Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

ARTICLE

3 mins to read

Questions Swirl as California Department of Justice Prepares for CCPA

Views
Larger Font
3 minutes to read

What is important to the business community with the advent of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020?

At a recent California Consumer Privacy Act rulemaking workshop held by the California Department of Justice (DOJ), the constant refrain from attendees was for the California Attorney General to offer clarity and guidance on the anticipated impact of CCPA.

Several things became clear over the course of the day’s sessions. First, businesses need to think about compliance now and should not hang back.  High-level discussions about operationalizing CCPA should already be taking place within organizations.

Second, industry viewpoints are imperative to the rulemaking process because the California Department of Justice is still determining how the many business use cases that exist may make it difficult, or impossible, for industries to comply. Not knowing all of the possible and potential use cases could make it difficult or impossible for industries to comply.

As an example, businesses with gross annual revenues under $25 million will be exempt. Many start-ups that are in growth mode will not fall under the exemption.  Moreover, the “small business” exception will not apply if a company buys, receives, sells or shares, for commercial purposes, the personal information of 50,000 California residents in a year, nor will it apply if 50 percent or more of the company’s revenues come from selling personal information.

In order to get a better handle on how the CCPA will impact small businesses, the DOJ is currently soliciting feedback or similar use cases from small businesses.

Clarification and guidance were also discussed around Gramm-Leach-Bliley Act (GLBA) regulated entities. The Gramm-Leach-Bliley Act, also known as the Financial Modernization of 1999, is a federal law that requires financial institutions to explain how they share and protect their customer’s data.  The CCPA provides a carve-out for organizations regulated by the Gramm-Leach-Bliley Act, yet there are some ways in which the CCPA will impact GLBA-regulated entities.

First, the CCPA “applies to activities which fall outside the scope of the GLBA.”  Second, consumers can initiate private actions for damages against GLBA-regulated entities in the event of a breach of information, regardless of which act regulated the collection, processing, sale and disclosure of the information.

Questions from GLBA-regulated entities ranged from “What does it mean for an activity to fall outside the scope of the GLBA?” Or, “If GLBA does apply, does the private right go away because of the Supremacy Clause?”

Another hot topic is employee data.  As the law is written, employee data fits into the broad definition with consumers.  Industry viewpoints and use cases were discussed about employers sharing employee data with third-party vendors who develop artificial intelligence (AI) applications.  The AI may be sold, but how will the AI inferences consumed in the algorithms based on consumer data, when sold will the CCPA apply?

The definition of a sale and how it applies broadly for valuable consideration was also a point of contention during workshops.  Will the DOJ provide guidance and SAFE HARBOR for certain types of data sharing?

Other topics in a long list of others were the anti-discrimination requirement and its conflict with financial incentives, the “Do Not Sell My Data” notice requirement along with uniform opt-out, clarity on the consumer verification process and what is required from organizations before enforcement, valid defenses and how to respond to consumers.

Even though the CCPA is still subject to changes and variations, the deadline for determining the impact of the CCPA on your company is fast approaching. And, although the majority of the CCPA will not apply to GLBA-regulated entities, there are still significant implications financial institutions must consider and contemplate before it comes into effect in 2020.

Until further guidance and clarification is provided by the DOJ, the first step organizations should take is to conduct an inventory of the data collected to determine which data will be regulated by the CCPA, and revamp security to avoid breaches which could result in costly damages brought by California citizens.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Article

Find a similar article by topics

Authors

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

For project managers, managing risks and issues is akin to steering a ship through the open ocean. There are moments...

Article

What is it about

According to the annual Sonatype State of the Software Supply Chain Report, open source software (OSS) consumption is growing at...

Article

What is it about

If the year 2020 taught us anything, it was to expect the unexpected. During this unique time, we saw companies...