CCPA Goes Into Effect. Here’s What to Expect
The new year dawned Wednesday morning with new data rights bestowed upon nearly 40 million residents of California. The exact rules are still being written for the California Consumer Privacy Act (CCPA), but the broad outlines of the new law are already in place. How the market will respond to CCPA isn’t just anybody’s guess – below are the predictions from industry experts that we think are best.
The CCPA is important because it represents the first large-scale attempt to regulate the collection and use of data in the United States. The California State Legislature modeled the new regulation in large part on the General Data Protection Regulation (GDPR) that went into effect in the European Union in 2018. But there are important differences between the laws, and unknowns in how American residents and businesses will respond to the CCPA.
One key takeaway from the enactment of the CCPA is that the anything-goes data free-for-all that marked the last 10 years of the “big data” era is officially over – at least for residents and businesses in the Golden State. Good data management and governance isn’t just a “nice to have” feature anymore, but a requirement, says Anupam Singh, chief customer officer at data hub maker Cloudera.
“CCPA will go into effect in January 2020, and while organizations are aware it’s coming, they are not aware of how much of their data – or what data – is not compliant, and they don’t know what fines they’ll be responsible for because of their lack of compliance,” Singh says. “CSOs are concerned about the lack of authorization processes on public cloud data. This will cause tension between IT and business.”
In particular, the lack of visibility that organizations have into their public cloud environments makes them unprepared for CCPA, Singh says. “As such, we’ll see a lot of organizations in 2020 struggle to become compliant and have to pay a multitude of fines for CCPA,” he predicts. “Additionally, to help organizations maintain compliance, we’ll see more cloud vendors working furiously to build products that meet the governance needs for public cloud, just like they have for regulations like GDPR. We will see CSOs build a define-once-enforce-anywhere authorization policy infrastructure.”
We are in the midst of a massive migration of data to the cloud, for both application service providers and clients. 2020 will be a critical year for organizations to sort out what legal responsibilities they have to enable their clients to move their data, says Rajiv Mirani, the CTO of cloud platform for Nutanix.
“One of the biggest challenges IT leaders will face in 2020 is data mobility,” Mirani says. “In light of compliance policies and data sovereignty laws, such as CCPA and GDPR, it is critical for companies to account for legal compliance in how their data is mobilized among clouds.”
The passage of CCPA will spur a data collection and processing backlash, particularly against the social media Web giants, sayeth Commvault executives Nigel Tozer, Matt Tyrer, and Penny Gralewski.
“The CCPA will highlight data collection and monetization in the US, just as the GDPR did in Europe,” the trio write. “This will fuel a backlash on data collection and processing in the US, especially around political ad targeting during the 2020 election year. Companies such as Facebook and Google will come under greater pressure to distance themselves from this area, and data analysis companies that are now largely unheard of will be in the news for the wrong reasons.”
Smart home assistants have been listening in on our conversations for some time, but with the heightened awareness of data rights from CCPA and other laws, consumers may start to resist the automation of massive data collection, predicts Dimitri Sirota, the co-founder and CEO of BigID.
“Overcollection of consumer data has been an issue for quite some time, but the introduction of smart home devices like Amazon’s Alexa and Google’s Nest have exponentially accelerated consumer data collection, much of which is superfluous and lacking in value,” Sirota says. “Large and small organizations alike are not taking the necessary steps to identify which data is sensitive and which should be deleted. By not making this distinction and just storing all the data they get, companies are exposing themselves to potential security and compliance risks. As rash, unnecessary and potentially invasive data collection becomes even more pervasive in devices across the home, I expect the public backlash to grow louder in the new year.”
How we square the heightened awareness of data use/abuse with the benefits of AI and machine learning will be a major story in 2020. In fact, we could be reaching an inflection point on the topic, which will result in citizens becoming more knowledgeable about the different types of personally identifiable information (PII) they share, says Jim Kaskade, CEO of Conversica.
