CCPA: Nine Months In

Author: Ron Lear, Vice President, Frameworks and Models, CMMI Content Development & Services
Date Published: 11 September 2020

Protecting consumer data privacy has been a critical issue for years, but California was the first US state to actually enact a law. Although the California Consumer Privacy Act (CCPA) was signed into law in 2018, it has only been in effect for about nine months. To get an insider’s perspective on what has transpired in this short time, I talked with The Privacy Professor consultancy CEO, Rebecca Herold, CISA, CISM, CISSP, CIPP, CIPM, CIPT, FIP. Here are her responses to our questions:

RL: Now that CCPA has been in force for a little over half a year, what are your thoughts on its effectiveness?
RH: Based on recent news, there is more confusion now about CCPA than ever before. In addition to the confusion, many organizations are taking it upon themselves to interpret the CCPA requirements in ways that provide the most benefit to the organization, taking advantage of vaguely written requirements and missing specifics, so the benefits of the spirit of the law are not realized by consumers.

On the positive side, there has been a noted increase in organizations being aware of the need to address customer privacy, as well as the general public being aware of the need for businesses to provide privacy protections. That said, some organizations have implemented comprehensive privacy programs to be in compliance with CCPA. Others are waiting to see if California regulators will actually apply fines or penalties. Such waiting is often with the intent of doing only the actions for which other businesses have been fined or penalized.

RL: Have there been any surprise outcomes of CCPA? If so, what are they?
RH: The early surprise is that within two-and-a-half months after going into effect, California lawmakers were already proposing significant changes to the law. I can’t remember when in the past any significant changes were proposed so quickly after a privacy law was put into effect. They seem to be basing these changes on how the law is impacting organizations and consumers, and are trying to address the causes of confusion and the areas where requirements may not be as feasible in practice as they were intended to be with the original wording. Notably:

  • Accessibility standards are confusing to many and not feasible for others. Proposed changes address these ambiguities and provide clarification for acceptable accessibility methods.
  • Additional requirements and explanations of notifications to third parties and annual reporting requirements begin July 1, 2020 and continue on July 1 of each calendar year.
  • There are clarifications, new affirmative authorization and reasonable security requirements.
  • Clarifications are suggested for data broker registration and notice requirements.
  • Deadlines triggered by receipt of a consumer request were explicitly labeled as “business days” or “calendar days,” as applicable.
  • New examples, clarification and expansion of the terms are recommended for specific requirements for mobile applications and offline collection of data, as well as how to calculate and communicate the value of data to consumers.

Other surprise outcomes relate to the breadth of impact to businesses. The law was expected to improve privacy rights of consumers with large tech companies—however, it impacts companies of all sizes. Many small to mid-sized businesses are trying to meet CCPA requirements, but find themselves violating other laws, such as those requiring that certain types of personal data be retained for a minimum period of time. In addition, there is some confusion as to how CCPA applies to gig businesses that contract, but do not employ, workers.

RL: How does CCPA compare to the EU’s General Data Protection Regulation 2016/679 (GDPR)?
RH: At a high level, CCPA seems very similar to GDPR, but there are key differences. Not only does CCPA apply to the consumers in just one US state, but the scope of personal data and the types of individuals covered is much narrower. More specifically:

  • Both CCPA and GDPR protect only living individuals and do not cover legal persons (e.g., a business entity, or government).
  • GDPR’s personal data definition includes explicitly referring to individuals. It is widely inclusive and does not exclude specific categories of personal data, whereas CCPA’s personal data definition includes information relating to households in addition to information related to individuals, but specifically excludes a wide range of personal data categories.
  • Other differences include how GDPR and CCPA cover children’s data, “special categories” of personal data, pseudonym-related data and research data. Additionally, GDPR requires a legal basis for processing personal data, where CCPA does not.

RL: Do you think CCPA will inspire other US states to do something similar? Should it?
RH: Other states will follow suit—the only ones that won’t will be those that haven’t enacted a similar law before a Federal law is put in place. Keep in mind that California’s breach notice law was the first in the US when it went into effect in 2003. Now there are 54 US state and territory breach notice laws, plus Federal and industry-specific breach notice laws. History demonstrates that as go California privacy law actions, generally so go the other states, at least eventually.

RL: Is this the most effective approach to starting to partially put the "privacy genie back into the Internet bottle"? Or is it impossible to "uncrack the privacy egg"?
RH: This is very subjective. There need to be both laws and organizational responsibility for addressing risks that are not covered by laws and regulations. It is never too late to try to improve privacy protections, just as history demonstrates fire codes, speed limits and food safety requirements improve consumers’ well-being.

RL: There are plans to put a revised law on the ballot in California in November 2020—the Privacy Rights & Enforcement Act of 2020 (or CCPA 2.0). It seems to recognize that CCPA was a good first step, but that additional guidance is needed. What are your thoughts on this? 
RH: The California Privacy Rights Act (CPRA) received more than enough signatures, so it will appear on the November 2020 ballot. It goes beyond providing more guidance to significantly expanding what CCPA established. For example, the CPRA, if passed, would go into effect on January 1, 2023. It would allow for and establish a wide range of additional rights and privacy oversight. For example, it would establish the California Privacy Protection Agency, require businesses to establish contracts with all third parties with whom the business shares personal information, remove the CCPA’s 30-day period to “cure” a breach, and impose a variety of GDPR-styled obligations on covered businesses, in addition to an assortment of other requirements. The decisions made in the coming few months on the two proposed sets of updates to CCPA will be an influencing factor to the outcome of the results in November.
 
RL: Thanks to Rebecca for sharing her expertise and insights!

Data privacy is a key priority for ISACA, from our new Certified Data Privacy Solutions Engineer (CDPSE) credential, to ISACA’s CMMI Data Management Maturity (DMM) model, which has helped organizations worldwide develop a customized, strategic approach to help ensure consumer data privacy and make data more secure.

We are watching regulations like CCPA closely and continuing to provide you with the resources, credentials, models and guidance you need to improve data privacy in your organization and industry.