The California Consumer Privacy Act (CCPA) is, as its name implies, designed with individual rights in mind. So what can consumers expect when the law takes effect on January 1, 2020? Answering this question and more is Jocelyn Aqua, Principal, Cybersecurity and Privacy at PwC and former U.S. government privacy official, who spoke at RampUp on the Road D.C. Below is an edited transcript of our conversation.
RampUp: Do you think there are some companies that are taking a “wait and see” approach with CCPA?
Jocelyn: There are still companies that haven’t yet accepted that this is going to be the way forward. There are parts of CCPA that are confusing. There are legislative amendments still pending in Sacramento that have the potential to change the scope, in some respects, and clarify certain provisions. But the basic framework—that individuals will be able to have more insight about the type of personal information that’s being held about them, where that information is flowing to third parties, who has access to it, what businesses are doing with it, and the right to seek access and to make requests to delete and stop the transfer of that data—is not going to go away, as evidenced by the number of states considering legislation similar to CCPA.
A number of companies thought a federal law might pass that would preempt the CCPA. Even if there is a federal law, it’s very unlikely to diminish individual access rights or be crafted in a way that would significantly differ from those foundational aspects of the CCPA. Regardless, state preemption is likely to be a battleground issue behind any federal privacy bill that emerges, and it is likely that the central debate between a federal floor and a strong preemptive model will remain unresolved for the immediate future.
People might argue that CCPA doesn’t prescribe limits on data, but by forcing transparency, it makes companies think twice about who they’re sharing personal information with and for what purpose, and companies will almost certainly feel the need to institute more stringent business practices around uses of consumer data when such uses are public.
RampUp: How does that “forced transparency” manifest on the consumer side? I almost always agree to the terms and conditions without fully reviewing a huge legal document, and I can’t be the only one. Is that document really long because that company happens to have a lot of use cases of data that I should know about? Maybe that’s a sign that the company should be paring those down.
Jocelyn: This is an inherent problem. Last year, the EU data protection authorities published guidelines clarifying what transparency means under EU law, requiring companies to publish notices that were concise, transparent, and intelligible with clear and plain language, but with sufficient granularity to ensure that individuals truly understand how their data is being collected, used, or otherwise processed.
Unfortunately, trying to make privacy notices crisp and clear, but also ensure complete transparency, can be difficult to achieve. Many policies ended up complex and lengthy. The effort may be similar for CCPA, which requires companies to publicly list categories of personal information collected, shared, sold, or disclosed. Most companies will need to share more information publicly, and it will be essential to ensure that those notices do not become unintelligible. In my experience, the need to have transparent data use practices has prompted businesses to take stock and reassess what they’re doing and make an effort to minimize certain data collections and uses that may have been previously unchecked.
RampUp: What will be the immediate impact of CCPA in the consumer’s eyes?
Jocelyn: I don’t expect the slew of privacy notices or cookie acceptances to come via email as was the case for GDPR. Companies that are collecting, sharing, using data, or selling the personal information of California residents will need to publish information on their websites and will need to include a link stating, “Do Not Sell My Personal Information,” hopefully with information about what that means for consumers and how the company plans to comply with this opt-out requirement.
Many consumers have become very focused on how their personal information is being shared and used. For California residents, the law provides an avenue to seek further information. At this time, it is not clear how many companies will provide individuals outside of California with comparable rights. However, since many states are considering legislation similar to CCPA, and new (although more narrowly scoped) laws have recently passed in Nevada and Maine, it will be interesting to see if companies ultimately provide individuals with access, deletion, and opt-out rights across the U.S., since a state-by-state approach could be costly and complex.
RampUp: I want to shift gears to discuss a PwC report called Protect Me: How Consumers See Cybersecurity and Privacy Risks and What to Do About It. Is the management of cybersecurity and privacy usually owned by the same team within a company or two separate teams?
Jocelyn: It really depends on the company. Smaller companies frequently have the CISO or cybersecurity lead take responsibility for all aspects of data protection over personal information, including data privacy. Sometimes privacy leadership also resides within the Office of General Counsel, or within the compliance, information governance, or IT teams, and close communication with the CISO is important. Large companies usually have multiple leaders and offices with varying levels of responsibility for data privacy, and we advise our clients to implement programs and practices to ensure the business is engaged at all levels and privacy and security teams are connected. Cybersecurity is a foundational requirement for a strong privacy program, and maintaining secure data, strong access controls, and limitations on sharing data internally and externally are essential prerequisites.
The Protect Me survey went out at the end of 2017. It reflects a period of significant cyber breaches and a growing concern over the safety of personal information. What’s interesting now is that breach notices are just as commonplace, but the number of privacy incidents over data use has either risen or become more public since the survey. It’s clear from our discussions that consumer concerns about unexpected data sharing and uses of personal information have escalated.
RampUp: Do you see having a really robust privacy program and strategy as a differentiator that consumers currently care about or will care about?
Jocelyn: Definitely. I see many companies trying to differentiate themselves to earn the trust of their consumers and employees by making business decisions to implement enterprise-wide privacy programs. Doing the right thing requires a culture shift for many companies, not just with regard to providing individuals with access or other rights or increased transparency via privacy policies, but in day-to-day operations where everyone is considered to be a data steward and expected to treat data privacy as a key business imperative.
Moreover, in an ecosystem where personal data is shared across enterprises, business partners that don’t have mature programs or secure systems will find it difficult to compete. Our experience with what happened with GDPR is that it ended up lifting up many companies, even those that didn’t intend to implement a global privacy program, in order to be able to work with other companies with regulatory obligations. That is actually what we’re seeing now with regard to CCPA.