Why the new California data privacy act is nothing to fear
November 07 2019
Those of us who work in data privacy know that this New Year’s Day will look different from the rest. That’s because when the Champagne is put away and the confetti clears Jan. 1, the California Consumer Privacy Act will go into effect.
Throughout the United States and across the globe, companies that do business in California are wringing their hands in worry. For companies that buy, sell or share the personal information of their consumers, the consequences could be dire.
Personal data is used for targeted ads. It helps companies understand buyers, set price points, forecast demographics, sharpen marketing strategy and optimize the user experience. It's a rampant practice, prevalent because it's simply so effective.
Come the first of the year, however, there’s going to be a new sheriff in town, and the policing of how, when and why data is collected and shared will go into full effect overnight. Should old data storage methods be forgot? From where I sit, the answer is: Not so fast.
CCPA may seem like something radical, and for U.S.-based businesses, it is. Any for-profit organization doing business in California that has annual gross revenue above $25 million, that buys, sells, receives or shares the personal information of 50,000 or more consumers, households or devices a year, or that derives half or more of its revenue from selling personal information will be held to its rules on data sharing and privacy. The punishments for noncompliance are significant: civil penalties of up to $2,500 per violation and $7,500 per intentional violation, plus, for data breaches, statutory damages of $100 to $750 per consumer per incident through a private right of action, which means direct civil action in the form of lawsuits.
And we shouldn’t view CCPA as an eccentric California fluke. New York is debating an even stricter law.
Predictably, there’s significant pushback from attention merchants like Facebook and Google — whose troves of non-consensually gathered behavioral and personal data fuel a $76 billion personal data economy in the U.S. alone.
But California and New York have the right idea. And that’s because it’s already been tested.
In 2016, the European Union adopted the General Data Protection Regulation, which has applied since May 2018 and ushered in the most significant change in data privacy regulation in more than two decades. It made breach notification mandatory (to the supervisory authority within 72 hours of becoming aware of a breach); expanded the rights of data subjects to include the right to learn whether their data is being processed and to access it; and secured both the right to be forgotten and the right to data portability.
Its introduction has largely had the expected effect of reining in the consumer data free-for-all that the U.S. is still experiencing. As the CEO of a company with dual headquarters in the U.K. and the U.S., I admit that European regulations made me anxious. But thanks to a combination of planning, careful execution and long-term strategy, we made the transition just fine. Our next hurdle will be if and when Brexit shakes up our data privacy laws again. And in terms of CCPA, well, we're ready.
Here's what we learned the first time around that any company doing business in California should take to heart:
Companies need to accelerate their client strategies
It's already November. The clock is ticking. If you don't have a strategy to make your client data portable and secure, build one now, before the deadline strikes.
Data sovereignty can get confusing
There are many issues when it comes to where personal data is stored. In the U.K., there is a massive debate over how to handle personal information on U.K.-based services if and when Brexit goes through. In California this will be less pressing, but because both businesses and consumers can have multiple headquarters and reside in multiple locations, every company needs to take a good hard look at who owns the data and where it lives when putting privacy measures in place.
Data portability is imperative
If you can't move it, don't store it. When sifting through massive data lakes to find personally identifiable information, the focus must always be on moving that data into a more protected environment where it can be found, exported and deleted on request. This should be the end game, always.
Loopholes need to be closed securely to avoid legal exploitation
If there’s one takeaway from GDPR that I like to pass on to my colleagues who are based only in the United States, it’s this: Laws with the best of intentions can be warped in the courts, and the European regulation is a prime example. As I write these words, there is litigation at play that exploits the basis of the General Data Protection Regulation to violate privacy in the name of justice. The CCPA will need to be examined closely and critically to ensure that similar loopholes in its own language are not exploited in the same way.