CCPA would stifle innovation and allow data to be controlled by just a few large companies.
“Privacy is important,” he wrote. “But privacy that cripples marketing deals a substantial blow to consumer choice because it limits the use of personal information to only those who already have the leverage to demand consent.”
Gabriel Wineberg, the founder and CEO of search engine DuckDuckGo, has a different take. He also testified at the March 2019 Senate hearing and opined that data privacy laws were good for digital marketers and advertisers. He argued that these laws actually spur innovation by prodding companies to think beyond advertising tactics that are simply based on following consumers around the web. He also noted consumers will be more inclined to work with companies that have robust privacy policies in place, stating, “data privacy is the most pressing issue on Americans’ minds.”
Be Compliance Ready
In a time of compliance uncertainty, it is more important than ever to use systems that are flexible and secure. We have previously written a checklist on preparing for CCPA, but the future will certainly bring with it changing requirements.
At MetaRouter, we have designed our Enterprise Edition specifically for organizations looking to stay on the forefront of compliance through agnostic private deployment and robust data conditioning. If you are ready to up your data infrastructure game to the next level, shoot us a message—we’d love to chat!