What the CCPA Signals About the Future
California is leading the way to pass meaningful legislation on data privacy and cybersecurity. The new California Consumer Privacy Act (CCPA) is a strong complement to the EU’s GDPR, although many businesses will need to comply with both regulations. This primer by CipherCloud’s Anthony James on the CA AB 375 details the many new rights and entitlements for California consumers and what companies should do to comply by January 1, 2020.
California just passed the California Consumer Privacy Act, also known as California AB 375, which goes into effect on January 1, 2020. This California regulation is part of the whirlwind of global legislation impacting data privacy and cybersecurity. California is not alone in efforts to legislate the protection of data privacy. Earlier this year, on Capitol Hill, U.S. Senator Ron Wyden (OR) introduced a discussion draft (SIL18B29) for a proposed national Consumer Data Protection Act. SIL18B29 includes very tough penalties for companies that violate your data privacy, even potentially including prison time for offending CEOs.
U.S. Senators Elizabeth Warren (MA) and Mark Warner (VA) have also sponsored a bill now in draft (S.2289) for a national Data Breach Prevention and Compensation Act. This act is focused on credit bureaus and other entities that hold consumer data. Its definitions could extend further to a variety of business types, including digital marketing firms and more.
Outside of the United States, there is also considerable legislative activity around data privacy. Most visible, and very much in the news, was President Emmanuel Macron’s announcement at the Paris Peace Forum of the Paris Call for Trust and Security in Cyberspace. The Paris Call is intended to get nation-state-level agreement on basic principles of cybersecurity behavior. Earlier this year, on May 28, the European Union (EU) General Data Protection Regulation (GDPR) became operational as the toughest data privacy law worldwide. The GDPR defines many difficult requirements that must be met by any business utilizing the sensitive and private data of European Community citizens.
California’s new legislation AB 375 is very similar in most ways to the EU GDPR, but lacks some of the teeth that GDPR brings with its massive fines per violation. AB 375 will apply to any business that does business in the state of California and that has more than $25 million in revenue, buys or sells the personal information of 50,000 or more consumers, or derives 50 percent or more of its annual revenue from selling consumers’ personal information.
GDPR has an inviolate 72-hour window for breach notification, which AB 375 lacks. In most other areas, the legislation is quite similar and suggests the need for broadscale changes to corporate operating procedures, applications and software systems. The legislation directly refers to the “personal data misused by a data mining firm called Cambridge Analytica.”
AB 375 emphasizes data protection rights as critically important, as do other compliance laws, such as GDPR. Encryption stands front and center as a protective measure to be used by any business. Consider that any “consumer whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.”
Not only is encryption essential, but the legislation also addresses technical measures such as tokenization, by reference and through its supplied definition of “pseudonymization.” Pseudonymized data, also referred to as “de-identified data,” is defined in the legislation to mean the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information. This definition carries the proviso that the additional information is kept separately and is subject to additional technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
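To make the definition concrete, here is an added example (not from the article or from CipherCloud) of the two halves the law describes: a dataset whose direct identifiers have been replaced by keyed tokens, and a separately held vault containing the key and mapping that alone can re-identify a record. The customer records, field names and the `TokenVault` class are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed sample records for illustration only.
CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.com", "zip": "94105"},
    {"name": "Bob Sample", "email": "bob@example.net", "zip": "90210"},
]


class TokenVault:
    """The 'additional information' that must be kept separately: the HMAC key
    and the token-to-identifier mapping. Only a holder of this object can
    re-identify a pseudonymized record."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._lookup: dict = {}

    def tokenize(self, identifier: str) -> str:
        # Keyed, deterministic hash: the same identifier always maps to the same
        # token (so records can still be joined), but without the key the token
        # cannot be reversed or recomputed from a guessed identifier.
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)


def pseudonymize(records, vault: TokenVault, direct_identifiers=("name", "email")):
    """Return copies of the records with direct identifiers stripped and a
    subject token added. The result can be handed to a processing system while
    the vault stays under separate technical and organizational controls."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in direct_identifiers}
        pseudo["subject_token"] = vault.tokenize(rec["email"])
        out.append(pseudo)
    return out


def contains_direct_identifiers(records, direct_identifiers=("name", "email")) -> bool:
    """Export-time check: does any record still carry a direct identifier field?"""
    return any(k in rec for rec in records for k in direct_identifiers)
```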
When data protections fail, consider the potential penalties. The potential penalties for failing AB 375 range from actual damages to injunctive or declaratory relief to any relief the court deems proper. Consider the impact of a Cambridge Analytica and then consider what a court might decide. Could individual consumer rights be combined in a class action suit to collect damages against a social media company for the breach of their data? How will the court decide damages?
In any case, this new law provides many new rights and entitlements for California consumers. These include:
- The right of Californians to know what personal information is being collected about them and to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to request that the business provide information about the categories of personal information that has been collected about a consumer, the categories of sources and much more.
- The right of Californians to say no to the sale of personal information. This opt-out should be honored for a period of 12 months before requesting this again from the consumer.
- The right of Californians to request that a business delete any personal information about the consumer that the business has collected from the consumer.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights. That means a business cannot deny goods and services to a consumer who opts out, or charge different prices or rates for goods and services.
- A 45-day response time for requests made to the business, with the same information requestable not more than twice a year.
- Clear, conspicuous links on the website entitled “DO NOT SELL MY PERSONAL INFORMATION” that go to a form the consumer will fill out. The law is explicit in this requirement.
- Personal information under this law is very broad and includes real name, alias, postal address, account name, social security number, driver’s license number, passport number and other similar identifiers. It specifically includes many other categories of data, such as biometrics (specifically including DNA data), internet search and browse data (anything used for digital marketing), geolocation data, employment information and much more. It even addresses “probabilistic identifiers,” meaning the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
The implications of AB 375 are huge and a harbinger of what is to come. Other U.S. states will introduce parallel legislation. It is incumbent on organizations that wish to be compliant to bring in the necessary cyber defense tools. This must include end-to-end encryption, tokenization and much more to reduce the risk of a cyber breach. You will need to harden your defenses both on-premises and in the cloud.
Vendor application systems will need controls added, and the automation to manage this legislation at least in part. This applies particularly to vendors in digital marketing, customer relationship management, customer service, social media, publications that collect digital data, advertising networks, search engines, banking and insurance.
You may need one notice for GDPR and then another for AB 375, as explicitly defined and directed by this legislation, on your homepage. Large companies such as Facebook and Google have likely spent millions of dollars to assemble most of these controls to meet GDPR and now just need to adjust their strategy a bit.
Many U.S.-based companies have temporarily dodged the requirements of GDPR, as they are not collecting data in the EU or doing business there. Or perhaps they are banks and financial institutions that operate regionally within the United States. Perhaps some of them are just ignoring the requirements for now. But it is hard to believe that most of these same U.S. companies are not doing business in California. They will have to take concrete steps to comply with the pending legislation. For most, this will be a huge administrative and software development burden. Cyberdefense strategy will need to be improved. Many businesses will not be ready by January 1, 2020, to support the requirements of this legislation adequately.