California’s new data privacy law brings U.S. closer to GDPR

The requirements aren’t insignificant, and the fines could add up

Data privacy has become one of the defining business and cultural issues of our time.

Companies around the world are scrambling to properly protect their customers’ personal information (PI). However, new regulations have shifted the definition of that term, making everything more complicated. With the California Consumer Privacy Act (CCPA) taking effect in January 2020, companies have limited time to get a handle on the customer information they hold and how they need to care for it. If they don’t, they risk not only fines but also loss of brand reputation and consumer trust — which are immeasurable.

California was one of the first states to provide an express right of privacy in its constitution and the first to pass a data breach notification law, so it was not surprising when state lawmakers in June 2018 passed the CCPA, the nation’s first statewide data privacy law. The CCPA isn’t just a state law — it will become the de facto national standard for the foreseeable future, because the sheer number of Californians means most businesses in the country will have to comply. The requirements aren’t insignificant. Companies will have to disclose to California customers what data of theirs has been collected, and delete it and stop selling it if the customer requests. The fines could easily add up — $7,500 per violation if intentional, $2,500 for those lacking intent and $750 per affected user in civil damages.

Evolution of personal information

It used to be that the meaning of personally identifiable information (PII) from a legal standpoint was clear — data that can distinguish the identity of an individual. By contrast, the standard for mere PI was lower because there was so much more of it; if PI is a galaxy, PII is the solar system. However, the CCPA, and the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, have shifted the definition to include additional types of data that were once considered fairly benign. The CCPA enshrines personal data rights for consumers, a concept that the GDPR first brought into play.

The GDPR states: “Personal data should be as broadly interpreted as possible.” That covers all data associated with an individual, which we call “contextual” information: any information that can “directly or indirectly” identify a person, including real names and screen names, identification numbers, birth date, location data, network addresses, device IDs, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.” This conceivably could include any piece of information about a person that isn’t anonymized.

With the CCPA, the United States is playing catch-up to the GDPR and similarly expanding the scope of the definition of personal data. Under the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes a host of information that typically doesn’t raise red flags on its own but which, when combined with other data, can triangulate to a specific individual: biometric data, browsing history, employment and education data, as well as inferences drawn from any of the relevant information to create a profile “reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”

Know the rules, know the data

These regulations aren’t checklist rules; they require big changes to technology and processes, and a rethinking of what data is and how it should be treated. Businesses need to understand what rules apply to them and how to manage their data. Information management has become a business imperative, but most companies lack a clear road map to do it properly. Here are some tips companies can follow to ensure they are meeting the letter and the spirit of the new regulations.

  • Figure out which regulations apply to you

The regulatory landscape is constantly changing, with new rules being adopted at a rapid rate. Every organization needs to know which regulations it must comply with and understand the distinctions between them. Some core aspects the CCPA and GDPR share include data subject rights fulfillment and automated deletion. But there will be differences, so having a platform that allows you to handle a heterogeneous environment at scale is important.

  • Create a privacy compliance team that works well with others

Privacy regulation compliance is a team sport — not solely the responsibility of the privacy office, but a partnership between that unit and departments including security, IT, data governance and even engineering. It’s not sufficient to draw up privacy policies and data flow maps in the privacy office, do a Privacy Impact Assessment and call it a day. You’ve got to instantiate privacy compliance operationally at the IT level, be able to leverage privacy programs to protect sensitive data in a security context, and apply the concept of personal information to governance so you understand which data is covered and how it can be used. You need to build privacy into the fabric of the enterprise.

  • Adopt prevailing privacy frameworks

Privacy compliance doesn’t mean you have to reinvent the wheel. There are privacy frameworks that are incredibly useful in providing prescriptive advice for finding and managing data for compliance purposes. For example, the National Institute of Standards and Technology (NIST) has a helpful and instructive privacy framework that provides a blueprint for organizations to identify, assess and manage privacy risks. It provides guidance for addressing privacy at every level and reflects the collective wisdom of the community. Organizations provide input on the framework, and the standard is updated over time. These frameworks aim at future-proofing: how to design privacy programs and anticipate challenges that don’t exist today but may come down the road. They tend to be comprehensive in nature and address the relationship between privacy, security and other related disciplines.

  • Map, inventory and classify all your data

It would be impossible to manually inventory all the structured and unstructured data residing in data warehouses and elsewhere in organizations today. Companies need to deploy privacy-centric data discovery systems to be able to distinguish the information they hold that would be considered personal data under the regulations that apply to them, and to understand identity: whose data they have, where it resides and how it is used. Machine learning can be used to automate these processes, replacing manual search-and-find efforts based on surveys and spreadsheets. Because the regulations have expanded the definition of personal information, it’s not enough for companies to just find data of a particular type; they need to figure out whether the data is associated with an individual, and if so, which person. Linking all the data a company collects, processes and shares to a specific individual is crucial for compliance.

  • Automate privacy workflows

Mapping, inventory and classification serve as the foundation for automating the key compliance requirements of privacy regulations. Organizations need the ability to fulfill new obligations such as responding to requests from people who want to opt out or delete their data, and verifying their identities, as detailed in the latest draft guidance released in October by the California State Attorney General’s office. CCPA enforcement is focused on unauthorized third-party data sharing and deletion request fulfillment. Those are workflow processes that can — and should — be automated to ensure continuous compliance going forward.

  • Prepare for sustainable compliance

Compliance can’t be viewed as a single act or point-in-time event, because data in your organization is constantly changing and moving around. Fulfilling user requests is an ongoing process, so you have to make sure you can respond at scale as the data state grows and changes. This requires tools that continuously map data and automate workflows, so you can maintain compliance at greater scale as things change over time. A recent survey found that only half of respondents said they were compliant by the May 25, 2018, GDPR deadline, despite having two years’ notice, and most took seven months or longer to get there. The CCPA takes effect January 1, 2020, and enforcement begins July 1, 2020. It’s never too early to get started, but it can be too late.

There is much to consider on the road to achieving CCPA (and even GDPR) compliance, but understanding what personal information is remains critical. Knowing where all your data resides and how it’s classified will help ensure that the data is accurate and managed properly under the new regulations. This personal data quagmire will get even worse as additional states enact data privacy legislation and if a federal law is adopted, but setting up systems now to discover and identify data and enable new governance processes will help with compliance regardless of what future regulations call for.