How CCPA will impact enterprises and individuals [Q&A]
With the California Consumer Privacy Act (CCPA) having come into force at the beginning of the year, and Data Privacy Day coming up next week, privacy is very much in the news at the moment.
But how much of an impact will the new legislation have? And what do organizations need to do to make sure they don't lose consumer trust? We spoke to Chad McDonald, VP of customer experience at Arxan, to find out more.
BN: What is CCPA going to mean for business?
CM: For the larger businesses, the international level businesses, I don't think it's going to be a massive change as there are a few areas that are already covered in GDPR. It will have more impact for domestic or US based organizations, particularly those with a heavy footprint in California.
Many organizations are going to fall in that category and I think most people are already prepped for this. They were perhaps 95 percent of the way towards CCPA because GDPR already handled a lot of the areas.
BN: Are businesses going to comply anyway, even if they're outside California or if they could claim small business exemption, simply because they need to comply with other legislation?
CM: Possibly, although I was actually a consultant and I worked with some smaller businesses, and you'd be shocked at what doesn't happen. Given that it's driven by regulation or law or some kind of financial penalty, unless they were made to do it, the tendency for a lot of organizations, unfortunately, is to do the bare minimum.
In the US I think CCPA is going to push past California and we'll see other states emulating the legislation. But again, I just don't see this as a huge concern for these organizations unless they're mandated to do something.
California based businesses, or businesses that do business in California, will absolutely apply this across the board and I think that's the right thing to do. Organizations that are maybe in Florida or Georgia or the other side of the country likely would fall outside the scope of this, but CCPA just defined a lot of things that frankly all organizations should be doing.
BN: One of the things that we've seen with GDPR is that it raises overall awareness of privacy issues. Will this start happening in the US as well?
CM: I think what will drive awareness is when you start seeing the first cases being prosecuted. In the case of GDPR there have been some very substantial financial penalties. When we start seeing executives or organizations held accountable and really feeling the pain, I think that's when the awareness campaign will really kick in.
BN: Will we see consumers maybe deciding not to deal with companies that they don't think are taking their privacy seriously?
CM: In the US we've had the weirdness around the 2016 election and the Facebook/Cambridge Analytica scandal, so you are starting to see the tide turn on personal awareness of how data is being used. You know there's a campaign right now to drop Facebook because of their use of personal data; it's a ground-up, not necessarily organization-down, trend.
BN: Presumably, businesses that are already geared up for GDPR won't have had a great deal more to do to comply?
CM: In terms of defining personally identifiable information, CCPA is what I call 'fuzzy'. I prefer GDPR which is very descriptive in its definition of what PII means. Organizations have a lot of challenges when they're not given a specific sort of audit checklist. I think that's going to be a weakness in CCPA, that it leaves a few things to interpretation and getting that whole idea about what belongs to the household or what can be inferred about an individual based on some sort of digital footprint is a bit vague.
BN: Will it force organizations into reviewing their own policies, looking at what data they have, how they use it, why they hold it, maybe even deciding to get rid of some of it?
CM: When you're talking about making inferences around data you have to understand the data you have, how it's being used, and frankly go a few steps beyond that and look at it from sort of a meta perspective. What's the data about and what does it mean? Can I pick out an individual? Are you reasonably sure, based on these disparate data elements, that you're not necessarily individually identifiable?
So for instance, I'm going to understand if I own, say, preference data that says the household watches Netflix and watched this show on Washington. Does that create a digital fingerprint that you'd be able to use to uniquely identify this household? From the organizational perspective I expect this is going to be particularly challenging. This is where we're going to see some unexpected challenges in court, assuming this ever comes to trial.
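The question McDonald raises, whether a handful of innocuous preference fields combine into a fingerprint that singles out one household, can be checked mechanically with a k-anonymity style count over the quasi-identifiers. The Python below is an added illustration, not code from the interview or from Arxan; the column names and the six household records are constructed for the example. It counts how many records share each combination of quasi-identifier values, reports the records that are unique (k = 1), and shows how dropping columns (the simplest generalization) raises k.

```python
"""Re-identification risk check over quasi-identifiers (k-anonymity style).

Added example, not from the interview or from Arxan. The records and column
names below are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Set

# Constructed sample: preference/viewing data with no name or account id.
# Each row is a "household" as the interview describes it.
HOUSEHOLDS: List[Dict[str, str]] = [
    {"zip": "94110", "service": "Netflix", "show": "Show A", "device": "smart-tv"},
    {"zip": "94110", "service": "Netflix", "show": "Show A", "device": "phone"},
    {"zip": "94110", "service": "Netflix", "show": "Show B", "device": "smart-tv"},
    {"zip": "94107", "service": "Hulu",    "show": "Show A", "device": "smart-tv"},
    {"zip": "94107", "service": "Netflix", "show": "Show A", "device": "smart-tv"},
    {"zip": "94107", "service": "Netflix", "show": "Show A", "device": "smart-tv"},
]


def equivalence_classes(records: Iterable[Dict[str, str]],
                        quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: List[Dict[str, str]], quasi_ids: Sequence[str]) -> int:
    """Smallest equivalence class size. k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records: List[Dict[str, str]],
                   quasi_ids: Sequence[str]) -> List[Dict[str, str]]:
    """Records whose quasi-identifier combination appears exactly once (the fingerprints)."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def generalize(records: List[Dict[str, str]], drop: Set[str]) -> List[Dict[str, str]]:
    """Coarsen the data by removing the named columns entirely."""
    return [{k: v for k, v in r.items() if k not in drop} for r in records]


def risk_report(records: List[Dict[str, str]], quasi_ids: Sequence[str]) -> Dict[str, int]:
    """Summary a privacy reviewer would want: k and how many rows are singled out."""
    return {
        "k": k_anonymity(records, quasi_ids),
        "unique": len(unique_records(records, quasi_ids)),
        "total": len(records),
    }


if __name__ == "__main__":
    full = ["zip", "service", "show", "device"]
    print("all four fields:", risk_report(HOUSEHOLDS, full))
    print("zip + service:  ", risk_report(HOUSEHOLDS, ["zip", "service"]))
    coarse = generalize(HOUSEHOLDS, {"service", "show", "device"})
    print("zip only:       ", risk_report(coarse, ["zip"]))
```

With all four fields, four of the six constructed households are unique, so the data is a fingerprint even though no field on its own is identifying; keeping only the zip code brings every record into a group of three. In a real review the same count is run against the actual quasi-identifiers (and the threshold for k is a policy decision), which is the "meta perspective" on the data the answer above calls for.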
BN: Overall, is this going to be a net positive for businesses?
CM: Definitely positive. The tendency in the US is where California goes the rest of the country typically follows. So I do think this is going to be a stimulus for other states and potentially the federal government wanting to drive some sort of consistent legislation. I think first we'll see a state statement, then perhaps down the road some time you might see overall federal legislation to drive consistency.
Ultimately, what's going to happen in the US is that organizations are more than likely going to have to go with whichever legislation is more strict and more rigorous, or you'll end up with two sets of controls in each organization, so it's going to be perhaps a bit of a changing landscape.