A year and a half ago, the General Data Protection Regulation (GDPR) — the world’s most far-reaching data privacy regulation — came into effect across the European Union. At the time, many affected companies both in and outside of the EU were caught unprepared, but the regulation did bring in changes in how data privacy was handled at many organizations and likely inspired future regulations.
Next up: the California Consumer Privacy Act. The final round of amendments for the CCPA finished in September, and the law takes effect on Jan. 1, 2020. When that happens, the same scenario that saw GDPR arrive with many organizations still unprepared looks likely to repeat itself. According to research from eMarketer done in July 2019, only 8% of U.S. businesses said they were prepared and only 34% said they expected they would be before the regulations came into effect.
The last round of changes to the law did give some reprieve to those who find themselves unprepared. The amendments to California’s data privacy act narrowed the scope of the law, focusing its regulation more tightly on consumer-facing activities, said Aaron Shum, practice lead in security, risk and compliance at Info-Tech Research Group.
“Many businesses scrambling to prepare for the CCPA are breathing a sigh of relief to the slightly relaxed definition of personal information, as the various exemptions and considerations introduced to align CCPA towards consumer rights rather than general privacy rights,” Shum said.
But the law’s provision for sanctions — including enforcement actions from the California attorney general on non-compliance and limited individual right of action for data breaches — remains, Shum said. Affected businesses need to prepare immediately, he said. Here’s a look at what that means.
Is the Enterprise Ready?
Who are those affected businesses? The definition is broad, which means the impact will be significant.
“The California Consumer Privacy Act will have a tremendous impact on the enterprise space by regulating enterprises that touch personal data, which is broadly defined,” said Dan Wu, a privacy counsel and legal engineer at Immuta. The CCPA doesn’t only affect consumer data, Wu said, but also the data of households and devices, pulling in a huge amount of information under the regulations.
“As a result, more companies that meet the CCPA's eligibility criteria will start by assuming personal data is regulated and focus their attention on collecting, managing, using it more safely,” Wu said.
But it looks like most companies won’t be fully compliant by the time California’s data privacy act takes effect, said Ilia Sotnikov, vice president of product management at Netwrix. “According to the white paper by IAPP [International Association of Privacy Professionals], only about 1 in 4 businesses are prepared for CCPA and just over half will be ready by January,” Sotnikov said. The result of that lack of preparation could be data breaches and high fines, he said.
The IAPP numbers are better than eMarketer’s findings, but still below what is needed. Many businesses remain behind the curve, but those that were subject to GDPR will have an advantage in readiness — though there are nuances between the two frameworks, said Steven O'Donnell, the head of Legal Operations at Mitratech.
Whatever the actual numbers, the takeaway is that many organizations are behind on preparation, with some so far behind that they cannot get ready in time. This echoes what we saw in enterprise readiness ahead of GDPR’s implementation in the EU, Wu said.
“The CCPA will affect a large number of businesses that gather personal data to provide personalized services to the consumers or commodify consumer data but never dealt with other compliance regulations, such as HIPAA [Health Insurance Portability and Accountability Act], PCI DSS [Payment Card Industry Data Security Standard], GDPR and the like,” Sotnikov said. “They will have to adapt on the fly.”
Wu predicted that automation will be a key part of dealing with the CCPA for enterprises, due to the complexity of their obligations under the law. This is likely to fuel the continued growth of the privacy tech market, he said — a market that saw its first unicorn in OneTrust emerge just this past year.
“The entire data privacy topic continues to evolve, but it is certain that legal and compliance teams across the country are rapidly approaching an inflection point where data privacy becomes a bigger consideration within their strategies,” O’Donnell said.
With the CCPA’s implementation still more than a month away, there is already talk of a new version of the legislation that would give it additional teeth. The group responsible for the ballot initiative that resulted in the CCPA has filed a new ballot initiative for a California Privacy Enforcement Act that broadens the privacy requirements.
The changes proposed for such legislation so far are likely to make it even harder to comply with, Wu said.
“For instance, CCPA 2.0 involves additional consumer rights, business obligations over notice and ‘sensitive data,’ and an executive agency tasked with enforcing the regulation — thus making enforcement more likely,” he said.
However, some of the potential changes could improve the law, Wu said. For example, if the definition of de-identification is clarified to move closer to the Federal Trade Commission’s definition — one businesses are more familiar with — the enterprise strategy for exempting data from the CCPA’s scope could be clarified, he said.
There are upsides to the CCPA as it currently stands as well, Sotnikov said. It encourages businesses to regularly audit the data they collect and increase transparency, which can cut costs on data processing and storage by removing unnecessary data, increase visibility into business processes for further optimization and improve the findability of data not just for compliance purposes but for more efficient business operations, he said.
The CCPA should also help bridge the gaps between lawyers and technologists, Wu said. “Paired with the right cultures, strategies and roles (like ‘legal engineers’), new technologies can help overcome gaps to further compliant and ethical analytics,” he said.
Sotnikov does see the California legislation as a precursor to a national data privacy standard in the United States in the coming year. It would echo the GDPR scenario, he said, where scattered local laws became an EU-wide regulation.
Wu agreed, citing at least a dozen similar regulatory proposals at the state level. It’s hard to argue that the CCPA is directly responsible for those efforts, he said, but taken together they all represent larger social concerns over data collection and use.
“Awareness of how data can be misused to harm has heightened after Facebook's Cambridge Analytica [data scandal], before which Facebook's CEO believed ‘privacy was dead,’” Wu said. “In stark contrast, Mark Zuckerberg now believes ‘the future is private.’”