Legislators around the world want to give consumers more control over their data and personal information in the digital age.
Already the effects of Europe’s General Data Protection Regulation (GDPR) are being felt by businesses worldwide. Yet the California Consumer Privacy Act (CCPA), a forthcoming privacy law from the home of Silicon Valley, might be even more significant and impactful in the long run.
Even as the global privacy reckoning gathers momentum, there is already a patchwork of laws impacting Australian businesses — and the local consumer watchdog is recommending serious local reforms.
What is CCPA and why does it matter?
Following the introduction of Europe’s GDPR last year, the next significant piece of data privacy legislation is being designed by Californian regulators.
The California Consumer Privacy Act (CCPA) was passed in June 2018 and takes effect on January 1, 2020. It will be the most comprehensive privacy law in the US, affording Californians data rights similar to those European residents now have under GDPR.
Meanwhile Gartner predicts that by 2022, half of our planet’s population will have its personal data protected under local privacy regulations in line with the GDPR — up from ten per cent today.
The spread of data laws is placing extra pressure on businesses, and has given rise to a generation of products and services whose developers aim to solve these emerging challenges.
At the heart of CCPA is the enhanced ability for Californian consumers to control how their personal information is used, disclosed, and sold. It imposes specific restrictions on how businesses collect and process personal information.
As with GDPR, the scope of the law does not depend on where a company is based, but on whose data it is storing. Australian businesses will have to comply with CCPA if they are collecting and/or selling the personal information of any of California’s 39 million residents, provided they are of a minimum size. But just as significantly, with California’s Silicon Valley the engine of dotcom innovation, CCPA will have an outsized influence on the next generation of app and platform developers.
The CCPA affects businesses with revenues above $US25 million, or which hold the personal information of 50,000 people or more.
Penalties include fines up to $US2,500 for each unintentional violation and $US7,500 for each intentional violation. Additionally, the CCPA establishes consumers’ right to private action for data breaches, with statutory damages ranging from $US100 to $US750 per consumer per incident, or actual damages if greater.
Earlier this year US media reported the law could be superseded by a federal US privacy law, but time is running out. The Democrats have said they will not support any law which waters down the Californian rules.
Although the law is state-based, as the US state with the largest population and economy, California’s rules will likely influence the rest of the country. According to research from Gartner, by June this year a dozen states had introduced draft laws similar to — or in some cases exceeding — the CCPA in scope and impact. Those laws would apply to 40 per cent of the total US population.
Gartner analysts Nader Henein and Lydia Clougherty Jones write, “A common thread in the majority of federal and state drafts that we have reviewed is the concept of subject rights requests. SRRs cover a defined set of rights where individuals have the power to make requests regarding their data, and where organisations handling this data must address these requests in a determined time frame (45 days in the case of the CCPA).”
“Do Not Sell My Personal Information”
Under CCPA, Californians will have the right to know what personal information a business has collected, delete that information, and know whether personal information is sold or disclosed — and to whom.
They will also have the right to say no to the sale of personal information.
While the rules are largely in line with GDPR, a briefing note from US law firm Gunderson Dettmer claims the Californian law places extra burdens on businesses.
“A CCPA-covered business is required to respond to at least two requests from any individual consumer in a 12-month period, provide a toll-free number for consumer information requests, and prominently link to an opt-out page from the company’s homepage or any other page where personal information is collected,” the lawyers write.
“Additionally, the definition of personal information is broader under the CCPA than it is under the GDPR, and it covers information that can be linked with households and devices as well as to natural persons.”
What are companies doing to prepare?
While some amendments are still in play, CCPA will require organisations to get their data houses in order before the six-month grace period ends mid-2020.
As well as building clear opt-out buttons, organisations will need to map what data they are collecting, where it goes, and what mechanism they have in place to perform that audit at scale.
Gartner notes that organisations’ siloed environments and fragmented data management practices mean that many will struggle to create a coherent data ecosystem. That makes it inherently difficult to respond when a consumer wants to know what data you have on them and to whom you’ve given it — and to delete it.
“Few organisations today possess the required capabilities for consent and preference management needed for CCPA compliance,” the analysts write.
“Enabling individuals to monitor the collection, use and sharing of their personal data or to revoke consent for certain processing activities is a foundational requirement in preparing for the new law.”
It requires that businesses maintain up-to-date knowledge of the personal data they hold, and that they can act on that data.
Gartner predicts that by 2021, 80 per cent of the negative financial impact of the CCPA will come from failure to implement a scalable subject rights workflow, as opposed to regulatory fines and litigation.
Scalable data rights
The analysts recommend building a portal to handle the new requests. For example, Microsoft launched its global privacy self-service portal after the introduction of GDPR. According to Gartner, the software giant received 18 million requests — of which 6.7 million (37 per cent) came from the US — in the first year.
“Had Microsoft instead handled the process manually, an approach taken by many organisations — at say even the unrealistically low cost of $US100 per request — the financial outlay would have totalled $US670 million in the US alone.”
The CCPA will only serve to educate more consumers about their rights, meaning a greater volume of requests to process.
Gartner recommends selecting five accounts at random to measure how long it takes to complete a user request, what it costs, and how many the organisation could handle in a specific time frame.
Laws like CCPA and GDPR create problems for businesses that operate across privacy jurisdictions. Depending on the scale of the organisation, that complexity is compounded by the use of multiple marketing technology systems all doing much the same job — email marketing, for example.
Often run independently across different divisions and countries, many of these systems are poorly integrated.
This creates both a customer risk — through a poor experience when a customer’s preferences are not reflected in company behaviour — and a compliance risk when the company fails to meet regulatory standards.
