California’s new data privacy law went into effect Jan. 1, 2020, but the date is largely symbolic. Companies should already have a data management plan in place by now, as certain provisions within the new law call for companies to be able to provide data going back 12 months, and California’s attorney general has stated that full enforcement will not be likely until after July 2020.
Since the California Consumer Privacy Act of 2018 (AB 375) was passed in the summer of 2018, companies, interest groups, consumers and government actors have been discussing what the law actually does and how it will be enforced. Several amendments were passed in September 2019, putting to rest a host of questions, but despite this and several public discussion forums, companies’ interpretations of the law and how to comply with it widely differ.
The problem with nonstandard application of the law rests on both sides. The law itself grants the courts and the attorney general broad freedoms to enforce it as they see fit, and several provisions within the law will be clarified through enforcement actions. The law grants consumers the right to request their personal data be deleted, for example, but also grants companies several exemptions to this clause, including a variety of business purposes that provide ample wiggle room.
This means companies are currently complying as far as they feel they need to. Facebook, Inc. is punting compliance off to its many vendors, claiming it merely provides access to users’ data through its targeted advertising service; and Evite has taken an aggressive approach to compliance by giving users information and quick access to choices on how their data is collected and shared.
Read the law, talk to IT
This bill grants Californians the right:
To know what personal information is being collected about them.
To know whether their personal information is sold or disclosed and to whom.
To say no to the sale of personal information.
To access their personal information.
To equal service and price, even if they exercise their privacy rights.
The full text, as amended, of the California Consumer Privacy Act of 2018 is available online. It is not a long document and includes a list of definitions that help to clarify several misconceptions. The regulatory burden is not enormous, the fines are reasonable and easily avoided, and the consumer’s right to file a lawsuit is limited. It is not hard to understand the five basic rights granted to Californians under this law and why those rights are important in the digital age.
The real burden is the cost of gaining control over data flows. For-profit organizations doing business in the U.S. have enjoyed more or less free rein with personal data, which, together with powerful data mining and collection tools, has led to petabytes of personal data being stored, managed and analyzed on servers and then shared into a more or less unregulated third-party ecosystem. Companies are now being asked to meticulously map those flows and be able to reproduce them when asked, within a certain time frame.
This quote from a CSO article hints at the challenge:
“Most file search tools lack the ability to search across the modern file repository ecosystems so prevalent today,” says Aaron Ganek, CEO of Cloudtenna. “Cross-silo file management is a major challenge. It is difficult to understand context for each file if they are scattered inside different repositories." Plus, compliance issues are associated with pulling together data, he says. "Legacy enterprise tools struggle to observe the disparate permissions and security models, violating the very laws and regulations they’re being used to satisfy.”
As we have discussed before in regard to data transparency and the role of artificial intelligence in supply chains, the real challenge going forward is not regulatory compliance as much as the technical ability to comply, and what those solutions might look like.
Waiting for that big case
California Attorney General Xavier Becerra told National Public Radio that although he won’t enforce the law until July of 2020, he considers it in effect as of Jan. 1. It seems as if the attorney general will seek out big cases to send a message, rather than seek to enforce every possible violation, no matter how small:
"[T]he bigger the company, the bigger the problem,” Becerra said. “The bigger the universe that has data that is used in certain ways, that could lead to that violation, the bigger the case will be.”
Like the EU’s tactic with the GDPR, California’s authorities may choose to take on big players such as Facebook, Alphabet Inc.’s Google or Amazon. Forcing those major companies to ensure data transparency will have downstream effects that could, eventually, create global standards for the digital world that companies, consumers and public officials are hoping for.
California’s data privacy law presents a formidable challenge for companies in the business of collecting and sharing data: gaining transparency over data flows.
It’s likely that big cases in the courts will do more to decide what standards will be enforced than guidance, public commentary or lobbying.