Questions Swirl as California Department of Justice Prepares for CCPA

What is important to the business community with the advent of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020?

At a recent California Consumer Privacy Act rulemaking workshop held by the California Department of Justice (DOJ), the constant refrain from attendees was for the California Attorney General to offer clarity and guidance on the anticipated impact of CCPA.

Several things became clear over the course of the day’s sessions. First, businesses need to think about compliance now and should not hang back.  High-level discussions about operationalizing CCPA should already be taking place within organizations.

Second, industry viewpoints are imperative to the rulemaking process because the California Department of Justice is still determining how the many business use cases that exist may make it difficult, or impossible, for industries to comply. Not knowing all of the possible and potential use cases could make it difficult or impossible for industries to comply.

As an example, businesses with gross annual revenues under $25 million will be exempt. Many start-ups that are in growth mode will not fall under the exemption.  Moreover, the “small business” exception will not apply if a company buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 California residents in a year, nor will it apply if 50 percent or more of the company’s revenues come from selling personal information.

In order to get a better handle on how the CCPA will impact small businesses, the DOJ is currently soliciting feedback or similar use cases from small businesses.

Clarification and guidance were also discussed around Gramm-Leach-Bliley Act (GLBA) regulated entities. The Gramm-Leach-Bliley Act, also known as the Financial Modernization of 1999, is a federal law that requires financial institutions to explain how they share and protect their customer’s data.  The CCPA provides a carve-out for organizations regulated by the Gramm-Leach-Bliley Act, yet there are some ways in which the CCPA will impact GLBA-regulated entities.

First, the CCPA “applies to activities which fall outside the scope of the GLBA.”  Second, consumers can initiate private actions for damages against GLBA-regulated entities in the event of a breach of information, regardless of which act regulated the collection, processing, sale and disclosure of the information.

Questions from GLBA-regulated entities ranged from “What does it mean for an activity to fall outside the scope of the GLBA?” Or, “If GLBA does apply, does the private right go away because of the Supremacy Clause?”

Another hot topic is employee data.  As the law is written, employee data fits into the broad definition with consumers.  Industry viewpoints and use cases were discussed about employers sharing employee data with third-party vendors who develop artificial intelligence (AI) applications.  The AI may be sold, but how will the AI inferences consumed in the algorithms based on consumer data, when sold will the CCPA apply?

The definition of a sale and how it applies broadly for valuable consideration was also a point of contention during workshops.  Will the DOJ provide guidance and SAFE HARBOR for certain types of data sharing?

Other topics in a long list of others were the anti-discrimination requirement and its conflict with financial incentives, the “Do Not Sell My Data” notice requirement along with uniform opt-out, clarity on the consumer verification process and what is required from organizations before enforcement, valid defenses and how to respond to consumers.

Even though the CCPA is still subject to changes and variations, the deadline for determining the impact of the CCPA on your company is fast approaching. And, although the majority of the CCPA will not apply to GLBA-regulated entities, there are still significant implications financial institutions must consider and contemplate before it comes into effect in 2020.

Until further guidance and clarification is provided by the DOJ, the first step organizations should take is to conduct an inventory of the data collected to determine which data will be regulated by the CCPA, and revamp security to avoid breaches which could result in costly damages brought by California citizens.

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

Subscribe to Topics

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Load More