The California data protection law domino effect

The General Data Protection Regulation deadline has come, gone, and (hopefully) been met, but don’t get rid of those privacy experts just yet.

While you were celebrating your GDPR compliance, California put in its two cents and raised the stakes. On June 28, 2018, the California Consumer Privacy Act of 2018 (CCPA) bill passed unanimously in the Assembly and Senate and was signed by Governor Brown just hours later.

When it comes to matters of technology, when California sneezes the rest of America catches cold. Undoubtedly, this new legislation will spur a domino effect, motivated as it was by growing concern among citizens about the misuse of their private information.

Headline-grabbing data breaches have become more frequent, but the Facebook Cambridge Analytica scandal was arguably the tipping point. It shocked the world and revealed to social media users just how much of their data autonomy they have ceded to organizations that will sell their private information to the highest bidder as easily as they’ve sold their own souls to the devil.

So, like GDPR, this new law is both necessary and welcome (to private citizens, at any rate), and while it’s not yet finalized, whatever the final version looks like, it will be complex and far-reaching in its implications. Privacy experts will again have their work cut out for them as they study CCPA to devise a roadmap and action plan to meet the Jan. 1, 2020 deadline.

The Act in a Nutshell

In its essence, and as it currently stands, the new law either requires, prohibits, or permits the following:

  • It requires that a business disclose what type of data it collects, for what purpose and which, if any, third parties it shares that information with.
  • It requires that a business honor all verifiable consumer requests to delete their personal data.
  • It permits companies to offer consumers financial incentives for permission to collect their information.
  • It prohibits companies from retaliating financially against individuals who opt out of the sale of their information.
  • It requires that a company supply the consumer with a copy of all information it holds on that individual, within 45 days of the request and in a universally readable format.

Email is Getting a Facelift

Let’s take a moment to ponder that last requirement. Of all the areas addressed by CCPA, this one has the potential to become most burdensome to those doing business with Californians. You’d better believe that there will be a slew of citizens demanding access to this information, if only to satisfy their curiosity as to how much “dirt” an organization has on them.

The challenge for organizations, then, will be delivering that confidential information in its entirety, which may be frankly enormous and assuredly too large for conventional email, in a manner that is timely, secure, and auditable, and that comes with proof of receipt.

Your run-of-the-mill email program can’t do it, yet the task is an ad hoc one. Also, companies can hardly ask individuals to comply with their demands to share encryption systems or protocols, and besides, the law stipulates that the information be provided “in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.”

So, add the reinvention of enterprise email to that roadmap, because whether you opt for one of the existing and already compliant email encryption technologies (thank you GDPR), or wait for your email client to catch up, email is getting a facelift, and organizations are acquiring a significant new burden of compliance.

One Man’s Burden is Another’s Boon

Like GDPR before it, CCPA will be a burden to some and a boon to others. Those who stand to benefit are, of course, California consumers along with the keepers of the security and encryption kingdoms, privacy experts, and lawyers. Indeed, CCPA is likely to become a legal minefield and California legal firms will no doubt experience a bonanza of new business for some time to come.

For the enterprise, it will be a burden that requires a detailed and careful plan. Clear, well-thought-through actions, staff training, and communication will be necessary to help mitigate the risks, along with great technology to help avoid costly mistakes.

So, get ready for CCPA and the domino effect that is bound to follow. Consumers are taking back their privacy and putting tech companies and the legal profession to work.
