A CISO’s Perspective on Data Governance, the CCPA, and the Future of Privacy
The CCPA is the first major US privacy legislation to be enforced in the wake of the GDPR. Tell us, at a high level, what the CCPA means for businesses.
The largest challenge for organizations addressing the CCPA, or any other privacy regulation, is that they will need to assess their data governance practices (e.g., data classification, data handling, data protection) and determine whether those practices are under-tooled or inadequately documented. Organizations need to know what type of information they collect, how it is used internally, and with whom they share this information, so that they have adequate procedures in place. This will ensure the consumer is appropriately engaged in the process, beginning with the privacy notice, continuing with how they manage consent, and extending across the broader privacy lifecycle.
Too frequently, there are important disconnects between stakeholders within the organization. Sales and marketing don’t typically communicate with privacy or security teams, and this lack of coordination exposes the organization to legal, privacy, and security risks.
Like security, privacy is a multi-disciplinary domain that requires input from and collaboration among stakeholders, and most importantly the consumer—their consent should be integral to the entire process.
When organizations ignore the consumer in the process, they frequently delve into the realm of ‘unfair and deceptive’ trade practices that result in the Federal Trade Commission (FTC) invoking consent orders against the firm. These typically result in 20-year bi-annual audits of the organization’s privacy and security practices. No firm willingly wants that level of government oversight.
One of the biggest criticisms of regulations like the CCPA is that it hinders innovation. What’s your perspective here?
I’m a contrarian in this regard. Good regulation—meaning regulation that protects privacy and security—drives innovation. Just look at the security space. We’ve seen massive improvements with respect to security architecture in the last few years with tools that help with automated data discovery, classification, and protection (including tokenization, pseudonymization, and format-preserving encryption), privacy management tools, deception to understand adversarial behavior, and security orchestration, automation and response (SOAR) tools that automate security functions.
As a case in point, Delphix’s DataOps platform highlights important privacy-protecting and security-enhancing innovation that is perfectly suited to address the requirements of regulations such as the GDPR or the CCPA. These capabilities will become requisite features for privacy and security services architectures moving forward. If an organization collects personal and sensitive data, in all their respective guises, then tokenization, data masking and pseudonymization will become the norm. Doing this at scale and with minimal impact on operations is a capability that exists today and should be widely employed.
I believe that good regulation—emphasis on good here—drives innovation. What’s important, however, is that we don’t create a regulatory bar so high that smaller organizations cannot enter markets given the inherent cost of doing business. That would be a market failure. My concern is that too many smaller and medium-sized businesses that are integral to our economy are limited in their ability to implement appropriate privacy and security programs.
Businesses that have undertaken GDPR compliance will have an advantage in addressing the CCPA, but those efforts alone won’t suffice. How does the CCPA differ or go beyond the scope of GDPR?
The CCPA and the GDPR are similar, but there are important differences that security and data governance leaders should be aware of as they oversee their security and privacy programs.
The European Union’s General Data Protection Regulation (GDPR) is pervasive in scope and has important impacts on privacy and security—indeed Article 25 requires ‘data protection by design and by default’—for organizations both within the EU as well as those that market to data subjects (aka residents within the EU).
Most notably, the California Consumer Privacy Act (CCPA) is specific to a single state, California, versus an economic union encompassing more than 20 European countries—most of Europe, with the ongoing odd case of England. The economic impacts of the GDPR are certainly more widespread, and the EU has been focused on privacy since well before the adoption of the GDPR. The 1995 Data Protection Directive laid the foundation for the GDPR and similarly had expansive impacts on privacy practices throughout the EU and arguably the rest of the world.
Privacy is also a right in Europe. Article 1 of the GDPR outlines the ‘fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,’ and data subjects must provide their consent (e.g., opt in) prior to having their information collected. The U.S. Constitution does not explicitly call out privacy, and generally speaking, U.S. privacy practices—until recently—have placed the burden on the consumer to ‘opt out’ when their information is collected against the consumer’s preferences. Unlike the U.S. Constitution, California’s constitution does provide a right to privacy.