Yet they also generate new pricing signals for innovators. Already, entrepreneurs have sensed a market opportunity that is lucrative and likely to grow rapidly.
San Francisco-based Datagrail is one such company. Founded by Daniel Barber, Ignacio Zendejas, and Earl Hathaway, the business provides a centralised facility for brands to allow consumers to update their consent preferences.
Datagrail’s solution propagates those preference changes across its customers’ technology stack, which might typically include multiple email solutions from companies such as Adobe, Oracle and Salesforce, and perhaps a plethora of other smaller point solutions in different divisions.
“Email preferences and consent sit at the heart of this issue,” says Daniel Barber, who is also the company CEO. “That’s where the problem often originates.”
He stressed the need to appreciate the impact beyond regulatory risk. “The risk of non-compliance is not just the fine, though the fine is not trivial in any of these regimes. The other risk is brand degradation.”
With the impact of laws like CCPA and GDPR, it is little wonder that Datagrail is already attracting some high-profile investors. Among them is Steve Lucas, who was previously CEO of Marketo when it was an independent software vendor, and who runs that business for Adobe. He, along with Okta Ventures and Basis Set Ventures, recently joined Cloud Apps Capital Partners on the company’s registry as part of a $US5 million capital raising.
Lucas told Which-50 many companies are still grappling with the consequences of GDPR (and soon CCPA), even as regulators are starting to bare their teeth.
For instance, the UK Information Commissioner’s Office fined British Airways $US230 million and Marriott $US99 million for data breach-related violations under GDPR.
“Every CMO and CIO should know GDPR inside and out, and ensure their organisation’s compliance. Not doing so will inevitably lead to costly fines — and even worse, violating consumer trust,” he said.
“The question is, why is ensuring GDPR compliance so difficult? The answer lies in the complexity of a given organisation’s technology infrastructure, which is laden with dozens if not hundreds of systems. Any one of those systems, which seldom talk to each other, can hold various customer records.
“In this case, something as simple as a customer opting out of an email subscription can require a thorough scan of myriad aforementioned products and databases to ensure the record is removed or a ‘do not contact’ action is indicated,” he said.
“Orchestrating this kind of compliance is a nightmare for CIOs, CMOs and Data Officers alike … which is also why new solutions are emerging to orchestrate end-to-end compliance actions needed to stay on the straight and narrow data path.”
And Lucas notes that CCPA goes even further than GDPR, as it protects the data not only of individual consumers, but entire households.
“I expect CCPA to further accelerate the need for data privacy orchestration of companies which want to stay off the hot seat. Above all else, it amazes me how few executives that are charged with protecting consumer data held within their company have actually read this legislation.”
What about Australia?
While there have been significant reforms to data privacy regulations overseas, Australia’s regulatory framework has not kept pace with the volume and scope of data now being collected and exchanged.
Businesses dealing with Australians’ data enjoy limited definitions of personal information and can rely on consumers’ “implied” or “express” consent to collect it rather than the informed and unambiguous consent requirements of foreign regulators. And when businesses do get it wrong, often sanctions are light relative to the size of the offenders.
However, the recent Digital Platforms Inquiry by the ACCC has highlighted these limitations, among others, and made some of the strongest arguments yet for serious reform.
An 18-month investigation by the Australian consumer watchdog into digital platforms uncovered systemic problems in Australia’s digital economy, and recommended economy-wide reform of privacy regulation. The regulator concluded that the 30-year-old Privacy Act, on which most privacy cases are determined in Australia, is no longer sufficient.
“Numerous amendments have been made to the Privacy Act, but these incremental changes may not be sufficient to address the volume and significance of privacy and data protection issues proliferating in the digital economy,” the final report read.
“The data practices of digital platforms … demonstrate some significant gaps in Australian privacy laws.”
According to the competition regulator, in a digital economy Australia’s privacy laws are not a strong enough deterrent for exploitative data practices, nor do they offer adequate recourse to consumers.
The ACCC stopped short of recommending Australia adopt GDPR standards, but noted that there are lessons to be learned from the EU’s much stricter regulation model. It also considered reforms in other jurisdictions, including the upcoming CCPA.
“… closer alignment of Australian privacy regulations with the GDPR’s higher standards of protection could significantly increase the effectiveness of Australian privacy law and increase the accountability of entities processing the personal information of Australian consumers,” the report read.
Part of the ACCC’s proposed reforms, like the CCPA and GDPR, includes the requirement for organisations to erase any personal information they have collected about consumers at their request. In line with the EU and the upcoming Californian requirements, organisations dealing with Australians’ data would have to erase the information without undue delay.
The regulator also argues that Australia’s consent requirements need tightening. Local law firm Corrs Chambers Westgarth says this particular recommendation would actually go further than GDPR, which is generally regarded as the high-water mark for privacy and data regulation.
Writing following the release of the ACCC report earlier this month, the lawyers argue the recommendations around consent appear “stricter” than the EU requirements.
“The ACCC is proposing that consumer consent be required for any collection, use or disclosure that is not necessary for the performance of a contract to which the consumer is a party (with some limited exceptions).
“Significantly, the ACCC does not recommend adoption of the GDPR exception for use or disclosure for the ‘legitimate interests’ of the collector. Separately, it has recommended that valid consent must be clear, affirmative (i.e. default settings should not allow collection and processing), specific (i.e. consents should not be bundled), unambiguous and informed.”
After three decades of incremental changes to Australia’s privacy regulation, laws fit for the digital age could be coming thick and fast. The Morrison government has said it will respond to the inquiry and its recommendations by the end of the year.