CCPA’s Impact on Analytics: A Q&A with Immuta’s Legal Engineers
One of the unknown variables with the new California Consumer Protection Act (CCPA) law is how it will impact machine learning projects. For starters, organizations could run afoul of CCPA if they train machine learning models on data obtained from users without their permission. To get a better perspective on how CCPA will impact users, Datanami reached out to Immuta, a provider of privacy solutions for analytic teams.
Three members of Immuta’s legal engineering team, including Daniel Wu, a privacy counsel and legal engineer; Sophie Stalla-Bourdillon, a senior privacy counsel and legal engineer; and Chief Legal Officer Andrew Burt participated in the question and answer.
Here’s what they had to say:
Datanami: What is Immuta hearing from its customers regarding CCPA? What is it advising its customers to do?
Immuta: From the legal engineering standpoint, we recommend customers think about CCPA compliance through three key practices: masking, purpose restrictions, and auditing.
Let’s start with masking. For data that is subject to the CCPA, the Act incentivizes organizations to encrypt and redact – in other words, to mask – personal information wherever possible. Non-masked information disclosed during a security incident, for example, can result in fines of up to $750 per consumer. As a result, we recommend masking all personal information by default.
A key component of the CCPA also lies in limiting what categories of personal information will be used, and for what purpose, which must be disclosed to consumers and enforced throughout the use lifecycle of their data. For that reason, we recommend employing purpose restrictions on data to allow easy enforcement and monitoring of how data is being used.
The last best practice is recordkeeping. A central component of the CCPA is transparency – mandating that organizations provide consumers with a clear understanding of what data is held about them and how it’s being used. In order to provide consumers with this information, organizations must have a uniform logging system to understand their own data environment.
All that said, we sit at a very specific location within the data analytics environment: our customers are focused on automated data governance for data analytics, which means that our focus is on enabling data science internally, rather than aspects of the CCPA that involve direct-to-consumer interactions. We’ve found the lion’s share of the attention on CCPA compliance to be centered on the consumers’ interaction with businesses – such as the right of a consumer to delete their own data – which means that ensuring compliance for data analytics environments tends to receive less attention.
Datanami: The specific rules for CCPA are still in flux. Is that a concern for your clients?
Immuta: It’s hard to comply with rules that aren’t clear – or that might change in the future – and CCPA has been marked by both types of uncertainty. But that doesn’t mean that businesses can’t get started now. And while it’s still hard to be 100% compliant with a law like the CCPA – which, with talk about CCPA 2.0 in the future, is still evolving – there is a lot that businesses can and should be doing to protect their consumer data. And because CCPA was driven by data governance best practices, organizations can draw from a wide range of existing best practices that govern how they collect, retain, and delete data.
One area, for example, is the definition of de-identification under the CCPA, which we see as moving closer to the Federal Trade Commission’s long-standing conception, and which businesses tend to be much more familiar with. Homing in on areas that are more familiar can create a clear strategy to exempt data from the scope of the CCPA – protecting consumer data while enabling data analytics at the same time.
Datanami: Did GDPR give Immuta customers a head start on CCPA compliance? In what ways will they be similar and different?
Immuta: Yes, there are a lot of similarities – and there’s a good reason why many describe the CCPA as modeled on the GDPR, or at the very least strongly influenced by the GDPR. That said, there are also major differences. The first one is the scope of the laws. The GDPR is an attempt to unify data protection laws of all EU Member States and regulate businesses of all sizes that are established in the EU or targeting individuals located in the EU. The CCPA, meanwhile, adopts a two-tiered approach, only regulating businesses operating in California that are of a certain size. And while individuals receive rights over their data from both frameworks, the conditions to exercise these rights are not identical – on occasion, their formulation is entirely different.
Datanami: How do you think the CCPA will impact companies’ ability to leverage data for AI and analytics?
Immuta: While the CCPA doesn’t have specific provisions related to algorithmic accountability and contestation, it will still have important effects on the ability of companies to use analytics for automated decision-making, personalization, and sophisticated prediction techniques. It’s also worth noting that inferences generated by machine learning models can fall within the definition of personal information, and therefore become regulated under the CCPA. In addition, restrictions in the CCPA may prevent consumer data from being used for a purpose incompatible with the original use case. Many machine learning processes often involve the collection of large amounts of data for reasons that aren’t always clear at the moment of collection. Increasing restrictions on data will challenge this type of “data hoarding” mentality – and force more strategic use of data and analytics to protect customer trust.
Datanami: What is your sense about the readiness of companies to comply with various requirements of the CCPA? Will they be ready come Jan. 1, 2020?
Immuta: We are seeing a huge uptick in interest in the CCPA, along with growing anxiety about the implications of non-compliance. At the same time, most companies are far from CCPA-ready (one survey, for instance, claims that less than 10% of companies are currently ready). So we’re expecting an eventful enforcement environment next year – and a steep learning curve for companies that aren’t paying attention to the CCPA’s requirements.