State of interdependence - why the CCPA isn’t just ‘GDPR-US’

When the California Consumer Privacy Act of 2018 (CCPA) was passed unanimously in June 2018, it was rushed through with the backing of more than 600,000 citizens – partly to prevent even tougher measures from going before the state Senate.

Facebook, Google, and a host of telecoms companies were among the corporate denizens of the state to speak out against the measures, and have devoted their efforts since then to attempting to water them down before they go live. But go-live date, January 2020, is now fast approaching.

The irony of California – home to Silicon Valley and much of the US software industry – being the first state out of 50 to stand up to the likes of Alphabet, Facebook, Amazon, Uber, and the rest, was not lost on commentators. Especially when The Valley has made such a significant contribution to California becoming the world’s fifth largest economy.

But the legislation was not a complete surprise. Since 1972, privacy has been an inalienable constitutional right of all Californians. Earlier this year, San Francisco banned the use of live facial recognition systems by police and security agencies. The ban also prohibits the use of data gathered by facial recognition systems. City supervisor Aaron Peskin said:

We have an outsize responsibility to regulate the excesses of technology precisely because they are headquartered here.

As a progressive, liberal, green-minded administration, it’s fair to say that California is currently not too popular with the White House - see early morning Presidential tweets passim.

Either way, the US now faces an intriguing dilemma: a federal data privacy law that weakens some of CCPA’s more onerous provisions – which some technology companies have called for – isn’t happening anytime soon. So CCPA could become a de facto solution, given the expense, inconvenience and – frankly – contradiction in terms of attempting to apply a piecemeal, state-by-state approach to digital business.

Coming, ready or not…

But it’s not a simple case of ‘tech versus citizens’. Not all technology companies have opposed the principle of introducing US data protection rules. Last year, implementation of Europe’s General Data Protection Regulation (GDPR) led to a slew of technology companies speaking out in support of regulation, albeit in the broadest terms.

Microsoft (again), Apple, Salesforce, and SugarCRM are among those who have issued written statements, opened portals, or made public comments about the need to protect consumer data, with Microsoft echoing California by describing privacy as a “fundamental right”.

The mood music in the industry was audible – change was coming – even if the exact melody might have been hard to pick out from the background noise back in May 2018.

So in 2020, will everyone be ready to sing the new tune? Not according to a new report from a company called Ethyca, which specialises in automated data privacy infrastructures. While Ethyca clearly has a vested interest in selling its compliance solutions, its research findings have some value.

Ethyca interviewed 85 US corporates across a range of verticals and found that 88% of them have yet to reach an adequate state of compliance ahead of CCPA’s implementation, with other US data privacy regulations perhaps set to follow.

More than 70% have “no engineering solution to policy compliance”, relying instead on “man-hours and retro-fitted processes” to do the work. Meanwhile, 38% of companies said they will need another 12 months before they are compliant, and 75% use a completely manual (as opposed to an automated or software-informed) solution for internal compliance tasks. So far, so predictable (and so on-message in Ethyca’s terms).

Of more interest are the company’s findings on where compliance sits as a function within US corporations: 38% allocate their compliance budget to the IT team, 12% to the security team, 25% between the legal and IT teams, and 25% have not assigned budget to any specific division at all.

Ethyca also found that most companies are largely focused on CCPA and GDPR, and have given little or no consideration to the many less-publicised data privacy laws in other parts of the world. Institutional myopia seems to be the order of the day. CEO of Ethyca Cillian Kieran says:

There’s a prevailing sense that organisations fall short of a state of privacy compliance. This shouldn’t be surprising. Regulatory compliance in any domain doesn’t happen the moment legislation comes into effect. Rather it’s a process that’s heavily influenced by the obstacles to adoption. But companies are running out of time to tackle these obstacles, with incidents of GDPR enforcement continuing to rise as citizens and regulators find their footing with the new legislation.”

He predicts:

The CCPA’s implementation in 2020 may follow a similar path with enforcement building slowly over an initial period, then reaching a more active maturity. The trend toward enforcement should be concerning for companies that have to work to do to reach a state of readiness for the regulations.

It all sounds very familiar. So how much could California and the US learn from Europe’s experience with GDPR – not to mention US companies’ experiences with the rules, which have seen a number of websites go dark to European readers? After all, the most visible result of GDPR has been some irritating tick boxes on websites – though British Airway’s publicly announced fine of £183.9 million ($236 million) back in June certainly got the media’s attention.

When Jonathan Bamford, Director of Strategic Policy at the UK’s Information Commissioner’s Office (ICO) addressed a Westminster eForum conference on GDPR back in January this year, he revealed some alarming findings. The most notable of these was that many UK organisations had no idea about the fundamentals of data protection until GDPR was introduced, despite having had legal obligations for two decades under the 1998 iteration of the Data Protection Act.  He said:

One of the most interesting things we’ve noticed is how many organisations woke up to data protection for the first time with GDPR. And a lot of the work we’ve had to do in terms of advice and complaints-handling has been on what I regard as core data protection issues. Not new things that have cropped up under GDPR, but data protection basics that organisations should have been on top of for a long, long time.

