Expert Roundup: The California Consumer Privacy Act of 2018

The State of California has enacted a new law, the California Consumer Privacy Act of 2018, which offers residents of California privacy rights similar to those now available to residents of the European Union (EU) under the General Data Protection Regulation (GDPR). Highlights of the law, which is expected to take effect in January 2020, include:

  • For consumers, the right to –
    • Request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.
    • Request deletion of personal information; the business must delete it upon receipt of a verifiable request, as specified.
  • For businesses, requirements to –
    • Make disclosures about the information and the purposes for which it is used.
    • Provide this information in response to a verifiable consumer request.
    • Allow a consumer to opt out of the sale of personal information.

Other elements in the law range from authorizing businesses to offer financial incentives for collection of personal information to prohibiting a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized.

To understand what the California Consumer Privacy Act means to consumers, industry and the cybersecurity sector, we asked a number of experts in the field for comment. Frederik Mennes, senior manager market & security strategy at OneSpan, pointed out that the Act requires organizations to implement and maintain security controls appropriate to the nature of the personal data. He said, “Organizations should consider implementing multiple layers of security controls, such as data encryption, data anonymization as well as access control based on strong user authentication to meet this requirement.”

The Act is not necessarily good news for business, according to Terry Ray, chief technology officer at Imperva. As he explained, “Someone said to me recently that data used to be like gold, but now it’s more like uranium, still very valuable but also highly radioactive.” He added, “Some of the requirements outlined in CCPA should be easy to meet as long as IT and security teams have data security and data incident response programs already in place. Sadly, there are plenty of organizations that have yet to fully implement either of those programs around data, and for some who have, they have likely only focused on current regulatory target data, like credit card data for PCI-DSS, healthcare data for HIPAA, or other specific data types where consumer private data is not generally included.”

From Ray’s perspective, many large companies still have a long way to go in finishing the technical aspects of the EU’s GDPR. Now, California companies need to be ready for CCPA a year and a half later. “It may seem a big demand on organizations, but in reality, it shouldn’t be,” he remarked. “Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available to assist California companies with these similar requirements. Whether it’s serendipitous or planned by California, following GDPR might have helped get organizations ready for CCPA.”

“It’s impossible not to think of this law as following on the heels of GDPR,” observed Matan Or-El, CEO and co-founder of Panorays. “The precedent of the GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set. Furthermore, it is certainly likely that similar privacy regulations will be adopted by other states. We saw this in the past when California was the first state to publish its breach notification law and most states followed with a similar law of their own.”

The Act comes as no surprise to Jonas Outlaw, senior product manager at Bomgar. As he put it, “In a post-GDPR business landscape, similar US legislation is gaining traction. The information landscape has changed: with the growth of the ‘always on culture,’ driven by the ever-expanding capabilities of mobile devices, and the increase in the digital transformation of services, a wide range of identifiable and behavioral data is now collected and processed by organizations every time we interact online. At the same time, how and where organizations process this data has moved from inside the traditional IT perimeter and server rooms into hybrid and cloud environments in data centers across the globe.”

Outlaw shared that consumers today have more awareness of the collection and processing of their personal data. In turn, this makes security a critical piece of an organization’s data privacy strategy, since data privacy policies depend on the organization being able to control and protect access to the systems that hold personal data. He noted, “It’s also critical that companies today ensure all remote access methods are secure to protect their data as it continues to be a leading attack vector in cyberattacks.”

“The trend in data privacy is not your friend right now,” remarked Pravin Kothari, CEO of CipherCloud. “In the wake of the newly enacted General Data Protection Regulation in the European Union that just went into effect in May, and in the shadow of the pending U.S. Cloud Act and the U.S. Encrypt Act, California’s new regulation sets the bar higher than ever before for U.S. companies. It is pretty clear that companies doing business in the U.S. will require the same data privacy controls and capabilities that multinationals doing business in the European Union require today. As always, ‘failure to protect the data’ signals the same need GDPR has for end-to-end encryption, tokenization, and data residency.”

According to Kevin Bocek, VP of security strategy and threat intelligence at Venafi, there are several important differences between the Act and GDPR that dilute its impact. “For example,” he said, “the fines and penalties for GDPR are much higher than this act, and businesses don’t need to comply with it until they reach $25 million in revenue. There are no similar limits on revenue size in GDPR; it affects all businesses.” To Bocek, it’s not surprising that large tech companies like Google and Facebook opposed the bill. “Controlling the privacy and personal information that flows between machines is incredibly difficult, and a major challenge for all businesses,” he added.

None of this may work, said Willy Leichter, vice president of marketing at Virsec, who commented, “It’s very appealing to consumers that they can opt out of marketing lists and have their data deleted, similar to the European ‘right to be forgotten.’ However, it’s hard to conceive of how this can effectively work. Doing any business online requires sharing data, where it inevitably gets shared, leaked, or shipped across borders. Good luck trying to opt out and retrieve all your personal data when it’s littered around the globe.”