“‘First-class citizen data’ includes information such as healthcare records and Social Security numbers, and the average consumer feels that their rights regarding this information have increasing governance,” Kaskade tells us. “‘Second-class citizen data’ is the metadata that’s created around the exchange of information by the machine throughout the consumer’s digital journey. And based on a person’s behavior, AI can determine your gender, political attitudes, personal preferences, and affiliations – all based on inferences. Even under existing regulations, there’s still potential for bad actors and their use of data using AI.”
First-party data – or data that organizations have collected themselves about their clients or operations – will be king in 2020, particularly as it becomes harder to collect third-party data via cookies, predicts Charmagne Jacobs, vice president and head of global marketing and partnerships at Adslot.
“Given current concerns, first-party data will become more important to programmatic buyers, for several reasons,” Jacobs says. “First, marketers are increasingly concerned about consumer privacy as regulations like GDPR and CCPA install stringent rules over what can and cannot be collected without consumer consent. This also ties into the demand for transparency from marketers, who want to know that the data they’re using isn’t just privacy-compliant, but of high quality.”
CCPA is brand new, but GDPR is relatively new too. In light of the fast pace of change in the data space, regulators will need to be flexible to account for unexpected changes, says Sam Humphries, senior product marketing manager for Exabeam.
“In all of its good intentions, it is still early days for the GDPR,” Humphries writes. “Therefore, it has not yet been a silver bullet in safeguarding consumer privacy. Possibly the most salient point is that as a security issue, consumer privacy will continue to evolve. Because of this, newer laws and regulations, like CCPA, must be flexible and evolve over time, too. We already see this happening in the UK, with the ePrivacy Regulation, which aims to put specific responsibilities around provisions that the GDPR treated more generally. Regardless of how much CCPA is intended to protect consumers, it remains to be seen how tolerant they will be at dealing once again with the extra ‘clicks’ and notifications that come with consent-based security measures.”
What’s the relationship between personhood and data? It’s an interesting question, one that doesn’t seem to have a good answer at the moment. But it’s a question that Matthew Halliday, the co-founder and vice president of product for Incorta, is thinking about in 2020.
“The rapid emergence of AI and IoT created an unprecedented flood of data, much of which revolves around the very things that make us who we are – from the time we wake up, to our grocery delivery, even our heart rate,” Halliday writes. “As more and more individuals are confronted with AI in their day to day, from job interviews to McDonald’s orders, your digital identity will become as much a part of who you are as your DNA. The problem? Data can be owned – so what happens when someone owns the thing that makes you, you? As CCPA and GDPR further restrict what companies can do with personal data, 2020 will see us redefine what it means to be a person – and with that, rewrite the rules of dealing with data.”
Organizations have been playing fast and loose with their clients’ data for a long time, and it’s going to take time to build processes to get it under control. That’s as true for governance as it is with privacy, according to Hilary Wandall, senior vice president of privacy intelligence for TrustArc.
“GDPR, CCPA, and pending U.S. federal and state legislation are teaching us that unlike other areas of compliance, privacy compliance is not a project — it requires development and management of continuous operational processes across the organization,” Wandall says. “Individual rights and user control are getting the most attention from legislators because the public is waking up to what’s happening with their data — and they aren’t happy, but thoughtful state and federal proposals also recognize the pivotal roles of organizational accountability and risk management in addressing the root cause of public concerns.”
Will CCPA pave the way to a national data law? Nobody knows for certain, but it’s a possibility that Wendy Foote, senior contracts manager with WhiteHat Security, is closely following.
“Although the CCPA will be good for consumers, affected companies will have to make a significant effort to implement the requirements,” Foote says. “It will add yet another variance in the patchwork of divergent U.S. data protection laws that companies already struggle to reconcile. The CCPA is the first law of its kind in the U.S., and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country.”
This is our third collection of expert predictions for 2020. Stay tuned for more predictions in the coming days.