 |
 |
 |
The California Consumer Protection Act
The California Consumer Protection Act or AB 375 came into effect in January of 2020 with a small pique of interest by some, trepidation by others and confusion by some more.
Consumer privacy reform joins the growing list of legislative reforms that California has taken over recent times along with net neutrality, carbon emissions reduction, renewable energy, representation of women on company boards and many more. If one word were to describe this reform, I would say overdue. Nonetheless it’s here and it’s a bear trap for any personal data warehouse or ad-tech firm to get caught in, if they run afoul. In the next sections we’ll take a look at what CCPA is about.
Brief Primer
Building on pre-existing privacy laws such as CalOPPA and Shine the Light Law, CCPA was perhaps a logical step by the California state legislature to respond to mega breaches of the Equifax (147m records) variety and the reckless behavior of Facebook in the Cambridge Analytica scandal.
As a refresher, Cambridge Analytica was the UK firm that harvested 50 million Facebook user accounts for personal data that was used for political campaigning by the Republican party in 2016 unbeknownst to EU and US citizens alike.
With european data protection regulations (called GDPR) enacted in May 2018, California decided to implement a similar but more light-touch version of the rules then those enacted in Europe, but nonetheless California has met resistance (predictably) from companies in the US who maintain that one federal law would be better than trying to meet several different state laws where they do business in.
Rule Highlights
So what’s in the CCPA. First of all there’s an official fact sheet from the California OAG which is found on their main landing page which details the new law. To summarize the regulations, I’ve broken it up into the sub-sections below.
Applicability: It applies to any qualifying business, in any country who has customers or employees based in California. Qualifying businesses being those who have annual gross revenues in excess of $25 Million or trades data on more than 50,000 customers annually or derives 50% or more of it’s annual revenue from selling personal information.
Sanctions: California consumers may invoke the new law where enforcement actions may include a $2,500 penalty per record for an unintentional violation and $7,500 penalty for an intentional violation. (If Cambridge Analytica happened today, that would be 50 million multiplied by $7,500 or 375 with nine zeros).
At a lower level, the act allows a “Private right of action” for California Residents, allowing claims of $100 to $750 per incident, whether actual harm is proven or not. This law is tied to the recently updated California Data Breach Notification Law AB 1130 which defined data in scope including driver’s license, social security number, email address, account numbers, as well as medical, health and biometric information.
You have the Right to… Well not the Miranda variety but I’m sure there would be lawyers involved nonetheless for any company being questioned about suspect breaches. The act sets out the following rights,
1: The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
2: The right to delete personal information held by businesses and by extension, a business’s service provider;
3: The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
4: The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA 
GDPR Similarities:
CCPA has been called GDPR Lite in that it does seem to be a reduced version of the European GDPR regulations. There are notable differences including the important concept of prior consent vs opt-out. Prior consent in GDPR establishes a legal basis where companies must get specific acceptance from consumers before processing it. Opt-out in CCPA does not require consent in advance, it simply allows California residents to request that their information be removed from data processing activities.
This approach is in line with the overall theme of CCPA vs GDPR, which is transparency focused vs privacy by default focused. It can also be said that GDPR investigatory powers are broader than what’s been defined by the OAG. GDPR provisions for “supervisory authorities” ability to conduct audits of companies suspected of being in breach with the GDPR. issuance of warnings, order of data controllers to comply with the GDPR, imposition of bans on processing, issuance administrative fines and erasure of wrongfully obtained data. This level of remedy has not yet been defined to this degree for CCPA enforcement but it may get there soon. So now we’ve been primed with regulatory background, let’s take a look at how innovation, particularly RegTechs are likely to meet the challenge.
Compliance Automation
First, lets visit the automation technology that’s powering innovation in response to regulation over the years and what we can expect with CCPA. Here’s one showing how Data Analytics and AI are contributing to over 60% of solutions developed to automate compliance. (Alvarez / Marsal from Burnmark (a fintech research company) from 2018).
The reason for showing you this, is to put a frame around where RegTech innovation is happening. A huge part of if is focused on automation, which is perhaps the only way going forward to keep up with the acceleration over time of regulatory changes in the last twelve years. This pace is reflected in the infographic below, which hasn’t yet caught up to CCPA in 2020 but we can see where it’s going.