A lot of our effort hasn’t been on the minutiae of changes under GDPR or the Data Protection Act 2018, it’s been on core issues like subject access. A lot of the enquiries we’ve received have been about these data protection basics.

By January 2019 – eight months on from implementation of GDPR – there had been a 93% year-on-year increase in basic enquiries to the ICO, plus a 94% surge in the number of complaints: the ICO received some 43,000 breach notifications between May 2018 and the end of that year, about one-third of which would probably be upheld, he suggested.

Most of those complaints were about core privacy and protection issues. Complaints about subject access to personal data were up by 98%, while complaints about wrongful disclosure had increased by 131%. ‘Inappropriate security’ complaints had soared by as much as 179%, he added, while those about data retention (holding records for too long) were up by 81%. Lots for California to look forward to.

Also notable was Bamford’s comment that the ICO was still working through a backlog of cases brought under the 1998 Act, and his bone-dry observation that organisations were largely focused on GDPR and seemed unaware of the wider implications of the Data Protection Act 2018.

All of this suggests one thing: it took the combined might of 28 European nations to get some companies – and the general public – to even notice that data protection was a legal requirement, and had been since the dawn of e-commerce. Arguably, it took fines of four percent of global turnover (or €20 million) to finally ram the point home. By comparison, CCPA’s financial penalties seem unlikely to scare off serial infringers.

According to the Ethyca report, there’s no clear path to solving the “dissonant state of affairs” regarding data protection unless organisations commit to a deeper reassessment of their processes and protocols. To this end, it says, a dedicated privacy infrastructure may have the longest deployment and lead time, but will promote the highest level of compliance and the lowest amount of long-term friction. The report explains:

While the investment can prove a challenging sell to those outside the cut and thrust of daily privacy operations, we continue to believe that only through deep and meaningful structural change can businesses build a data operations for the coming decade and beyond.

Kerching!

Not just ‘GDPR-US’

Another report, from contextual marketing company Herow, is among the many lining up to point an accusing finger at the US as CCPA lurches into view, like a Senator at an impeachment hearing. However, the checklist-style document reminds us of an important legal point: the one thing CCPA actually isn’t - even if it’s a nice badge -  is ‘GDPR US’.

For example, GDPR protects all citizens who generate data within the EU, while CCPA merely affects consumers who are California residents. GDPR requires consumers to opt in to data collection, while CCPA only offers them the right to opt out.

More, GDPR affects all organisations of every size and type in every sector, whereas CCPA requires businesses to be a certain size or possess a certain amount of data before the rules can be enforced, with fines assessed on a per-violation basis. (CCPA affects for-profit companies with gross revenues of $25 million-plus and/or which process the data of 50,000 or more consumers, households, or devices, or earn more than half of their revenues from selling consumer data.)

GDPR confers a right for a data subject to delete their information regardless of where it came from, whereas CCPA only relates to data collected from, and about, the consumer.

Both offer a right to data portability. Under GDPR, organisations must transfer a data subject’s information to another data controller if requested, while CCPA requires that businesses divulge details related to data sales and processing activities over the previous 12 months. Under CCPA, companies should only offer consumers the information electronically and in a readily useable format.

GDPR mandates that parents must consent to anyone under the age of 16 having their data processed in an online environment, whereas CCPA enables anyone over 13 to consent on their own behalves. It also only addresses the sale of their data and insists on opt-in consent.

However, it is worth bearing in mind that all children are regarded as having a right to privacy and free association under Articles 13-17 of the UN Convention of the Rights of the Child, the single most widely adopted piece of legislation in the world.

My take

It’s fair to say that Europe has been in the vanguard of forcing data protection and privacy into the spotlight, as a handful of US corporations have become too powerful on the back of all of our data. As Roger Taylor, Chair of the UK’s Centre for Data Ethics and Innovation, observed recently, Californian algorithms have a disproportionate effect on how we all live, work, and consume media.

He told a recent Westminster eForum on AI policy:

We’re now in a situation where an algorithm decides ‘These are the next five videos that we recommend you watch’ or ‘These are the news stories we’re going to put in front of you today’ and it’s designed in California. The old mechanisms have simply gone.

“So the question for us as a society is, we could just say ‘We’ll go with the ‘California model’ as the future, but it is a question for us to decide. Because there is clearly now a difference from how we’ve done things in the past.

The irony, of course, is that a handful of Silicon Valley software corporations are the problem, not California itself. Out of all the US states, California understands the problem better than anyone.