Both the GDPR and the CCPA establish important privacy rights for data subjects. Chapter III of the GDPR outlines a number of important privacy rights including the now famous ‘right to be forgotten,’ which is technically noted as the ‘right to erasure’ (Article 17). Other rights include the ‘right to access’ (Article 15) and the ‘right to rectification’ (Article 16). These privacy rights have important analogs in both the CCPA as well as other sector-specific regulations, such as HIPAA where consumers have a right to access their health records. Consumers here in the U.S., as another example, have the right to review credit reports annually and to request that inaccurate information be corrected by the credit reporting agencies.
The CCPA expands privacy rights to include a requirement that businesses clearly notify the consumer what specific data elements or categories of information are being collected about them, and whether this information is being sold to third parties. Importantly, consumers can preclude their information from being sold to third parties, and when they exercise this right or the others established within the CCPA, the consumer should not face any discrimination from the business for having exercised their privacy rights. Like the GDPR, the CCPA establishes an expectation for ‘reasonable’ security over the personal information collected (1798.150).
Ultimately, both the CCPA and the GDPR have driven fundamental change to how organizations think about their data governance practices and have made the topics of privacy and security appear frequently on executive and board agendas. In this spirit, the CCPA and the GDPR have been effective at raising the awareness of how organizations collect, store and share sensitive data about consumers (aka data subjects).
Looking ahead, what is your expectation for how the regulatory and compliance landscape will evolve?
Presently, all 50 U.S. states have breach notification laws. Many states are now also drafting their own privacy laws. A case in point is Washington state’s privacy law (SB 6281), which would have been similar in tone to both the GDPR and the CCPA, but it did not pass through the state’s legislature. Washington state did pass SB 6280, which is notable for addressing appropriate uses and disclosure of facial recognition applications. Vermont also enacted a privacy regulation in 2018 that requires disclosures by data brokers.
Unfortunately, and unlike our neighbors in both Canada and Mexico, the U.S. will likely continue with a complicated patchwork of state-specific privacy requirements. Federal privacy regulation does not seem to be a priority given the current political climate in D.C. Even if we do get a federal privacy law, it’s more than likely going to be unduly influenced by industry and not consumers, given Citizens United and the lobbying that’s so prevalent in our capital. The likely status quo for the next several years will be that larger, multi-national organizations broadly follow the requirements established in the GDPR.
When I was a research director at Gartner, I covered privacy and specifically the GDPR, and that was certainly the approach many Gartner clients conveyed. I also foresee that California will continue to set privacy precedent for many other states, so organizations would be well served to have a solid working knowledge of both the GDPR and the CCPA. In that vein, organizations will be able to validate their processes for handling requests from consumers (subject access requests or data subject access requests) and how they validate consumer identities when these requests occur. Too frequently, these procedures, while well understood by counsel, are never adequately communicated to front-line employees.
What's your best piece of advice for business leaders looking to tackle compliance—especially for those who will need to make a significant investment?
First and foremost, organizations need to read the CCPA and the proposed regulations offered by the California Attorney General. Unlike the GDPR (which is over 250 pages), the CCPA is relatively short (less than 50 pages). I think too few companies actually understand and read the regulations that apply to their organization.
Critically, organizations should take a data-centric view of compliance—one that is biased toward protecting the consumer’s rights in both the collection and processing of their information. There are fantastic applications and tools available that will help with the technical side of privacy and data protection. Complement these tools by having a strong advocate for the consumer when thinking about business practices that involve the collection of personal data.
Organizations focused on making their relationship with the consumer transparent engender trust and build goodwill.
As a consumer, I want to give my business to companies like these. I’d also invite data governance and security leaders to read Recital 39 of the GDPR. It’s just a page in length but sets the tone for privacy expectations not only in Europe but globally. Lastly, map your data—data flows are a beautiful thing!