Steps to Prepare for California’s New Consumer Privacy Act of 2018

[Please Note: The following post is a broad overview of a consumer’s key privacy rights and not legal advice; work with your internal counsel to patch gaps between the GDPR and CCPA as needed.]

Imagine you’re a company with 1,000 customers and one day, your customers sue you for data security breaches totaling $750,000. Next week, you and your organization face a class action lawsuit for privacy violations totaling $10,000,000.

The California Consumer Privacy Act of 2018 (“CCPA”), taking effect on January 1, 2020, makes this scenario possible very soon.

For each data breach under the CCPA, an eligible customer (i.e. California resident) can demand up to $750. For each violation of a CCPA provision, an eligible customer in a class action can obtain up to $10,000 if the CA Attorney General declines to prosecute and your business does not cure its violations within 30 days. CA – the most populous state in the United States – joins other states with data privacy laws, including Vermont, Colorado, New Jersey, and Washington, in leading data regulation.

While organizations can build on their GDPR efforts to be in accordance with new CCPA rules, meeting GDPR laws by itself does not mean an organization meets CCPA rules. Organizations should consider these three steps to prepare for the CCPA.

First, determine whether the CCPA applies to your business. If your company is small enough or does not deal with CA residents, the CCPA may not apply.

  • Does your organization meet the eligibility threshold? Over half a million companies are likely affected. The CCPA regulates companies that meet any of these three conditions: (1) achieve gross revenues that exceed $25 million, (2) sell data on over 50,000 consumers in any single year, or (3) derive at least 50 percent of their revenue from selling consumers’ personal information (see Section 1798.140(c)). In contrast, the GDPR affects all organizations, including non-profits, that are established in the EU or offer goods or services there.
  • Does your organization deal with CA residents? The CCPA defines a “consumer” as a California resident – a person who intends to reside in CA for the long term (see Section 1798.140(g)). As a result, this includes those who live in other areas, but intend to come back to CA for the long term.
  • Does your organization collect personal information (PI) on CA residents? Given the broad definition of personal information in the CCPA, the answer is likely yes. The CCPA regulates “any information” relating to a person or household (Section 1798.140(o)), as well as, going beyond GDPR, data from devices and inferences drawn from other information to create a profile about a consumer. As a result, the CCPA even regulates data that is not linked to a name, such as a household’s water consumption. Limited exceptions apply. For instance, the CCPA excludes information that is publicly available (Section 1798.140(o)(2)) or created due to conduct entirely outside of CA’s borders (Section 1798.145(a)).

Second, coordinate with your company’s existing GDPR efforts. If Capgemini’s survey is correct, you’re like the other 85 percent of firms that did not fully meet the compliance requirements on time. While GDPR compliance helps with CCPA compliance, there are major differences, as the table below illustrates. For instance, note that the CCPA has the right to equal service and mandates businesses to include communication channels for their users to opt-out of data sharing.

| Right | CCPA | Compared to GDPR |
|---|---|---|
| Big picture difference | Focus on consumer rights, especially disclosure and transparency. While it has heavier prescriptions on some, unlike GDPR, it’s missing a few rights, such as the right to rectification and object. | While GDPR also delineates consumer rights, it’s much more comprehensive. It also prescribes data practices, such as retention and encryption policies and the appointment of data protection officers. |
| The right to information and access | Companies must proactively disclose access rights and the categories of PI, their purposes (and be notified if companies diverge from that purpose), and categories of third-party buyers for the prior 12 months. Consumers can also request this data for the preceding 12 months. Must include communication channels for these requests, including a toll-free number and online form. | Similar under Articles 15 and 20. The CCPA has (1) less strict response time – the GDPR requires “undue delay,” while CCPA requires 45 days; (2) broader access rights, while GDPR has more exceptions, such as withholding data that would implicate the privacy interests of third parties, and (3) more prescriptions, such as required communication channels for requests. |
| The right to information and access (Third Parties) | Businesses that sell PI to third parties must enter into written agreements with that party, who can then only use the data for the purpose of the contract. A third party that seeks to resell PI must give the original consumer explicit notice and an opportunity to opt-out of that resale. | The CCPA goes beyond GDPR’s Article 28; GDPR only asks for the original company’s consent and the signature of a new written agreement. The data subject, however, can retract their consent, to the extent that the sale of personal data was based on the data subject’s consent. |
| The right to portability | Can receive PI that is structured and machine-readable to transmit to other companies. | Similar under Article 20, but the CCPA requires companies to provide portable data formats without the customer specifically requesting it. |
| The right to erasure | Business must delete once it receives a request, unless data deals with an assortment of conditions such as data security, repair errors, and compliance. | Article 16 also provides a deletion right, but the right is much narrower, specifying specific conditions allowing for deletion, such as PI no longer being necessary for its original purpose. |
| The right to opt-out | Consumers can opt-out from the sale or processing of PI. In their privacy policies and homepages, businesses must disclose the right to opt-out and provide communication channels like an online form and toll-free number, specifically stating “Do not sell my personal information.” | The framework in Article 21 is different: the sale or processing of PI likely requires upfront consent that data subjects can revoke at any time. In contrast, the CCPA does not require explicit consumer consent to gather PI, but rather provides mechanisms (such as required text and toll-free numbers) for them to opt-out. Also note that GDPR doesn’t require consent either; it’s only 1 of 6 lawful bases for processing data. |
| The right to opt-out (Minors) | Businesses who sell the data of CA residents under 16 years of age must get affirmative consent. | GDPR’s Article 8 is similar. |
| The right to equal service | Consumers who exercise their privacy rights will get the same level of service and prices as those that do not, unless the difference is reasonably related to the value provided by the PI. Companies can also offer financial incentives to consumers for the sale and collection of their PI. | Absent in the GDPR. |

