The National Impact of CCPA

  • Written by: Jim Sixta
  • December 16, 2020

For a preview of future privacy law in the United States, keep a close eye on The Golden State. On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. When the CCPA passed, industry observers considered it a landmark piece of consumer privacy rights legislation, as it requires certain businesses to disclose whatever personal data they have about a consumer whenever that person requests it. 

California voters raised the stakes in November 2020 by passing the California Privacy Rights Act (CPRA), which extends the CCPA’s scope and gives it new enforcement bite. Under CPRA, which takes effect January 1, 2023, the newly created California Privacy Protection Agency (CalPPA) can enforce the CCPA through steps such as auditing businesses’ privacy practices and ordering regular risk assessments as deemed necessary (a deep dive into all of the CPRA’s implications).

So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills. California’s pioneering laws will certainly help shape what other states do (a quick reference to where privacy legislation stands in each state). 

Plus, some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just those living in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers. 

New Rights for Consumers: 

While much remains unclear about the California law’s exact impact on business, it does set certain rights in place for consumers’ data: 

  • Knowing what personal information is collected, used, shared or sold. The CPRA now requires that this information be shared with consumers “at or before the point of collection.” 
  • Having the right to delete personal information held by businesses, and by extension businesses’ service providers. The CPRA extends this requirement so that companies must share the deletion request with anyone they have shared the information with.
  • Exercising the right to opt-out of sale of personal information. (Children under 16 must provide opt-in consent. Children under 13 need parental or guardian consent.) Consumers can also prohibit the “sharing” of their information in scenarios such as one company giving it to another company for advertising usage, even if no money changes hands for the information. 
  • Having the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA. 
  • Having the right to correct inaccurate personal information. 

How CCPA Compares to GDPR 

While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply. 

These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe. 

The GDPR is also designed to make regulations easier to comply with for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.

Federal Privacy Law Potential 

We may see this sort of universal legislation in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation. 

The possibility of federal privacy laws resembling the CCPA or GDPR is growing. Several senators have worked together to propose bills like the SAFE DATA Act, which place stricter limitations on algorithmic decision-making, biometric data, and data minimization.

The move toward federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact its own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, it’s worth noting that even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.

Concerns Over Privacy Legislation 

As with any significant change, there are concerns over the stricter privacy laws. One case out of Germany shows why they may be justified. An Amazon Alexa user requested all of the audio files the device had picked up from him. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.

That’s just one example of how a legitimate customer’s private data could end up with the wrong person through a data request. Even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.

A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers smiling. In short, the business wanted more private data to release the customer’s private data. It appears to be a cybersecurity cycle that organizations are still trying to figure out.

What You Can Do 

With so much new legislation, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers (an overview of how privacy laws impact businesses and compare to overall security). 

Even if you’re not interested in giving your business a boost with proactive privacy, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming. 

Here are a few steps your business should be taking now to get ready: 

  1. Designate a privacy officer, someone in charge of organizing the process to become compliant.
  2. Be externally compliant. Update your privacy notice on your company website.
  3. Think about data inventory. Know where information is located within your system.
  4. Figure out how you will be able to obtain and report customer information when requested.
  5. Decide on a verification process to ensure the data you’re giving out is going to the correct person.

Figuring this all out may not be easy, but getting to work on it early could save you a lot of issues and headaches later. Regardless of whether it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive. 

If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, HBS representatives work with national and international businesses every day. An HBS cybersecurity expert would be happy to help guide you through the privacy legislation process. For assistance, please contact us today.
