• According to Justin Antonipillai, CEO and Founder of WireWheel.io, “privacy is a fundamental human right, a critical trade issue, and it’s a bet-the-company issue for almost every company.” We were intrigued by his perspective, so we invited him to speak on the RampUp podcast to share his thoughts on how CCPA touches on each of these aspects of privacy.

    Hear Audrey Luk, Content Strategist at LiveRamp, and Albert Wang, Product Marketing Lead, Consent Management at LiveRamp, interview Justin below, or read an excerpt of our conversation:

    Audrey: I like what you say on your website, that privacy is a fundamental human right, a critical trade issue, and it’s a bet-the-company issue for almost every company.

    How do you think these three points are addressed with CCPA specifically? Or are they?

    Justin: A lot of them are tackled by CCPA. When you see the approach that’s underlying CCPA, it’s really about putting Californians back in control of their information, giving them choices about who has access to that information, and making sure they know what it can be used for. And really, when I say privacy is a fundamental right, that’s the way we think of it here at WireWheel.io. People need to be put back in control of their information. That means they should be able to understand what information is being collected about them, who it’s being shared with, and why. And that’s one of the critical underpinnings of the CCPA.

    The other two things I mention on the website are that it’s a critical trade issue—it’s a bet-the-company issue for almost any company. That’s certainly one of the drivers of the new California law. When you open up the newspaper or turn on the TV, every single day there’s a company that has taken for granted the trust that they built with their customers and has done something with their information that makes their customers feel like they’re being mistreated. 

    When we look at the major requirements of the new California Act, and certainly laws that are being considered all around the country, most of these laws are really about rebalancing things when it comes to personal information, and giving people more control about what’s happening with their information.

    Audrey: Even though parts of CCPA are still being clarified, what do you expect this new reality will look like come January 1st of next year?

    Justin: We focus companies on starting with some basic things about their applications or services. If you focus on those things, you’ll be able to show that you comply with CCPA, no matter what the final regulation looks like. 

    Those fundamental things are to understand that you’ve given your customers a real understanding of what information you’re collecting about them, including by category; who you’re sharing that data with; what it’s being used for in clear, crisp, understandable terms; and giving them the choice to decide that if you’re using that information other than to provide the specific service, they’re aware of it and have the chance to opt out.

    In terms of what it looks like, the other major challenges we’re seeing as companies are trying to tackle CCPA are largely focused around the requirements of individual rights requests. For example, a company has to provide a simple way for their customers to ask that their data be deleted, or that it be given back to them. When you actually get to implementation, there are some really interesting challenges about how to verify and authenticate the request, and how to make sure you’re fulfilling them in an efficient, timely, and most importantly, secure manner.

    That’s what I think the major challenges are going to look like between now and when the law goes into effect. But I do think it has the chance to really change the way people do business in the United States, with respect to their personal information.

    Albert: How would a company go about processing data access requests? 

    Justin: The way we’ve seen the California law develop, there are a couple of clear rules that I think are going to come out soon. 

    First of all, you have to be able to give your customer a way to make a request, but you also have to enable people who do not have an account with you to register a request. You can’t just say no to every person who does not already have an account with you when it comes to an individual rights request.

    Second, you have to have a process if somebody doesn’t have an account, so you can actually verify, authenticate, and have a good degree of certainty that you’re giving the right person the right data. Because there’s almost always a balance. You want to be able to turn the data over, but companies should not feel like they’re being put in the place of having to turn that data over to a person when they’re not confident it’s the right person. We’ve spent a lot of time designing systems to give our customers ways to both authenticate and verify a consumer request. 

    Third, there’s a very strong principle when it comes to these privacy laws, both under GDPR and CCPA, that a company is not making an individual give the company more information in order to fulfill an individual rights request. That makes sense, right? You shouldn’t have to be forced to tell more about yourself just to get back information. And there are a number of ways we’ve tackled those kinds of requirements, to ensure that people, at the end of the day, can get their data without giving the custodian of their data more information.

    And finally, almost every regime we’ve seen around individual rights requests, whether it’s California, Nevada, Vermont, or GDPR, really focuses on ensuring that when you’re fulfilling a rights request, you’re doing it in a safe and secure way. Again, most of these laws spend a fair amount of time ensuring that in getting people their data back, you don’t do more harm. Ensuring that you have a safe, secure, and encrypted environment is absolutely critical when it comes to individual rights requests.

    Audrey: Since you mentioned a number of states as well as GDPR that have privacy regulations, we wanted to get your thoughts regarding federal-level regulation. What’s on the horizon for a country-wide regulatory initiative?

    Justin: It’s been a long time since I can imagine an issue that has such broad support as protecting privacy. But I suspect, as a practical matter, between now and the end of 2020, it’ll be very difficult to pass another law that’s comprehensive on the privacy front. And given how much momentum there already is in place with the new California law and state laws passing, I suspect there will be a number of state laws that are largely consistent with one another, that go into effect before there’s a new federal law. I think it’s ultimately in the United States’s interest to pass a federal privacy law, not only for consistency purposes, but because there are some fundamental values that are uniquely U.S. values that should be reflected on the world stage. It’s going to be a challenge to get that done in the next year and a half.

    Audrey: What are those unique values that should be reflected on the world stage? 

    Justin: I’ll give you two.

    One is the First Amendment. GDPR contains rules, including on the right to be forgotten, such that, for example, a newspaper can be obliged to remove publicly available information. And we can’t do that, for example, under the First Amendment. Now, I’m not saying it’s an all-or-nothing in Europe. There’s a lot of ways in which Europe has different balancing acts. But in the U.S., we have a fundamental view about freedom of the press and the ability of the press to print public information. And that value would be much more easily reflected on the world stage if we had a federal privacy law.

    A similar value is around the sale of information, or the use of information. In the U.S., most people you talk to will say, ‘if I know what’s happening with my information, and I’m making a knowing choice, I should be able to do whatever I wish with that data. I should be able to sell it. I should be able to give my information to somebody as I see fit.’ And there are principles in the GDPR that say that sometimes a federal or a European regulator can decide that you can’t sell your data or transfer it. 

    Now, again, this isn’t an all-or-nothing thing, but it is a fundamentally different way to look at things. I think a federal privacy law would go a long way to promoting these core U.S. values.

    Audrey: Thank you so much, Justin. I’m sure we’ll chat again before CCPA comes to light on January 1st, and certainly before any federal law is on the books. Thanks again for your time.

    Justin: Thank you. I really enjoyed chatting with you. I look forward to the next one.

    The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.