Third, consider tools to simplify your compliance.

Compliance with the CCPA and the GDPR can be difficult for numerous reasons, including:

  • No single view of customer. Due to hundreds or even thousands of different databases about your customer, you don’t have a single view of your customer. Because your sales, customer service, and marketing departments are collecting customer data separately, your algorithms may be using redundant or outdated data, generating incorrect customer insights. When you do try to compile customer insights, access to each database takes days because database administrators have to manually grant it. Relevantly for the CCPA, you may not even be sure you’re giving customers all of their relevant data or know which customers are CA residents or minors. The thought of meeting the 45-day deadline to return data requests seems impossible because of how difficult it is to get data now.
  • Many users with different permissions. Since different databases have varying policies around who can access these databases and why, it’s highly possible that users and third parties – like Cambridge Analytica – are violating the resale or purpose restrictions of those databases. Your manual systems make it difficult to consistently document and audit data user behavior, leaving your bases uncovered.
  • Changing regulations require updates. Your company has thousands of databases and users. Existing policies are written in complex code that requires a slew of data technicians to implement. For instance, GDPR may require you to mask certain data fields when users ask for PI. When new regulations, like the CCPA, come into existence, ensuring compliance across various datasets becomes a multi-year effort across legal and IT departments, costing millions of dollars of time and money.

However, you can’t just ask customers to waive their rights; under the CCPA, such waivers are unenforceable, deemed contrary to public policy. Even more, these types of shortcuts destroy customer trust.

Given the compliance difficulties outlined above, data regulations require scalable approaches. Instead of reacting to the changing regulatory landscape in surprise after each new regulation, data governance tools – like Immuta – put you one step ahead as a data-first, customer-centric business:

  • No single view of customer – consider data virtualization. This method integrates data from disparate sources, without replicating the data, creating a “virtual” data layer. For the data to which they have access, users see just one set of data. They no longer have to recreate the wheel to discover which databases have relevant customer information or search through multiple databases and waste their time.
  • Many users with different permissions – consider data personalization and audit logs. Based on a user’s attributes – such as the group they’re a part of or where they work – Immuta’s data personalization allows you to ensure only the right users get access to the data they should. The platform does so by recognizing users’ attributes and inserting conditions to users’ queries – based on the user’s attributes – to limit their results. When users or third parties access data, Immuta logs those actions, creating documentation that can protect the company and identify rogue users who violate policies.
  • Changing regulations require expensive updates – consider natural language options. Instead of having to write code to filter or mask data to protect PI, Immuta’s policy builder uses natural language to help non-technical lawyers or compliance officers govern data appropriately. So instead of writing Python code, your data governors, for instance, can choose drop-down options that easily allow them to limit data for customer insight purposes and mask data columns involving age for those in the accounting department.

Conclusion

Ethical data science is good data science. Advanced data governance tools – like Immuta – allow you to practice ethical data science painlessly. By connecting different databases in a single virtual layer, personalizing access to data, and easily applying regulations without code, Immuta allows you to practice “data protection by design.” No more ad-hoc responses to comprehensive data regulations or addressing regulatory issues at the end. You’ve designed a new system that seamlessly protects your customer’s data from the very beginning.

While nightmares of lawsuits related to new data policies and laws can be daunting for enterprises, the silver lining of data regulations like the CCPA is that it forces enterprises to take responsibility for how they access and use data – ensuring data is used ethically and with consumer consent.

GDPR and CCPA help data science program leaders convince key stakeholders to invest in data infrastructure that companies like Google and Facebook have had in place for years. In your grasp are a better understanding of your customer, trustworthy data, and more engaged prospects who have opted into your business. GDPR and CCPA are tools to help your organization transition into a data-first, customer-centric business.

Less garbage in means more diamonds out. Learn more about creating a trustworthy data science program that will appeal to consumers and enterprise prospects by visiting.

*Dan Wu is Privacy Counsel & Legal Engineer at Immuta, the world’s leading data management platform for data science. He holds a J.D. and a Ph.D. from Harvard University.

–––

An edited version of this post originally appeared in ITProPortal; click here to view: https://www.itproportal.com/features/steps-to-prepare-for-californias-new-consumer-data-privacy-act-of-2018/.