Ramifications of California's Consumer Privacy Act


Thought Leadership

Ramifications of California's Consumer Privacy Act

David Wagner

The General Data Protection Regulation may have been the first set of data protection and privacy regulations with sweeping requirements and global reach, but no one expected it to be the last. Keeping data safe from manipulation and exploitation is one of the most important issues of our day, and in many ways, GDPR was overdue. Not surprisingly, regulators outside the European Union are considering similar protections.
California recently passed AB 375, a state law that loosely mimics GDPR. As currently written, the law requires companies to disclose what data they're collecting on California residents, why, and with whom they're sharing the data. Consumers can also request to have data deleted and initiate civil proceedings if they feel their privacy has been violated.
This law was drafted in direct response to large-scale data breaches at outlets like Target and Equifax. And it was accelerated by the revelation that Facebook and Cambridge Analytica had exploited millions of social media users. Individuals are justifiably anxious about their personal data, so much so that even after AB 375 passed, a petition to put even stricter rules on the books collected more than 600,000 signatures.
The sentiment in California is not unique. More states, national governments, and international alliances are likely to require things like prompt disclosure and the right to be forgotten. This will force companies to reevaluate their relationships to data and their approaches to compliance. In the past, it may have been acceptable to leave small pools of data unsecure or go months before disclosing a breach. GDPR makes that impossible for many companies, and as the regulatory landscape expands, the burden will likely extend to all companies that handle personal data.


Moving Toward an International Standard

When GDPR first passed, there was debate about whether companies not subject to the rules should make efforts to comply. The consensus was that they should because GDPR would eventually evolve into an international standard. At some point soon, all companies will have to tightly regulate their data; they may as well begin now.
That advice looks appropriate considering the pace of new regulations. Legislators in New York state are debating a law similar to AB 375. Not only does the bill outline many of the same protections, but it also has the support of business and consumer organizations. Regardless of whether it passes in Albany, it illustrates the groundswell of momentum around data protection legislation.
That momentum is not limited to the U.S., either. Brazil is working on regulations directly modeled on GDPR. And, like the EU regulations, they would apply to almost any business that collects data on residents of Brazil.
Getting started early is also important considering the scope of the effort. Complying with these rules broadly while respecting all their local variances will be a huge undertaking. In addition to new processes and technologies, it will require a new culture around data that puts individual privacy first. Regardless of how companies feel about an international standard, it’s a disruption that needs to be on everyone’s radar.

Achieving Compliance across the Board

Managing compliance is becoming more difficult while noncompliance becomes an ever larger risk. Here are some strategies to help companies protect data and their bottom lines:
  • Account for All Data — GDPR treats all data breaches the same way, no matter how many records are released. Companies will need to secure every information channel, including email, in addition to the traditional focus on databases. Generally, it’s time to expand policies from the “most sensitive” data to a focus on all data and communication channels.
  • Prioritize Governance — Companies must plan to disclose data breaches just days after they happen. Meeting that timeline means identifying and quantifying an attack almost immediately. Clear data breach policies and data governance will be essential; otherwise, companies risk the embarrassment of a breach and the penalties of regulators at the same time.
  •  Think Beyond Compliance — Noncompliance is a risk, but it shouldn’t be what drives your data protection efforts. Trying to meet just the specific requirements of regulators inevitably leaves gaps and cracks in your strategy. A full evaluation of business processes and enterprise risks is required for compliance to be consistent and manageable.
  •  Seize the Advantage — Consumers want to work with companies that are transparent about how they use data, as well as those that are committed to protecting individual rights. Complying with new data regulations can be a competitive advantage, and treating compliance like an opportunity instead of a risk makes it easier to gain enterprisewide commitment.
We know that more data protection rules are coming, but how they will overlap, interact, and conflict remains to be seen. Companies can wait until the details are worked out and then calculate their exact regulatory obligations. But by then, they will be far behind the curve and will face the likelihood of fines, fees, bad publicity, and lost customers. Until we have a true international standard, companies should consider operating like one already exists.