Editor's Note: This article initially appeared on TrueAccord's blog and is republished here with permission from the author.
On January 8, 2018, the California Department of Justice held a public forum to receive comments on the California Consumer Privacy Act (“CCPA”). While this law was passed in June of 2018, there is still significant work to be done to refine and implement the new legislation before it goes into full effect on January 1, 2020. I attended this packed forum and came away with some key insights from those who spoke on how businesses, consumer advocates, information security professionals, and attorneys who specialize in data privacy view the law in its present form.
I heard three common themes that were echoed by consumer advocates, businesses, and trade groups that I’ll address in more detail below.
The definitions of personal information under this law are extremely broad and ambiguous.
1798.140(o)(1) defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It goes on to list common identifying information like name, address, and SSN, but also includes “unique personal identifier, Internet Protocol address, email address, account name, other similar identifiers.” The law also references inferences that may be drawn from this information to create a consumer profile. By defining personal information so broadly that it reaches as far as an IP address or inferences drawn about a consumer, this law will cover many millions of records and require businesses to create complicated new tracking systems to categorize this data. This will be costly for businesses, and due to the ambiguity of this definition it may be impossible to comply or to provide consumers with the data they’re requesting.
The threshold above which a business must comply is very low.
The threshold to trigger compliance could be any of three events: 1) gross annual revenues in excess of $25,000,000; 2) buying, receiving, or sharing (emphasis added) personal information for commercial purposes; or 3) deriving 50% or more of annual revenues from selling consumers’ personal information. It was the second point that businesses and trade groups were most concerned with. In combination with the definition of personal information, this threshold could be met by as few as 50,000 unique website visits per year. This is only 137 unique site visits per day, which could easily occur for many businesses that happen to collect IP addresses and “share” the information with any other individual or third-party service provider. The unintended consequences of this low threshold and the ambiguity in the definition of personal information will pull thousands of businesses into being required to comply with this law.
Another point raised is that it is unclear when the requirements of the law apply once a business crosses one of these thresholds. Is it immediately upon passing one threshold? Is it retroactive for the activities in the calendar year prior to passing the threshold?
The law will require businesses to link data sets together, creating personally identifiable information that otherwise wouldn’t exist and serves no business purpose. This creates more risk in the event of a data breach.
If a consumer provides a “valid request” to a business (a term the law leaves ambiguous and undefined), the company must gather all consumer information that may fall under the law’s ambiguous definition and provide it to the consumer. To provide this consumer data, a business will be required to combine information from various unrelated sources, which on their own could not easily be used to identify a consumer, into a single record that easily identifies a consumer and serves no business purpose. Consumer advocates, trade groups, and businesses expressed significant concern about this requirement. How is a business supposed to securely transmit this information to a consumer? How does a business track these requests and prove it has satisfied the requirements? How should a business secure this newly created record, which will surely be a hot target for hackers?
It’s clear that there is a long way to go before this law can meet its intended purpose of protecting consumers and requiring businesses to treat consumer data appropriately in order to be in compliance. Our industry faces unique challenges in complying with this law due to the heavily regulated nature of our business. The complications this law will add to our compliance platform cannot be overstated. I encourage you to take the time now to read the law, consult with your attorneys, and provide thoughtful comments to the regulators during this open comment period. We have an opportunity to raise our concerns about this law and have a real impact on the final language of the regulation with which we’ll have to comply.