CCPA Updated Regulations: Working through the Operational Impact
A new set of modified regulations for the California Consumer Privacy Act (CCPA) is here: while the US’s first privacy law is not enforceable by the AG’s office until July 1, 2020, these supplemental regulations to the law are critical guidance for businesses on compliance and procedures for consumers to exercise their new-found rights.
As was the case with the first set of proposed regulations released in October last year, the new regulations introduce specific operational impacts in the first instance. More broadly, these updates compel covered enterprises to formulate a sustainable, repeatable, and demonstrable privacy compliance strategy.
We’ve seen more than a few enterprises opt for a “CCPA light” approach on the assumption that they won’t have to contend with a large volume of DSARs. These latest updates, however, point to the need both for in-depth knowledge of enterprise data and for the ability to automatically tie that data knowledge to reporting and categorization requirements, reducing manual overhead and managing compliance risk.
At BigID, we’ve identified five impactful elements of the regulations that call into question the strategy behind the “CCPA light” compliance approach, and point to the long-term benefits of a data-driven approach that can be easily integrated with workflow management:
1. Clarification to Personal Information (PI) Definition
What it means: Data is considered PI depending on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household… For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
Impact: Determining which data types and attributes are covered by the law is a cornerstone of compliance programs. The language and the IP address example seem to articulate that if a data attribute is not directly associated with a consumer, and there is no reasonable method to associate that attribute with a consumer, then it does not constitute PI. While the language is ambiguous, businesses still have to know definitively whether a data attribute is linkable in order to determine whether it constitutes PI. The only way to make this assessment is by mapping and classifying the data and applying machine learning to understand the context of the data processing.
2. Record Keeping Obligations (General)
What it means: Businesses must maintain a record of DSAR requests for a minimum of 24 months. These records can be maintained in a ticket or log format as long as they include the date of the request, the nature of the request, the manner in which the request was made, the date of the business’s response, the nature of the response, and, if the request is denied, the basis for the denial. This information can only be used for fulfilling the CCPA compliance process. The business must maintain appropriate technical and administrative security measures for these records.
Impact: The AG regulations establish documentation requirements that did not exist in the original version of the law. Businesses must now be able to maintain records of individual DSAR requests – not just respond to them. For organizations that fulfill DSARs manually, this regulation introduces additional documentation overhead. Creating and maintaining this documentation adds another direct cost to privacy programs, especially if data collection and DSAR intake are disparate elements with inconsistent processes.
3. Record Keeping Obligations (Specific for Big Businesses)
What it means: A business that annually buys, receives, sells, or shares (for commercial purposes) the PI of 4 million or more consumers in a calendar year must provide the following metrics in its Privacy Policy: (1) number of requests received/complied with/denied, (2) number of requests to delete that the business received/complied with/denied, (3) number of opt-out requests received/complied with/denied, and (4) median or mean number of days it took the business to substantively respond to these requests.
Impact: Businesses that process the data of more than four million consumers will need to account not only for what data is included in an individual DSAR, but also for how they manage data rights more broadly. Assembling these metrics will result not only in additional overhead, but also in greater complexity in the absence of a well-structured privacy program that integrates workflows and data inventorying.
4. DSAR “Request to Know” Prohibitions
What it means: In response to a consumer’s DSAR request to know information, the business’s response cannot disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.
Impact: While businesses need to notify consumers that they hold this information, they cannot reveal the actual data attribute in plain text. Instead, they must consider alternative methods such as masking specific data fields and attributes. Any effective reporting tool should let customers configure masking for each stage of the request lifecycle.
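As an added illustration (not BigID’s code, nor text from the regulations), the following Python sketch ties the record fields from item 2 to the masking requirement in item 4: prohibited categories are reported as held but masked, and each request record carries the required fields with a 24-month retention check. The category key names, the “held” flag and the sample entry are this example’s own assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Categories the regulations bar from a "request to know" response (SSN, driver's
# license/government ID, financial account, health/medical ID, password, security
# Q&A, biometrics). Key names are this example's convention, not the regulations'.
PROHIBITED_CATEGORIES = {"ssn", "drivers_license", "government_id",
                         "financial_account", "health_insurance_id",
                         "medical_id", "password", "security_qa", "biometric"}

def mask(value: str) -> str:
    """Replace each letter/digit with '*': the field is shown as held, not its contents."""
    return "".join("*" if ch.isalnum() else ch for ch in value)

def build_disclosure(record: dict) -> dict:
    """Request-to-know payload: prohibited categories are reported as held but masked."""
    disclosure = {}
    for category, value in record.items():
        if category in PROHIBITED_CATEGORIES:
            disclosure[category] = {"held": True, "value": mask(str(value))}
        else:
            disclosure[category] = value
    return disclosure

def add_24_months(d: date) -> date:
    """The 24-month retention minimum; a 29 Feb request date rolls to 28 Feb."""
    try:
        return d.replace(year=d.year + 2)
    except ValueError:
        return d.replace(year=d.year + 2, day=28)

@dataclass
class DsarLogEntry:
    # The fields each request record must carry under the regulations.
    request_date: date
    nature: str                  # e.g. "request to know", "request to delete"
    channel: str                 # manner in which the request was made
    response_date: date
    response_nature: str         # e.g. "fulfilled", "denied"
    denial_basis: str = ""       # basis for denial; empty unless denied

    def retain_until(self) -> date:
        return add_24_months(self.request_date)

    def must_retain(self, today: date) -> bool:
        return today <= self.retain_until()

def sample_log_entry() -> DsarLogEntry:
    """Constructed entry: web-form request received 1 July 2020, fulfilled 20 July."""
    return DsarLogEntry(date(2020, 7, 1), "request to know", "web form", date(2020, 7, 20), "fulfilled")
```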
5. Clarification of “Household” Definition
What it means: The definition of a household is clarified to mean a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.
Impact: Connected IoT household devices like Alexa, Ring, Roomba, smart TVs, and connected cars generate enormous amounts of data. This IoT data is typically transported within enterprises using data-streaming technologies. Businesses must be able to discover and classify data in motion and then correlate it back to the original “household.” In addition, they must be able to delineate which individuals reside in the same household.
The direction that the AG’s office is moving is clear: more accountability for data processing and collection, and stronger requirements to demonstrate that covered enterprises take these requirements seriously. These updates not only bring greater clarity, but also point to increasing levels of complexity in implementing what is the first comprehensive privacy law in the US, with more on the horizon.
Many of our customers have made investments in data discovery and privacy compliance automation to underpin and safeguard brand trust – and integrating personal information data discovery and classification with advanced data rights management has the added benefit of ensuring efficiency, automation and accuracy for evolving privacy regulatory requirements. Knowing your data facilitates an agile response to shifting reporting requirements: see how BigID helps with a 1:1 custom demo.