Six top concerns of CCPA compliance

April 29, 2019
Lack of clarity, muddled compliance requirements and confusing consumer rights plague pending legislation

In June 2018, California passed a far-reaching data protection and data privacy law — the California Consumer Privacy Act (CCPA). It will regulate how businesses gather, handle and process the personal information of California consumers in order to address the increasing need to protect individual privacy.

The CCPA does not become effective until January 1, 2020 — but as of that date, consumers will be able to require organizations to provide all personal data they have collected about them during the preceding 12 months. That means that organizations need to ensure they have a CCPA roadmap — ideally, by the first of this year, but certainly no later than January 1, 2020.

As you work on your CCPA compliance plan with business stakeholders and legal counsel, you should be aware that the legislation is far from clear. Here are six aspects of the CCPA that will require particular attention.

#1. Lack of clarity about who must comply 

The CCPA applies to any organization that meets one or more of the specified criteria. Those criteria seem clear — except for one that requires compliance from any organization that receives, sells or shares “the personal information of 50,000 or more consumers, households, or devices.” 

How should businesses count consumers, households and devices? If an individual logs in to a website from their laptop, their smart TV and their smartphone, does that count as one consumer, three devices, or one consumer plus three devices? And what if multiple family members log in from a shared device using different accounts? There is no way to answer these questions confidently. Most likely, the decision will be up to your senior management and compliance professionals. 

#2. No guidance on how to verify consumer requests

Consumers have the right to request their data be deleted, as well as the right to know what data is being collected, the purpose of the collection and with whom it is shared. Since someone might impersonate a consumer in order to obtain their personal information for use in fraud schemes, the CCPA requires businesses to “promptly take steps to determine whether the request is a verifiable request” — but it provides little guidance on what steps are necessary and reasonable. Moreover, it requires them to respond to requests within 45 days. Under that pressure, businesses with few compliance resources might fall prey to fraud in their rush to respond.

#3. No definition of what constitutes reasonable security procedures and practices

The CCPA gives consumers the right of action if their “nonencrypted or nonredacted personal information” is improperly accessed, stolen or disclosed “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” But beyond the mention of encryption and redaction, there is no definition of what measures are “reasonable,” so, again, you must work with your management and compliance experts to determine how to proceed. 

#4. No explanation of what’s required to “cure” a consumer’s complaint 

Consumers who believe their PII has been mishandled in violation of the CCPA must provide the organization with 30 days’ written notice before taking legal action. The company can avoid damages by curing the violation during that 30-day period. That’s a good thing for businesses, especially smaller ones that are new to compliance. However, CCPA does not define “cure” or specify how regulators will determine whether a given response addresses the violation fully.

#5. Limitations on a consumer’s right to deletion

The CCPA grants consumers the fundamental right to delete their data — but there are many restrictions. For example, the right applies only to data collected from the consumer and not to data about the consumer collected from third-party sources. Thus, to erase all their personal information from the repositories of a given company, a consumer must track down all the third parties the company might be working with. Good luck with that.

In addition, the CCPA exempts organizations from complying with a request to delete data for a host of reasons, such as if that data is necessary to exercise free speech or another legal right; comply with a legal obligation; serve the public interest; or perform a contract between the business and the consumer.

In fact, the list of exceptions is so broad that companies can come up with legitimate excuses not to delete data at all. Since that renders the right of deletion nearly meaningless, the Attorney General could very well tighten the exceptions. Therefore, businesses need to be ready to comply with the deletion right as written but also be prepared for changes.

#6. Potential overlap of data protection laws 

The abovementioned complexities and uncertainties of the CCPA are enough to keep IT and security pros busy for quite some time. But there’s more. The CCPA is just one of many data protection laws on the books or in the works. There is the GDPR, of course, and New York and Colorado have recently enacted privacy laws as well. As concerns about data privacy continue to grow, organizations will likely have dozens of different yet overlapping local, state, federal and international laws to juggle, each with its own provisions that lack clarity. As a result, ensuring and proving compliance will become even more burdensome. 

Despite these concerns, there is a silver lining: the CCPA and related laws are an encouraging sign that the U.S. is taking steps toward enforcing a privacy-conscious approach to doing business. 

About the Author:

Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software.