California Consumer Privacy Act: SEC.2 (h), an introductory statement giving context to the new privacy law:
“In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the internet. As a result, our desire for privacy controls and transparency in data practices is heightened”
If you have taken the time to watch The Great Hack (2019) on Netflix, chances are you’re among those who believe privacy is a basic human right, and you likely would argue that organizations like Facebook and Cambridge Analytica have grossly violated that right for millions of American citizens. The broader issue at hand here, however, is not whether you agree with the above statement issued and passed by the California State Legislature, or even what you think about Mark Zuckerburg. The real topic to consider is why we have the CCPA, what it really means in the ongoing debate about privacy, and what wise businesses are doing about it.
Understanding the History of Privacy
Privacy laws aren’t born in a vacuum. They are usually the result of a great impetus, and may be preceded by a formal recognition of the right to privacy as a human right. 70 years before the passing of the General Data Protection Regulation in Europe, for example, personal privacy and one’s right to protect that information was formally acknowledged as a fundamental human right in the Universal Declaration of Human Rights (1948). The UDHR was approved by the United Nations as a response to atrocities committed by the Nazi Party during and leading up to WWII, when personal data detailing ethnicity, religion, family records, etc. was gathered and used to catalogue people living in its existing and targeted territories, in order to launch an all-out genocidal campaign. In the years since the UDHR was passed, subsequent European declarations, conventions, laws, and acts have continued to refine and flesh out various rules around the collection, sharing, storage, and use of personal data with increasing rigor. With the passing of each new law, the EU seemed to take another measured step towards providing the legal framework that would be necessary for any regulation on privacy data that can have teeth–leading us to the current regulatory structure and massive fees associated with violation of the GDPR. In contrast to what many in the US saw as a sudden and harsh rule set with unrealistic penalties, the GDPR is the result of a slow, intentional, and inclusive legal evolution.
Not unlike the GDPR, the CCPA also references an earlier establishment of privacy as a right. Section 2(a) of the CCPA reads, “In 1972, California voters amended the California Constitution to include the right of privacy among the ‘inalienable’ rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.” The historical similarities break down, however, in the fact that California as a state has not seen the kind of death and destruction that European regions have endured on their own soil, leading one to wonder what kinds of gross violations it will take to push US lawmakers over the edge. Facebook, Google, and numerous other digital giants are headquartered in California, so it’s no surprise that lawmakers in this state sought to join other states across the US who legislate the collection and use of personal/consumer data, but clearly they are not ready to go very far with enforcement yet. Companies below the $25m gross revenue or who annually leverage (buy, sell, use, profit from, etc.) less than 50K consumer records can essentially continue their existing practices, for example. In combination, that represents a great many organizations who don’t legally have to make a lot of changes. The question is, how far will lawmakers go with fines, oversight, enforcement in the future? What events will tip the scale? It’s hard to know, exactly, which means we should be prepared for just about anything.
Current Corporate Attitudes About Privacy
Some (not all, to be sure) small and mid-level sized US companies who don’t engage in EU commerce–therefore sidestepping both GDPR and CCPA requirements–seem to be hoping US privacy laws will just dissipate. In private, many execs at these companies might even tell you over a glass of wine that if it comes down to it, they will absolutely fight for their right to collect, store, and monetize whatever consumer data they choose–especially for marketing campaigns. This is not an illegal approach and is fully within their rights. Further, if these organizations handle consumer data responsibly, follow all current federal consumer protection laws, and use risk mitigation techniques to address those areas of data management where the practices of privacy and data security overlap, organizations still buying or selling consumer lists are not violating any laws in how they handle personal data. It’s not about violation, however. This conversation is more about understanding the nature of the movement at-hand and anticipating the direction that privacy and security laws are headed in the future, as a result of our unique cultural and historical contexts.
Paying Attention to the Trends
Wiser organizations are concerned less about violating one law or another, but instead work from a global understanding of what can be termed theprivacy trend. These are the CIOs who have been paying attention to history and have been listening to thought leaders like John Ladley (author, Making Enterprise Information Management Work for Business). For years, Ladley and his counterparts have been banging the gong for US businesses with the message that master data management (MDM) is non-optional for anyone who wants to succeed with how they collect and leverage data to enable business. While he makes a very sound business case for how one organizes data and its use, Ladley’s contemporaries at research and advisory firms like Gartner correlate this concept with the privacy and security laws around the globe, drawing one conclusion. These voices continue to tout the single, simple principle that will serve all business everywhere: know what data you have and where it lives. From there, you can always pivot however needed. If you are doing what it takes to streamline, scrub, eliminate excess instances, and minimize your use of customer data, doing only what is necessary for each business case, you will be in the best possible position if a compliance requirement is suddenly passed. You won’t be mired with overwhelming administrative and organization tasks if you need to do a particular thing with a particular dataset. (It’s fairly difficult to secure, protect, or minimize use of a dataset if you don’t know everyplace it may live or how it’s being used.)
Organize Yourself Now to Save Yourself Later
Section 1798.130 makes the value of MDM/EIM very clear for those who currently fall under compliance requirements. As detailed earlier, in 1798.115, consumer has the right to request that a business who has sold their personal information, or disclosed it at all for a business purpose, tell them exactly what categories of information were collected, and every third party to whom it was sold.
1798.130.(4(C)) dictates that in those cases, they must:
Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).
How, exactly, does one comply with this process if they don’t even know all of the places a particular consumer’s personal information may live, much less with whom they shared it for a business purpose? The very process of EIM requires data to be categorized and organized by business purpose. Forget the fact that this is best practice for getting the most out of your data for business enablement, and forget the fact that it will help you make a stronger case to your board for budget line items that will help protect and secure particular datasets to prevent a crippling breach. Let’s just focus, for now, on the fact that this exercise will help you quickly and more simply comply with laws like the CCPA if and when their reach extends to your organization in the future. Does anyone really want to get caught in a situation where they have to scramble at the last minute to find, organize, clean, and simplify their data and data practices internally, spending countless dollars and personnel hours that could have been metered out incrementally in the months or years beforehand? If you watched companies panic and cut into their reserves preparing for the GDPR’s go-live date, you get it.
In short, we really don’t know what political goings-on will suddenly tip the scales of US public opinion, driving new and more robust regulations. One thing is certain, however– the companies who will be caught the most off-guard will be those who still haven’t taken the steps necessary to organize themselves and clean up their data. From that, we can conclude that the conversation isn’t over, and privacy is an evolving concept, so we should work from the standpoint of preparedness.