In late June 2018, California passed a consumer privacy act, AB 375, that could have more repercussions on U.S. companies than the European Union’s General Data Protection Regulation (GDPR) that went into effect this past spring. The California law doesn’t have some of GDPR’s most onerous requirements, such as the narrow 72-hour window in which a company must report a breach. In other respects, however, it goes even further.
The California Consumer Privacy Act (CCPA) takes a broader view than the GDPR of what constitutes private data. The challenge for security, then, is to locate and secure that private data.
What is the CCPA?
AB 375 allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Which companies does the CCPA affect?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that have personal data on at least 50,000 people, or that collect more than half of their revenues from the sale of personal data, also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States.
An amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
When does my company need to comply with the CCPA?
The law goes into effect on January 1, 2020. As a practical matter, companies need to have their data tracking systems in place by the start of 2019, since it gives consumers the right to request all the data a company has collected on them over the previous 12 months. That’s a very tight timeframe.
What happens if my company is not in compliance with the CCPA?
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. “If you think about how many records are affected in a breach, it really increases very quickly,” says Debra Farber, senior director for privacy strategy at BigID. Since the bill was put together and passed in just a week, it will probably see some amendments, she adds. “Things like the fine amounts are likely to change.”
There’s also another potential financial risk, Farber says. “The bill provides for an individual’s right to sue, for the first time,” she says. “And it allows class action lawsuits for damages.”
Again, there’s a 30-day window that starts when the consumers give written notice to a company that they believe their privacy rights have been violated. “If it’s not cured, and the attorney general declines to prosecute, then they can bring a class action suit,” Farber says. “And it’s not just around breaches.”
For example, the law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. They can also sue if they can’t find out how their information has been collected or get copies of that information. “It can be around anything,” Farber says.
The law assigns specific penalties should unauthorized access occur, whether through a breach, exfiltration, theft, or “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” As currently written, AB 375 allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
“Add in all the other breach related costs — IT response, forensics and recovery, legal, notification, and so on — and this could push a breach into the realm of an existential threat to many businesses,” says Chris Prevost, head of runtime security solutions architecture at Imperva.
In general, if a company took the steps needed to comply with the GDPR, then it’s most of the way there for the California Consumer Privacy Act. At least, it’s closer than if it isn’t ready for GDPR, says Eric Dieterich, data privacy practice leader at Focal Point Data Risk, LLC. “Some multinationals made changes for their European markets, but maybe didn’t roll it out to U.S.-based activities, so there might be a scoping change,” he says.
What data does the CCPA cover?
The California law takes a broader approach to what constitutes sensitive data than the GDPR. For example, olfactory information is covered, as well as browsing history and records of a visitor’s interactions with a website or application. Here’s what AB 375 considers “personal information”:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes
An amendment, AB 874, currently awaiting the governor’s signature, would exempt publicly available, deidentified and aggregate consumer information from being classified as PII. Publicly available information is defined as data available and maintained from government records.
The CCPA originally covered employee as well as consumer data. An amendment passed in April, however, exempts employee data from the regulation. Another amendment, AB 25, partially exempts personal information collected from job applicants, owners, directors, officers, medical staff, and contractors. This exemption would expire on January 1, 2021. AB 25 was awaiting the governor’s signature at this writing.
What are the key privacy provisions in the CCPA?
Companies must allow consumers to choose not to have their data shared with third parties. That means that companies will now have to be able to separate the data they collect according to the users’ privacy choices.
In addition, while a company cannot refuse users equal service, it can offer incentives to users who provide personal information. “This provision might be subject to change, but as stated today, it gives you the ability to offer discounts to people who are willing to have their data shared or sold to third parties,” says Dieterich. “Traditionally, systems aren’t designed so that your pricing structure might change depending on your privacy choices. That’s a new concept that has very technical implications.”
Another major difference with GDPR is that the California law allows customers much greater access to their records, says Subra Ramesh, SVP of products at Dataguise. A California consumer has the right to find out what information a company collects about them. Most companies are going to have trouble pulling that information together. “First, the amount of data they collect is already massive and continues to grow, often in the hundreds to thousands worth of terabytes, and with enterprise-level organizations processing petabytes of data,” he says.
That data is contained in multiple storage platforms, in different file types. “Most file search tools lack the ability to search across the modern file repository ecosystems so prevalent today,” says Aaron Ganek, CEO of Cloudtenna. “Cross-silo file management is a major challenge. It is difficult to understand context for each file if they are scattered inside different repositories.” Plus, compliance issues are associated with pulling together data, he says. “Legacy enterprise tools struggle to observe the disparate permissions and security models, violating the very laws and regulations they’re being used to satisfy.”
Then there’s the time limit. “After the access request, a company has 45 days to provide them a comprehensive report about what type of information they have, was it sold, and to whom, and if it was sold to third parties over the past 12 months, it must give the names and addresses of the third parties the data is sold to,” says John Tsopanis, privacy product manager at 1touch.io. “You can’t do that in Europe.”
Since the rule covers the previous 12 months of records, companies have to start complying six months from now, he says. Then, on January 1, 2020, every company has to disclose every other company they sell data to. “It will change the privacy landscape in America forever,” Tsopanis says.
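Two of the engineering consequences described above, separating data according to each consumer’s sharing choice and answering an access request with a 12-month lookback on who the data was sold to, can be made concrete with a small disclosure ledger. The following is an added illustration, not code from the article or from any company quoted in it; it assumes a single in-memory ledger, one opt-out flag per consumer, and the 45-day response window and 12-month lookback exactly as the article states them. All names, addresses and consumer identifiers are constructed placeholders.

```python
"""Consent-aware disclosure ledger with a 12-month lookback access report.

Added illustration (assumptions: in-memory ledger, one opt-out flag per
consumer, 45-day response window, 365-day lookback).
"""
from dataclasses import dataclass
from datetime import date, timedelta

LOOKBACK = timedelta(days=365)        # "previous 12 months" of disclosures
RESPONSE_WINDOW = timedelta(days=45)  # days allowed to answer an access request


@dataclass(frozen=True)
class Disclosure:
    consumer_id: str
    category: str          # CCPA category, e.g. "identifiers", "geolocation"
    recipient: str         # third party that received the data
    recipient_address: str
    disclosed_on: date
    sold: bool             # True = sale, False = shared without payment


@dataclass
class Consumer:
    consumer_id: str
    categories_held: tuple   # categories of personal information on file
    opted_out_of_sale: bool = False


def record_disclosure(ledger: list, consumer: Consumer, event: Disclosure) -> None:
    """Append to the ledger, refusing to log a sale the consumer has opted out of."""
    if event.consumer_id != consumer.consumer_id:
        raise ValueError("event does not belong to this consumer")
    if event.sold and consumer.opted_out_of_sale:
        raise PermissionError(f"{consumer.consumer_id} has opted out of sale")
    ledger.append(event)


def response_deadline(request_date: date) -> date:
    """Date by which the access report must be delivered."""
    return request_date + RESPONSE_WINDOW


def access_report(consumer: Consumer, ledger: list, as_of: date) -> dict:
    """Categories held, what was sold, and the names and addresses of the
    buyers, restricted to the trailing 12 months before the request."""
    window_start = as_of - LOOKBACK
    recent = [e for e in ledger
              if e.consumer_id == consumer.consumer_id
              and window_start <= e.disclosed_on <= as_of]
    buyers = sorted({(e.recipient, e.recipient_address) for e in recent if e.sold})
    return {
        "consumer_id": consumer.consumer_id,
        "opted_out_of_sale": consumer.opted_out_of_sale,
        "window_start": window_start.isoformat(),
        "categories_collected": sorted(consumer.categories_held),
        "categories_sold": sorted({e.category for e in recent if e.sold}),
        "sold_to": [{"name": n, "address": a} for n, a in buyers],
        "shared_with": sorted({e.recipient for e in recent if not e.sold}),
        "respond_by": response_deadline(as_of).isoformat(),
    }


# Constructed sample data (placeholder parties and addresses, not real ones).
SAMPLE_AS_OF = date(2019, 9, 1)
SAMPLE_CONSUMER = Consumer("c-1001", ("identifiers", "commercial", "geolocation"))
SAMPLE_LEDGER = [
    Disclosure("c-1001", "identifiers", "AdNet Example", "1 Example Way, CA",
               date(2018, 6, 15), sold=True),   # older than 12 months: excluded
    Disclosure("c-1001", "identifiers", "AdNet Example", "1 Example Way, CA",
               date(2019, 3, 1), sold=True),
    Disclosure("c-1001", "geolocation", "Cloud Backup Example", "2 Example Ave, CA",
               date(2019, 5, 10), sold=False),  # shared, not sold
    Disclosure("c-1001", "commercial", "DataBroker Example", "3 Example Blvd, CA",
               date(2019, 7, 20), sold=True),
    Disclosure("c-2002", "identifiers", "AdNet Example", "1 Example Way, CA",
               date(2019, 8, 1), sold=True),    # different consumer: excluded
]


def build_sample_report() -> dict:
    return access_report(SAMPLE_CONSUMER, SAMPLE_LEDGER, SAMPLE_AS_OF)


def opt_out_blocks_sale() -> bool:
    """An opted-out consumer must not acquire new sale entries."""
    opted_out = Consumer("c-3003", ("identifiers",), opted_out_of_sale=True)
    ledger: list = []
    try:
        record_disclosure(ledger, opted_out, Disclosure(
            "c-3003", "identifiers", "AdNet Example", "1 Example Way, CA",
            SAMPLE_AS_OF, sold=True))
    except PermissionError:
        return ledger == []   # nothing was written
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(build_sample_report(), indent=2))
```

The report filters on the consumer identifier first and the date window second, so a disclosure older than 12 months or belonging to another consumer never reaches the output. Keeping the opt-out check inside `record_disclosure` rather than in the reporting path means the sharing decision is enforced where the data leaves, which is the separation by privacy choice the text describes.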
What does the CCPA mean for security?
AB 375 is light on requirements around security and breach response when compared to the GDPR. As stated earlier, the law does define penalties for companies that expose consumer data due to a breach or security lapse. It also allows courts to offer “injunctive or declaratory relief,” or “any other relief the court deems proper.”
Businesses are not required to report breaches under AB 375, and consumers must file complaints before fines are possible. The best course of action for security, then, is to know what data AB 375 defines as private data and take steps to secure it. Again, any organization that complies with the GDPR likely does not need to take further action to comply with AB 375 in terms of securing data.
The AB 375 requirements around tracking, accessing, and storing data mean security teams will need to work closely with database administrators, says Terry Ray, senior vice president and fellow at Imperva, a cybersecurity vendor. Any tools selected to help deal with AB 375 will not only need to have full visibility into data stored across the entire heterogeneous corporate environment, but also ensure that access to this data is properly secured. “Lastly, they will need these tools to cooperate with the new consumer portal by sharing specific consumer data with the verifiable consumer requesting it,” he says.
If the data is stored with cloud providers, the problem just gets worse. For example, employees might set up a file-sharing account to keep track of marketing or sales contacts. “It’s not surprising the large tech companies like Google and Facebook opposed the bill,” says Kevin Bocek, VP of security strategy and threat intelligence at Venafi. “Controlling the privacy and personal information that flows between machines is incredibly difficult, and a major challenge for all businesses.”
A work in progress
The bill was put together in just seven days because legislators wanted to avoid a ballot initiative to pass an even stricter law that was opposed by many tech companies. “Right now, many of the provisions and definitions conflict with one another,” says Andy Dale, general counsel and VP of global privacy at SessionM. “The law becomes effective in 2020, so expect amendments between now and implementation — but the core tenets and rights are likely to remain.”
One problematic area is whether a company can charge consumers different prices based on their privacy settings. For example, many companies have an option where a consumer can upgrade to a paid tier where they don’t see any ads. Here, the law as currently written is a little bit contradictory.
“If the consumer exercises his rights under the regulation, businesses cannot provide a different level or quality of product, goods or services to the consumer,” says Pravin Kothari, CEO of CipherCloud. “On the other side of the coin, according to the regulation, businesses are not prohibited from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.”
It looks like California is trying to define a framework where consumers can get paid for sharing their data, Kothari says. “In this area the legislation is a bit visionary,” he says. “We’ll see in practice how this actually works out.”