Enterprises have made considerable investments complying with the European Union's (EU) General Data Protection Regulation (GDPR). Many of them scrambled to get into compliance at the last moment because they didn't understand the regulation or they weren't sure how to implement it. Confused or not, organizations faced and still face the staggeringly high cost of non-compliance, which could be 20 million Euros or 4% of a company's annual turnover.
Now businesses also have to consider the California Consumer Privacy Act (CCPA) which is will go into effect on January 1, 2020. The act isn't set in stone because it could be amended as the result of midterm elections. Alternatively, it could be preempted by a federal equivalent.
The CCPA currently states that California citizens have a right to know about all of the data a particular business has collected about them and the purpose of that data collection. They also have the power to stop businesses from selling their information, and the right to sue companies that collected personal information that was subsequently stolen as the result of a data breach.
Citizens will be empowered to delete data they've posted and are entitled to know in advance what categories of information are being collected about them at the point of collection. They are also entitled to notice if there are any changes in regard to that data collection.
Further, businesses may not discriminate against anyone for opting out of personal data collection, such as charging them more for products and services.
The sale of personal information to third parties is also covered. Citizens have a right to know with which third parties their data is shared, as well as the categories of information sources from which their data was acquired.
The CCPA applies to entities including sole proprietorships, partnerships, limited liability companies, corporations, associations and other for-profit organization that collect consumers' personal information and do business in California if one or more of the following apply:
- The organization has annual gross revenues in excess of $50,000,000 (an adjustment may apply)
- The organization annually sells the personal information of 100,000 or more consumers and/or devices; or
- The organization derives 50% or more of its annual revenues from selling consumers' personal information.
"A lot will depend on the upcoming election results. Regardless of where this law might end up, it's not going to be passed 51/49," said Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP). "There are consumer protection groups on one side, business trade groups on the other side and some companies are in the middle. I think the midterm elections will give us more insight into which side of the spectrum will have more pull and more clout in the process."
What more privacy laws mean for enterprises
More compliance requirements mean greater administrative complexity requiring additional resources and expertise. At one point, the IAPP estimated that 75,000 data privacy professionals would be hired as a result of GDPR, but recently Tene learned that there are now 75,000 data protection officers registered in France alone.
"The first thing you need to consider is what you are doing with data and where is it located. Not only do you have to indicate what you're collecting, but if a consumer asks about it, you have to explain what business information you have collected about that person, which is pretty broad undertaking," said Joe Lynyak, a partner at law firm Dorsey & Whitney. "It may also mean that people may want to sanitize information about consumers without going into a recitation of what we've been gathering about you for several years."
The next issue is to whom the business is selling information. Answering that question requires open communication lines in various parts of the business.
An important point to note is that like GDPR, the fact the CCPA pertains to a specific location does not mean it only applies to businesses located in that jurisdiction. When it comes to business law and the CCPA, there's the legal notion of "minimum contacts," which essentially means if you're doing some level of business with an entity or entities in the state jurisdiction, even though you're located in another jurisdiction the law applies to you or your business.
"California takes the position that you don't have to have physical contacts (i.e., an office) in California to be covered under California law because California has the right to protect its citizens," said Lynyak.
Lynyak thinks the lack of necessary expertise will be an issue for many organizations because the additional compliance will require additional overhead.
"When you think about what a project plan needs to cover, it's very complicated," said Lynyak. "There's a lot of overhead associated with compliance from both technology and legal perspectives."
For example, Lynyak indicated one company decided that the overhead associated with GDPR wasn't offset by the amount of business the company was doing in the EU, so it decided to sell its products through a third party to avoid the potential liability.
"If you have to comply with GDPR, non-US state privacy laws and US privacy laws do you need three separate systems or a one-size-fits-all," said Lynyak. "If it's European privacy, where are the servers located and what are you doing with the information in the US if you're not dealing with it in Europe. It's going to be an evolving process of what works, what doesn't, what's going to get you in trouble and who's going to audit you to ensure you're in compliance."
Bart Willemsen, senior research director at Gartner said having a uniform approach is the most practical approach because, otherwise, companies have to go through audit cycles of each set of requirements, which causes audit fatigue, keeps people from doing their regular jobs and creates confusion in the workplace.
"How many companies have 13 or 14 different security requirements/frameworks they're confronted with on a global scale, how many of those actually conduct 13 or 14 different audit cycles?" said Willemsen. "If a global entity is confronted with the planning assumption that in five years 50% of the world's population will be protected by GDPR and similar privacy environments, each has their own different interpretation, detailed differences. If you know what you clients want, you can baseline it, at least most of it, and make exceptions when you absolutely have to."
Before the CCPA, liability for harm in regard to data use has depended on whether the complaining party actually suffered some sort of material damage or loss. The CCPA allows statutory damages in the case of a data breach which are explained at length in the language of the Act itself.
Who should be held accountable for privacy?
"Step number one of every compliance activity in terms of privacy regulation should be to place accountability where it belongs, with the business," said Gartner's Willemsen. "[The only thing] a security professional, privacy professional, CIO or IT director can do is to confront the business with a choice-based [option] or a risk that's assessed and let the business make the decision. Specifically, with international relations such as cross-border transfers or where can I keep doing business in a uniform approach, the business needs to make the decision. That's something almost every organization struggles with."
Company executives should review the company's business goals and ponder whether those are still achievable using less personal data. If not, the company may choose to redefine its goals in a way that can be achieved within the confines of privacy requirements. Alternatively, they may decide whether the potential risks of staying the course are worth taking.
"Organizations make changes based on two negatives and two positives. The two negatives are when someone outside your organization tells you to change something (in this case rule makers and regulators, etc.) and to avoid negativity, (in this case sanctions and in some cases imprisonment)," said Willemsen. "The positives are that organization or board levels discuss and decide this is the type of organization we want to be regardless if what other people tell us or [they decide] to create something positive [that enhances] consumer trust and satisfaction because what business do you have if you don't have a customer?"
A lot can happen between now and the outcome of the mid-term elections, so this is only a status report of the way the Act reads at this point in time. Like GDPR, there will be a lot of issues to discuss that impact business and technology professionals, but what organizations need to do specifically is still unknown.