Regulated firms are paying attention to these solutions and skill sets that can deliver them (data scientists, privacy practitioners like myself, legal professionals etc).
The stakes are high for non-compliance as we see from government statistics. In 2019, the SEC published 2,754 enforcement actions, including 95 against public companies — the highest number in a decade.
One only has to look at a history of the largest data breach Fines to see how severe the implications can be of not tackling regulations effectively.
Innovators in the Spotlight
Despite the pandemic, investment and innovation goes on as you can see if you read my previous article “Black Swan Day“. Innovation for CCPA compliance is made considerably easier for those companies who were already touting GDPR solutions in their RegTech portfolio. I took a swatch of 3 companies that are innovating in the data privacy space with different implementations of data analytics, machine learning and robotic process automation. I should point out, that I’m not here for product endorsement reasons and have merely researched various solutions that I found to be innovative.
Privitar is one such company which falls under the data analytics category. In early April 2020, they managed to secure a tidy $80 million in series C funding from Accel, Partech, IQ Capital, Salesforce Ventures and ABN AMRO Ventures. Needless to say they have been attracting a lot of household name clients like HSBC and Citi.
Privitar leverages the concept of data de-identification which separates PII such as SSN’s from a data set and stores it separately with only a unique identifier linking the two. Different technical techniques are cited on their page including Data Tokenization, Data Encryption, Data Generalization, Data Masking, Perturbation, Redaction and Substitution.
CEO Jason Du Preez described two of their products to TechCrunch back in 2017 which were Privitar Publisher, which “takes sensitive data and applies a privacy policy to create an anonymised copy which can safely be used for investigative analytics, machine learning, and sharing with trusted parties” by way of tokenization and encryption of identifying fields. The second product was Privitar Lens is a “privacy-preserving query interface for reporting and statistical analysis. Privitar Lens allows analysts to perform sophisticated analytical queries of the data (e.g. counts, sums, histograms), but prevents direct access to the underlying sensitive data,” which is also known as differential privacy. In short, the innovation here is the advanced big data analytics and algorithms at work to successfully de-identify and re-identify data which is really purpose built for CCPA and GDPR type regulations.
Another innovator in the field is Ascent RegTech and their RegulationAI solution which uses Machine Learning and Natural Language Processing to “ingest hundreds of regulations and rapidly determine which obligations apply to your business”. In other words, an automated way of creating an obligations register which identifies what an where in your organization falls under which regulation. It uses a “Change Regulation” engine to identify regulatory changes and provide customer with side by side (old vs new) rule changes.
Lastly Kofax and Lekab launched a joint venture to use RPA (or Robotic Process Automation) to automate many of the data privacy tasks such as fetch my data, A robotic routine to fetch all the data you have stored on them, and where that data is stored forget me, a routine to delete data held on customers on all internal systems check my compliance record, tells you who has access to the data in question, and show you what your status is in terms of data privacy compliance And create new customer data (customer onboarding for example) that is checked for compliance. These robotic routines could have significant time and cost saving potential, particularly for large organizations handling lots of personal data.
In Closing
CCPA, GDPR, New York Shield and other regulations are driving an age of automation in the RegTech space and it has to be said that the innovation is exciting in dealing with a less than exciting problem. CCPA will likely evolve over time, fines will increase and customers will want accountability as breaches continue to happen.
Regulated firms have more options than ever before for meeting the compliance burden with the advent of AI/ML but they also need human resources in place to identify the solutions, implement them and guide privacy programs through this complex space.
Read our related article 10 Steps to designing the right data protection program
What should be in your data privacy awareness training?
Data privacy training requires coverage of several key topics to be compliant with GDPR. In this article we look at these core areas.
Tips on running a successful security awareness program
Companies face difficult challenges when training their staff on security. Find out how to build a successful security awareness training program.
Guide to Performing a Privacy Impact Assessment
Privacy impact assessments are required under GDPR Art.35 and US State privacy laws. Learn the steps required for a PIA and download our template.
CTDPA – What to expect with Connecticuts new Data Privacy Law
CTDPA comes into effect in July 2023 and introduces a series of changes for Connecticut businesses when handling customer personal data.
