Privacy Regulation: A tactical approach for achieving compliance with the CCPA
Published 19 December 2019
Abstract
Pervasive privacy regulations are gaining traction at a global level with escalating financial penalties. Current and rapidly emerging laws primarily address those organizations that collect, process, and share an individual’s personal information.
This report looks to demystify the most significant privacy and data protection legislation and to net out the most essential and challenging requirements. We’ll start with an overview of the current and upcoming privacy regulations and then focus on the California Consumer Privacy Act (CCPA) in light of the European Union’s General Data Protection Regulation (GDPR) to develop an understanding of the breadth, scope and depth of what is involved in complying with the California act.
This is the first of a series of reports designed to provide TechVision Research clients with practical information to assist in developing plans, processes, and procedures for becoming compliant with multiple conflicting yet overlapping privacy laws. While this report primarily focuses on the CCPA, since it is the most recently enacted legislation and will be enforced in 2020, the core principles described here apply to much global privacy and data protection legislation.
This report provides a tactical and strategic context for addressing key regulatory controls in the form of an overarching privacy strategy, high-level recommendations and next steps to understand the risks and move towards CCPA compliance.
Authors:
- John Myracle, Principal Consulting Analyst
- Gary Rowe, CEO, Principal Consulting Analyst
- Doug Simmons, Principal Consulting Analyst
Executive Summary
The introduction of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has increased industry and enterprise attention on privacy and data protection, given the financial penalties associated with these regulatory controls. Some recent examples include:
- Google was fined €50M (about $57M USD) by the French data protection authority (CNIL) in January 2019 after being found non-compliant with the GDPR, including a failure to make essential information about its processing easily accessible to users.
- The Federal Trade Commission (FTC) investigated Facebook for violations of user privacy under its 2011 consent order, which requires Facebook to obtain users’ “affirmative express consent” whenever it shares an individual’s ‘private’ data with a third party. Facebook announced in April 2019 that it anticipated being fined up to $5B USD, and the FTC announced a $5B settlement in July 2019.
This report examines the state of privacy regulations, the impact on our enterprise clients and concludes with a set of suggested best practice recommendations. While the primary focus is on CCPA, much of the guidance applies to other rapidly expanding state and global privacy regulations. Given the volatility in this area and rapidly expanding Digital Enterprise initiatives, organizations should be approaching privacy with a set of services that are agile, dynamic and flexible. Specific observations and enterprise considerations include:
- Organizations will struggle to become compliant given the growing number of diverse state/jurisdiction-centric statutes and related regulatory requirements. Many of these regulations don’t build on or correlate with one another and, as we describe in this report, such inconsistencies already exist between the GDPR and the CCPA.
- Future privacy regulations will move towards individually-controlled data, in contrast to the current online service/company-centric designs. In the meantime, we suggest that ongoing regulatory compliance efforts focus on providing increased user-centric control and on obtaining consent where possible and appropriate.
In summary, the privacy regulatory landscape is in flux. The recently-enacted CCPA becomes effective on January 1, 2020 and enforceable six months later. But this is the tip of the iceberg, in that many other states are expected to follow this path. Thus, there is increasing urgency for businesses to proactively address data privacy by implementing increased user control, consent management and other appropriate controls. This report provides a foundation to help enterprises focus on the most critical areas emerging within the CCPA and also provides overarching guidance to help organizations mitigate risk in this rapidly evolving and increasingly aggressive regulatory environment.
Introduction
This paper looks to align the principles and requirements found in the CCPA with the European Union’s GDPR as both are directed to providing greater control to individuals over their Personally Identifiable Information (PII). These common principles can provide input towards and a context in support of a viable enterprise privacy strategy.
Under this alignment, this paper culminates with a set of tactical actions that can be taken now, primarily focusing on the CCPA. We will also consider the GDPR to help determine a “compliance requirements baseline” in light of the new state laws currently under discussion and the federal privacy and data protection legislation we expect in the future. TechVision believes that improvements in US federal law will ultimately help enterprises gain a consistent set of requirements.
The enactment of the GDPR and the CCPA demonstrates that legislators intend to hold enterprises accountable for their privacy compliance. Figure 1 below illustrates the challenge associated with the growing fragmentation of privacy regulation.
Figure 1: The Opportunity for Privacy Law Standardization
Note that this isn’t just a future privacy compliance issue: it is already a problem for enterprises trying to comply with both the GDPR and the CCPA. While we’ll focus on CCPA compliance in this paper, enterprises should recognize that the regulatory landscape will remain challenging for a long time.
Past Privacy Regulation
As we’ve said, these challenges are not new, but they are accelerating. The European Union (EU) enacted Directive 95/46/EC in 1995, more commonly known as the Data Protection Directive. This established a data protection framework that each EU member state then implemented through its own national law. Because implementation was left to each member state, enterprises were forced to find ways to comply with the varied national requirements.
Within the United States (U.S.), there is a patchwork of laws at the federal level aimed at protecting high-risk data or vulnerable populations. For example, the federal Children’s Online Privacy Protection Act (COPPA) applies to children under the age of thirteen, and the Health Insurance Portability and Accountability Act (HIPAA) applies to securing health information. Also at the federal level, the Gramm-Leach-Bliley Act governs banks, insurance companies, and similar financial institutions, with the Federal Trade Commission and the sector regulators enforcing the privacy and security rules applicable to those industries. Even when cobbled together, these federal privacy laws provide fragmented coverage for certain types of health and financial data, and several of them are incompatible or conflicting in how they regulate sensitive personal data.
On February 23, 2012, the White House presented a framework for protecting privacy in the digital economy as a new Consumer Privacy Bill of Rights, providing a clear code of conduct for companies that use personal information and building on the FTC’s enforcement expertise. This framework encompassed how sensitive information is collected, processed and shared by corporate and government entities. The proposal was never enacted by Congress, leaving policy and practice to be determined by industry.
As we will discuss, these industry-specific regulatory approaches fell far short of protecting consumer and end-user information. This has led individual states to create their own, mutually incompatible regulations, such as California’s CCPA.
International Privacy Regulation
Outside the U.S., many countries began national efforts to better protect sensitive personal information, personal information, and personally identifiable information (PII). The following are some key examples:
- In the EU, the requirements outlined in the 99 Articles comprising the GDPR became binding and enforceable on May 25, 2018, superseding the Data Protection Directive. In response to Facebook’s business activities and practices, a UK parliamentary committee released a report in February 2019 recommending that the government enact further regulation to alter existing data practices.
- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provisions requiring mandatory recording and reporting of data breaches came into force on November 1, 2018. And, following the GDPR’s lead, guidelines were issued to address obtaining meaningful user consent for information use and sharing.
- In Japan, the Act on the Protection of Personal Information was modified in 2017 to address cross-border data transfers and domestic consent required for use or disclosure of “special care-required personal information.”
- The Israeli Parliament approved the Protection of Privacy Regulations (Data Security) in 2017 as a far-reaching set of data security regulations akin to the EU’s GDPR. These regulations, in force since May 2018, established requirements for data controllers and processors handling personal data.
- In Brazil, the federal Senate approved a Data Protection Bill of Law on July 10, 2018 inspired by the GDPR.
These are just a few examples of the regulatory requirements ‘table’ continuing to be set. To be sure, the GDPR set a lot of this in motion and also provided a sort of ‘blueprint’ for privacy legislation. As we will discuss, even the CCPA (California) ‘borrowed’ a bit from the GDPR.
United States Privacy Regulation
At the federal and state level in the U.S., privacy regulation is occurring in parallel but not necessarily in concert. In the absence of comprehensive GDPR-like federal legislation, numerous states are currently discussing consumer data privacy in subcommittees or have passed privacy legislation.
Federal Level
In 2016, Internet access privacy protections were delineated by the Federal Communications Commission (FCC) in “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (FCC 16-148). In short, FCC 16-148 set forth rules to give broadband customers transparency about, and choice regarding, how their data are used and shared by broadband providers. Congress nullified these rules in April 2017 under the Congressional Review Act before they took effect, which is one reason several state legislatures took up the issue themselves.
The most recent federal-level activity involves the House Energy and Commerce Subcommittee on Consumer Protection and Commerce, which sought to pick up where the 2012 Consumer Privacy Bill of Rights left off with discussions recommending GDPR-like privacy laws.
On February 26, 2019, the House Energy and Commerce Committee held a hearing on consumer privacy that drew on a Government Accountability Office (GAO) study the committee had requested. The net result was the dismissal of the notion of employing the CCPA or the EU’s GDPR as the foundational underpinnings for future federal legislation. However, the House found consensus that the present state of affairs is untenable and that there is a pressing need for nationwide security and privacy legislation. This lack of definitive action has led to multiple state efforts to address data protection and consumer privacy.
State Level
With the U.S. federal government struggling to identify a comprehensive and unified approach to consumer privacy protection, individual states are moving forward. In the wake of FCC 16-148 and its repeal, numerous states, including Alaska, Hawaii, Kansas, Maine, Maryland, Massachusetts, Nebraska, New Hampshire, New Jersey, New York, Oregon, Rhode Island, South Carolina, Vermont and Washington, have introduced, and several have passed, legislation restricting the collection of personal information without explicit customer consent. Certain states have gone further to prohibit the disclosure, transfer, or sale of a customer’s proprietary information, including browsing history, message content, precise geolocation, and financial, health, and similar sensitive personal data.
So what is the CCPA? In a nutshell, the CCPA gives California consumers (defined as natural persons who are California residents) rights relating to the collection, sale, or disclosure of their personal information, including the right to prohibit its sale and to obtain a copy of their data. While the CCPA is important in its own right, its significance is multiplied by the several states introducing similar bills, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, and Rhode Island. With this emerging trend, we expect many more states to follow.
Current State of Privacy Legislation
Consumer protection laws are here to stay and, in some circumstances, are intended to provide a comprehensive means for protecting consumers’ personal information. The passage or consideration of state-level legislation will hopefully give rise to federal law positioned to mitigate the inconsistencies existing at the state level and reconcile overlapping initiatives. Additional efforts to coordinate with, and become compatible with, international requirements would also afford individuals greater protection and ease the burden on enterprises that must comply with various and, at times, conflicting laws.
Inherent Weakness within Current Legislation
TechVision Research believes that two fundamental weaknesses exist within the current state of most legislation. The first is the need for an individual to direct each business separately of their desire to “opt out” of specific business activities. For example, with respect to the CCPA, this puts the burden on the consumer to be aware of, and explicitly opt out of, every activity involving the sale of their personal information (1798.120(a)). This leads to the second concern: individuals are expected to read and understand updated privacy policies before deciding whether to grant consent to share their personal information. Typically, these corporate policies are quite lengthy and are unlikely to be fully understood by the average reader. In practice, individuals will most likely grant consent by skipping over the privacy policy because they want to use the service, without understanding that such consent may allow their data to be shared with third parties, even in countries without the same level of protection. These agreements are sometimes called “contracts of adhesion”, in that the individual cannot negotiate the terms and most simply grant consent.
Current regulations also fall short in that they fail to address emerging identity ecosystems where the individual owns and controls the credentials that contain their personal information. Both the GDPR and the CCPA retain the out-of-date model in which each individual goes to an online service (e.g., Amazon, Google, PayPal, Facebook, Twitter, and the like) and creates a credential for use with that specific site. Imposing on the individual consumer the burden of managing credentials across the Internet is overly cumbersome and fundamentally flawed from a security perspective. TechVision has written about this challenge in several reports, but it should be noted that it also creates major privacy challenges. The gathering of personal data by each site an individual accesses leads to a personal data propagation and correlation problem that is largely intractable. Making this even more difficult is the rise of artificial intelligence and machine learning used to ‘tailor’ far-reaching marketing campaigns from personal data, which begins to smack of unwanted surveillance. To be sure, future regulations will need to address the complex issues raised by artificial intelligence techniques, which have so far been largely overlooked.
TechVision Research believes that future privacy regulation will move the agenda from enterprise/process-centric priorities to those that balance individual consumer or end user requirements – we firmly believe this will be expected by consumers over time. We suggest that ongoing corporate regulatory compliance efforts envisage this individual-centric future and reflect this vision while designing and transforming their existing IT infrastructure. This also ties in nicely to Privacy by Design, a critical component of GDPR, PIPEDA, and other laws.
Problems Introduced By Multiple Competing State Laws
Although some state laws may try to follow the principles found in the CCPA, the compounding effect of divergent legislation and the introduction of future regulatory directives adds complexity to businesses attempting to achieve across-the-board compliance.
Those responsible for ensuring compliance need to maintain an awareness that today’s legislation, including the CCPA, has several ambiguities and contradictions. For example, Section 1798.140(c)(1)(A)-(C) of the CCPA defines a business, in paraphrase, as:
… a legal entity (e.g. corporation, LLC, sole proprietorship, etc.), regardless of location, that does business in California, is operated for profit, collects and processes one or more California consumers’ personal information, and satisfies at least one of the following criteria…
This “business” definition forces the question of whether states are permitted under the U.S. Constitution to legislate in ways that may be prohibited by the Negative (or Dormant) Commerce Clause, the legal doctrine prohibiting states from enacting legislation that discriminates against interstate commerce.
What happens when the remaining states pass additional conflicting legislation? How will it be decided which law(s) supersede other bodies of law? Even small differences in breach notification rules or data disclosure policies will impose significant, undue burdens on companies engaging in interstate commerce. The point is that, for the foreseeable future, the laws and regulations will be in a state of flux and more than likely subject to complex, costly, and confusing litigation. Given this volatility, the ‘technical implementation response’ will need to be agile, dynamic, and flexible.
CCPA – Consumer Rights, Reach, and Coexistence with Existing Law
So let’s now focus on the CCPA, with the understanding that this is only one piece of the volatile global regulatory environment that most of our enterprise clients are trying to navigate. The CCPA consumer data collection and privacy requirements become effective on January 1, 2020 and may be enforced by the California Attorney General’s Office beginning no later than July 1, 2020.
The CCPA was enacted as Assembly Bill 375 and amended by Senate Bill 1121 (Chapter 735, Statutes of 2018); it comprises 18 sections and roughly 9,400 words. The structure of the CCPA involves first presenting a particular consumer right, followed by the business’s corresponding obligation. These specific obligations, coupled with additional business responsibilities (such as personnel training and communication channels), form the CCPA’s compliance requirements.
Consumer’s Rights and Protections under CCPA
The CCPA provides for six basic consumer rights (note that this count is debated: some read the Act as granting as many as eight fundamental rights and some as few as five) regarding their personal information (PI), presented first in layman’s terms followed by the relevant citations from the Act, to:
- Ascertain what PI has been collected about them, where they may request a copy (disclosure) of all PI collected (1798.100),
- Have all their collected information deleted, where they may request that all PI collected and stored be deleted (1798.105(a)),
- Ascertain whether their collected PI was shared and with whom, where businesses must disclose the categories of PI collected, the categories of sources from which it was obtained, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom it is shared (1798.110(a)),
- Ascertain whether their PI has been sold and, if so, to whom, where a business that sells PI or discloses it for a business purpose must disclose the categories of PI collected, the categories of PI sold and the categories of third parties to whom each category was sold, and the categories of PI disclosed for a business purpose (1798.115(a)),
- Stop the sale of their PI, where they may direct a business not to sell their PI (“opt out”, 1798.120(a), exercised through the link required by 1798.135(a)(1)); the business must then refrain from selling that PI and respect the opt-out for at least 12 months before asking the consumer to re-authorize the sale (1798.135(a)(4) and (a)(5)); and a business with actual knowledge that a consumer is under 16 years of age may not sell that consumer’s PI at all without affirmative authorization (“opt in”, 1798.120(c)), and
- Not be discriminated against when exercising these rights, where a business shall not discriminate against a consumer because the consumer exercised any of the consumer rights under this title (1798.125(a)).
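As an added example (not code from the report or from any CCPA tooling), the following toy personal-information store turns the rights listed above into executable checks: a right-to-know disclosure built from category-level records (1798.110/1798.115), deletion (1798.105), a sale gate that honours opt-outs (1798.120(a), 1798.135(a)(4)), the 12-month re-solicitation wait (1798.135(a)(5)), and the opt-in rule for consumers under 16 (1798.120(c)). The classes, consumers, categories and the `add_year` helper are hypothetical; the statutory exceptions to deletion (1798.105(d)) and the non-discrimination rule (1798.125), which is a pricing and service-level control rather than a data-store check, are not modelled.

```python
"""Added example (not from the report): a toy personal-information store that
turns the six CCPA consumer rights listed above into executable checks.
The classes, consumers and data here are hypothetical."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class PIRecord:
    """One category of personal information held about a consumer."""
    category: str                 # e.g. "identifiers"          (1798.110(a)(1))
    source: str                   # category of source          (1798.110(a)(2))
    purpose: str                  # business/commercial purpose (1798.110(a)(3))
    disclosed_to: list = field(default_factory=list)  # third-party categories, business purpose (1798.115(a)(3))
    sold_to: list = field(default_factory=list)       # third-party categories, sale (1798.115(a)(2))


@dataclass
class Consumer:
    consumer_id: str
    age: int
    records: list = field(default_factory=list)
    opt_out_date: Optional[date] = None   # "Do Not Sell" request received (1798.120(a))
    opt_in_date: Optional[date] = None    # affirmative authorization (under 16, 1798.120(c))
    deleted: bool = False


def add_year(d):
    """Twelve months after d; 29 Feb rolls to 28 Feb (an assumption, not statute)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


class PIStore:
    def __init__(self):
        self._consumers = {}   # consumer_id -> Consumer

    def add(self, consumer):
        self._consumers[consumer.consumer_id] = consumer

    def get(self, consumer_id):
        return self._consumers[consumer_id]

    # Right to know: 1798.100, 1798.110(a), 1798.115(a). The disclosure sections
    # are phrased in terms of categories, so that is what this response lists.
    def disclosure(self, consumer_id):
        c = self.get(consumer_id)
        if c.deleted:
            return {"status": "no personal information held"}
        return {
            "categories_collected": sorted({r.category for r in c.records}),
            "sources": sorted({r.source for r in c.records}),
            "purposes": sorted({r.purpose for r in c.records}),
            "disclosed_to": sorted({t for r in c.records for t in r.disclosed_to}),
            "sold_to": sorted({t for r in c.records for t in r.sold_to}),
        }

    # Right to delete: 1798.105(a). (Exceptions in 1798.105(d) are not modelled.)
    def delete(self, consumer_id):
        c = self.get(consumer_id)
        c.records.clear()
        c.deleted = True

    # Right to opt out: 1798.120(a); the business must then refrain from selling (1798.135(a)(4)).
    def opt_out(self, consumer_id, today):
        self.get(consumer_id).opt_out_date = today

    def may_request_reauthorization(self, consumer_id, today):
        """1798.135(a)(5): honour an opt-out for at least 12 months before asking again."""
        c = self.get(consumer_id)
        return c.opt_out_date is None or today >= add_year(c.opt_out_date)

    def authorize_sale(self, consumer_id, today):
        """Affirmative opt-in (1798.120(c) for minors, or re-authorization after an opt-out)."""
        if not self.may_request_reauthorization(consumer_id, today):
            raise PermissionError("opt-out must be respected for 12 months before re-soliciting")
        c = self.get(consumer_id)
        c.opt_in_date = today
        c.opt_out_date = None

    def may_sell(self, consumer_id, today):
        """Gate every sale on the opt-out and under-16 opt-in rules."""
        c = self.get(consumer_id)
        if c.deleted or not c.records:
            return False                       # nothing to sell
        if c.opt_out_date is not None and c.opt_out_date <= today:
            return False                       # 1798.120(a) / 1798.135(a)(4)
        if c.age < 16:
            return c.opt_in_date is not None   # 1798.120(c): opt-in, not opt-out
        return True
```

The useful design point is that `may_sell` is the single choke point every downstream sale or data-feed call should pass through; an opt-out recorded in one system but not consulted by the ad-tech export job is exactly the failure mode enforcement would look for.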
Reach of CCPA
Although the CCPA is directed to California Consumers, it applies to for-profit corporate entities (e.g. corporation, LLC, sole proprietorship, etc.):
- Doing business in California,
- Collecting and processing one or more California consumer’s personal information, and
- Meeting at least one of the following criteria:
(A) Annual gross revenues exceed $25,000,000,
(B) Annually buying, receiving for the business’ commercial purposes, selling, or sharing for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
(C) Deriving 50% or more of their annual revenue by selling personal information. Cal. Civ. Code Section 1798.140(c)(1).
Cal. Civ. Code Section 1798.140(c)(2) extends the reach of the CCPA to any entity that either controls or is controlled by or shares common branding (e.g., shared name, service mark, or trademark) with a “business.”
Lastly, the Act also contains portions directed specifically to service providers, third parties, and persons as defined by the statute.
Relationship and Priority with Existing Laws
There are certain corporate business entities that are not subject to the CCPA because they fall under existing federal legislation that supersedes the California legislation.
The California Civil Code (Section 1798.145) describes how the CCPA relates to existing federal, state, and local laws and enforcement agencies for entities subject to other privacy, security, and breach-notification rules, as a means to mitigate conflicts. It specifically states that the CCPA shall not apply to:
- (c) Medical information governed by the California Confidentiality of Medical Information Act or protected health information under the federal Health Insurance Portability and Accountability Act of 1996 (A), providers of health care and covered entities governed by those laws (B), and information collected as part of certain clinical trials (C),
- (d) Consumer reporting agencies, to the extent limited by the federal Fair Credit Reporting Act,
- (e) PI collected, processed, sold, or disclosed under the federal Gramm-Leach-Bliley Act and the California Financial Information Privacy Act, and
- (f) PI collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act.
It is important to note, however, that businesses subject to the above-listed statutes may also be required to comply with the CCPA for the personal information not covered by those listed statutes.
GDPR Data Subject vs. Consumer CCPA Rights
The GDPR mandates specific controls and facilities for managing personal, or ‘data subject’, information, directed at furthering individuals’ rights to control their data, including the ability to:
- Access and review their data,
- Control how their data may be used (e.g., restricting automated processing, managing the use of website cookies, especially for social media and cloud-based services),
- Object to processing,
- Rectify inaccurate data,
- Restrict processing and obtain erasure,
- Port their data (including obtaining a copy in a machine-readable form),
- Receive transparent information on how an organization uses their data,
- Grant and withdraw consent,
- Be forgotten (e.g., erasure of links to and copies of their data), and
- Be notified when breaches likely to result in a high risk to them occur.
A summary of the individuals’ rights directed towards giving back control of their personal data includes (not intended as a substitute for the text, nor exhaustive, but provided as a guide):
- Data subject rights [Articles 12, 15, 20], specifying (a) data portability, i.e. how data are shared or transmitted between controllers and the data subject, (b) erasure, including links to and copies of the data, (c) the right to access and review their data, and (d) restriction of processing while complaints or discrepancies are being resolved,
- Right to erasure [Article 17], sometimes referred to as the ‘right to be forgotten’, covering erasure of links, copies and other replications of the data subject’s data,
- Consent [Articles 6, 7 and 8 (children)], specifying that the individual must grant consent, the conditions that make consent valid, and the provisions for its withdrawal,
- Personal data breach [Articles 33 and 34], specifying that the supervisory authority must be notified within 72 hours of the controller becoming aware of a breach, that affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them, and that a breach register is maintained,
- Wholly automated decision-making and sensitive data [Articles 6, 9, 21, 22 and 89], delineating additional thresholds where location, movement, health and personal-preference data are processed, and specifying that processing of ‘special categories’ of personal data is prohibited without the individual’s explicit consent unless permitted by applicable EU or Member State law, and
- Fair processing information notices [Articles 13, 14 and 30], requiring that information be made available to data subjects in a concise, transparent, intelligible and easily accessible form, detailing processing operations and their purposes, the storage period for the subject’s data, a clear statement that consent may be withdrawn, any wholly automated processing, and any export of the subject’s data.
For a more in-depth look at the GDPR, please see TechVision’s The New European Privacy and Data Protection Regulations – Compliance or Consequences report.
In a nutshell, the GDPR is a comprehensive data protection regime that covers security, accountability and the lawful basis for all processing, whereas the CCPA is narrower and centred on consumer privacy rights over collection, sale and disclosure. Several concepts called out in the GDPR are therefore absent from the CCPA, including:
- Data protection impact assessment (Article 35),
- Demonstrated compliance or principle of accountability (interlinked throughout),
- Data portability (Article 20),
- Distinction between ‘data’ Processor (Article 28) and Controller (Article 24),
- Data Protection Officer (Article 37) and their tasks (Article 39), and
- Data protection by design and by default (Article 25).
Nevertheless, certain common underpinnings are found in both the CCPA and the GDPR, including:
- Obtaining consent,
- Disclosing what data collected and for what purpose,
- Disclosing how the data is processed,
- Breach accountability (GDPR notification under Articles 33 and 34; under the CCPA, a private right of action for breaches caused by a failure to maintain reasonable security, 1798.150, alongside California’s existing breach-notification statute),
- Right to be forgotten (GDPR) or deleted (CCPA), and
- Prohibit sale (CCPA) or limit types of processing (GDPR).
These common underpinnings should be given particular consideration as you build out your enterprise privacy and data protection program.
GDPR Compliance: High-Level Action Plan
Companies may seek to leverage their GDPR compliance efforts (since GDPR came first) to achieve compliance with CCPA. While the requirements are not identical, a few of the higher-priority GDPR compliance activities that may overlap and support CCPA compliance include:
- Appointing and staffing a Data Protection Officer role;
- Conducting a Data Protection Inventory Assessment (evaluate available commercial off-the-shelf (COTS) tools), for example documenting what data is collected and held, from whom and where it came from, to whom and where it is disclosed, how it was obtained, and the legal basis for each type of processing performed on the data;
- Developing an education and training plan supported by updated company policies and procedures, to ensure staff understand how the rules impact their role, understand what they need to do to secure each client’s personal information, and how to respond to data subject requests;
- Writing specific contractual terms into supplier agreements;
- Orienting the current organizational structure in accordance with regulatory and industry-specific guidance;
- Introducing Privacy-by-Design into ongoing IT infrastructure development activities (especially at access points);
- Developing a robust Access Policy;
- Procuring or developing solutions to address the need for centrally-managed administration for identity and access capabilities;
- Establishing a Data Loss Prevention (DLP) Program, including the acquisition of appropriate technologies;
- Preparing and updating the data security breach plan to explicitly address the requirements;
- Procuring tools for governing unstructured content stored off premise;
- Evaluating potential Governance, Risk, and Compliance (GRC) solutions applicability to meeting inventorying, management, audit, and reporting needs;
- Developing requirements for and evaluating potential data encryption and other technical security solutions;
- Investigating and examining current supplier product roadmaps to understand how they will incorporate support for applicable privacy legal requirements; and
- Evaluating COTS tools for generating and distributing disclosure content regarding the personal information collected, processed, and stored, and for acquiring consent from the individual.
In the end, some will observe that protecting user data, requiring explicit consent for its use, and properly communicating with and educating individuals is simply a recipe for good data protection and privacy hygiene, and they would be correct. These recommendations are similar (if not identical) to those we have been giving our customers for years as best practices for improving the enterprise’s security posture, better protecting personal data and mitigating risk.
CCPA Definitions – The Devil is Buried in the Details
But such obvious prescriptions as those listed above are not clearly incorporated in the CCPA, although some may be included in the California Attorney General’s pending regulations. To get a good understanding of the CCPA’s requirements, begin with Cal. Civ. Code Section 1798.140, since significant underpinnings of the statute are found in its definitions. Of the 25 terms defined in this section, understanding the following short list is recommended in order to fully appreciate the requirements of the statute as a whole:
- Business
- Business purpose
- Collects, collected, or collection
- Commercial purposes
- Consumer
- Device
- Personal information
- Processing
- Sell, selling, sale, or sold
- Service provider
- Third party
CCPA ‘Reasonably Accessible’ Construct
There are a number of underlying constructs within the CCPA’s Legislative Counsel’s Digest. Perhaps the most significant construct is the expectation of “reasonably accessible to consumers” — meaning that where the CCPA requires a business to engage with California Consumers, the business must do so in a manner reasonably understandable and accessible to such California Consumers.
The “reasonably accessible to consumers” clause may be found under Cal. Civ. Code Section 1798.130, where:
“ (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:
(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.”
And under 1798.135, where:
“(a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
(A) Its online privacy policy or policies if the business has an online privacy policy or policies.
(B) Any California-specific description of consumers’ privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.”
To gain an appreciation of the specificity of these compliance requirements, we can look to the 2019 French data protection authority’s GDPR enforcement activity against Google. The French data protection authority (also known as the CNIL) alleged that Google’s customer notices, including those explaining how to exercise GDPR-provided data subject rights, were not easily accessible to the data subjects themselves. The CNIL alleged that this information was spread between various options and connections, required activation of a special setting, and required completion of several steps before a data subject could initiate a GDPR-provided request, resulting in a process that was unclear and difficult to implement.
The reason for presenting this example is to explore and discuss how this came into being. In short, Google comprises many application-specific nodes realized in the cloud that came into play through various business acquisitions. These distributed nodes were never fully linked and integrated together in a cohesive, centralized, and privacy-centric way.
Simply put, if your organization’s information technology underpinnings were built or assembled in a manner similar to Google’s, careful examination and attention to architecting a compliant solution will be paramount in realizing compliance and mitigating risk.
Recommendations
The regulatory stakes are getting higher for large enterprises in the privacy and data protection areas. Businesses in violation of, or noncompliance with, these emerging laws are subject to injunctions and liable for civil, and even criminal, penalties. As more privacy regulations are enacted, companies will need to be responsive to these changes. Being in compliance with privacy laws is a global, company-wide undertaking to ensure responsive policies, processes, procedures, and training are realized in day-to-day operations. This is an emerging area of focus for most large enterprises and will continue to increase in importance over the next several years. This is due to the combination of the new laws and how organizations are expanding their Digital Enterprise programs. The combination of tighter regulations and more aggressive digital programs is a perfect storm that needs to be managed.
In order to realize compliance with the current and upcoming data privacy requirements, TechVision Research recommends companies embark on the following best practices.
Develop an Awareness of Future State, Federal and International Laws
It is anticipated that most large organizations doing business in California will also conduct business in one or more EU member states and will be subject to both sets of regulations. It is also anticipated that many companies doing business in California also conduct business in one or more other states within the U.S. and either are or will soon become subject to additional state-level regulation. This complexity will continue to escalate over the next 10 years. TechVision Research recommends that all large organizations, even those that are not subject to the GDPR requirements, become keenly aware of these regulations and have a well thought out privacy/data protection strategy, as we expect future state/local, federal, and international law to largely adopt the GDPR as a foundation.
Get Your Legal and Privacy Teams Involved
General Counsel and privacy teams should review existing laws to determine the privacy, data protection and security requirements applicable to the business. Once a core set of requirements is identified, administrative, organizational, and technical compliance controls may be implemented. Key areas of focus may include:
- As quickly as possible, assess your General Counsel’s interpretation and position with respect to the breadth and extent of CCPA applicability to the business.
- Begin leveraging current technology underpinnings to address CCPA concerns by constructing carefully-crafted agreements with existing and future hardware, application software, and other service providers to ensure that applicable CCPA requirements are addressed.
- Review and update existing privacy policies and procedures including notice/end user (license) agreements and externally-facing privacy notices. Provide the IT department suitable language covering CCPA-provided rights and definitions and instruct which consumer-facing web pages need to be created or modified as appropriate, including incorporating CCPA-required links, where consumers may exercise their CCPA-provided rights.
Enable a Data Privacy Program (not a Project!)
This title is key: Enterprises need to move from a reactionary mode when it comes to data protection and privacy and be proactive in developing a sustainable enterprise-wide program. GDPR was the tip of the iceberg; this will escalate over the next decade and these challenges can only be properly addressed by a well thought-out and carefully architected Privacy program.
Establish and manage the internal privacy compliance activities as a formal company program by assigning a lead (potentially adopting applicable tasks and responsibilities as presented in Articles 37 and 39 for a DPO in the GDPR), building a team, creating a budget, formalizing a plan of action reflecting the General Counsel’s position, and educating the team members and employees on how to handle personal information going forward.
Conduct a Thorough Data Inventory and Gap Assessment
After designating a program leader, most programs should start by gaining a detailed understanding of the PII you have; what data is collected, from and by whom; where, how, and by whom it is used (i.e., processed); and where it moves and resides (e.g. database systems). This may be a good time to review your overarching Business Data Architecture, but certainly a focus on PII is a good starting point.
This inventory should cover all personal data while in transit (data transferred off-premise) and data at rest during the course of business operations. This should include examining entity relationship diagrams and database schemas and/or using a machine learning tool, such as a data loss prevention (DLP) tool (e.g., BigID, which finds and analyzes identity data across structured, unstructured and big data sets), but it is paramount to first identify what data you collect, where it is stored, and how it is processed. This inventory assessment needs to include documented results in order to develop and implement the necessary administrative, organizational, and technical controls.
Once a company’s personal information is inventoried and mapped, it is important to conduct a thorough analysis to identify gaps between the regulations and your current state. This will provide the foundation for defining the necessary changes and initiating the design and implementation work.
Exercise Appropriate Data Protection
One mitigating control to consider involves protecting personal information within and outside of your organization’s boundaries. A good starting point is to establish a Data Loss Prevention (DLP) program to formalize policies, processes, and tools and to establish DLP as a key component of your IT infrastructure.
From this program, a DLP tool or set of tools may be procured, installed, and operated to discover, monitor, and protect outbound unstructured data from exposing personal information (e.g., preventing data leaks from the cloud, employee email, and so forth). In concert with DLP activities, the program should also procure and install tools for governing unstructured content stored off premise.
Another initial stepping-off point for protecting personal information will involve developing requirements for, and evaluating, potential data encryption solutions to meet the need for de-identifying, pseudonymizing, and encrypting personal information stored in the data layer. In TechVision’s recent report “Decentralized, Blockchain-Enabled Identity Services Gain Traction” some improved data protection and consent models are addressed. It is also important to understand the specific business necessity and consent requirements for all PII your organization is collecting.
Address Authentication, Authorization and Governance
Another mitigating control is to implement enterprise-wide Identity and Access Management (IAM) infrastructure, policies, processes, and governance. Key IAM considerations as we have touched on in a dozen or so other reports and key activities supporting compliance should include:
- Careful examination of your existing access and authorization management framework and proactively addressing authorization gaps to close exposures (governance) and enhance and reinforce access policy.
- Developing or procuring solutions to address the need for centrally-managed administration for identity and access capabilities, including tools that fall under the Identity Governance and Administration (IGA) umbrella. These tools provide robust access review, request, and certification for access privileges to sensitive information realms, applications, and data repositories. For more information on IGA, please see the TechVision report “Designing and Implementing an Effective Enterprise Identity Governance and Administration Program”.
- Properly vetting and training employees (and contractors, where appropriate) and installing Multi-Factor Authentication (MFA) and anti-phishing technologies where needed to prevent virus and malware infiltration from email. For more information on MFA, please see the TechVision report “Multi-Factor Authentication (MFA): Enterprise Strategy and Market Assessment”.
- Deploying privileged access management (PAM) tool(s) to better ensure system, application, network, and database administrators are properly credentialed, monitored, and revoked. For more information on PAM, please see the TechVision report “Privileged Access Management: More Necessary Than Ever as Cloud-Shift Intensifies”.
- Properly vetting customers where necessary and considering what procedures are required to validate and assess received data subject requests. For example, consider the various age requirements regarding a consumer’s ability to grant consent. Does your business collect and store date of birth information today as part of the contact information profile? How will your business vet individuals to ensure they are authorized to act on behalf of another individual in terms of granting consent? What CCPA-provided defenses will be contemplated before acting on a consumer request?
Evaluate Processes, Procedures and Support Systems
Some additional areas include starting with ‘privacy by design’ principles when architecting support systems and their underlying applications including:
- Forming an incident response team and appropriate procedures to address incident and breach detection/identification and corresponding mitigation, notification, and reporting,
- Training employees on how to identify, mitigate, and report errors in day-to-day operations and activities,
- Securing “Bring Your Own Devices” used by employees (and contractors, if applicable) and managing lost and stolen devices and security fobs, and
- Implementing an enhanced consent capability to all front-end customer and employee business processes known to collect personal information.
Enable Consumer Support
The potential for increased interaction with customers when enabling new privacy protection measures is to be expected. Some key considerations for managing customer support more smoothly include:
- Creating toll-free telephone numbers, email addresses, and/or web portals to receive consumer requests and training operators of such outlets accordingly (refer to CCPA 1798.130(a)(6) and 1798.135(a)(3)). Position customer support operators to use the same web pages as are available to online consumers to capture verbal requests submitted by phone. These ‘over-the-phone’ requests should be tracked by an additional field recording the operator ID, sufficient for audit and tracing purposes.
- Anticipating a potential increase of verbal (over-the-phone) inquiries during the first weeks of enforcement and estimating and training staff accordingly. Similarly, appropriately estimating expected web page hit rate volumes will be helpful to ensure sufficient network bandwidth and front-end server performance.
Measure, Test and Demonstrate Compliance
TechVision strongly urges its clients to begin creating formal test plans to measure and demonstrate compliance with CCPA both now and periodically over time. The CCPA requirements are not (in our opinion) logically laid out and related requirements appear to be randomly distributed throughout the statute; thus, constructing test plans/procedures early on will bring structure and organization to the build of a CCPA compliance program and ongoing testing will determine and demonstrate effectiveness of such program.
Measuring is fundamental and required by GDPR to be able to ‘demonstrate compliance’; however, it is not explicitly stated within the CCPA. Regardless, TechVision Research strongly suggests businesses adopt the “demonstrate compliance” mantra presented under the GDPR. For example, many of today’s existing IAM underpinnings lack sufficient capabilities for identifying and protecting personal information as well as the ability to audit and report on access and use of assets. Although not directly required by the CCPA, implementing demonstrative measures of controls is fundamental to realizing, promoting, and proving compliance. These are areas where improved technical approaches to data security, such as DLP, data encryption, use of distributed ledgers and auditable access control policies/IGA, can provide demonstrated compliance.
From a higher level, companies must consider how they will test and measure whether they are in compliance. One exemplary compliance requirement, buried within the definitions presented in Cal. Civ. Code Section 1798.140(r), requires businesses to ensure personal information cannot be attributed to an individual consumer, where:
“(r) “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.”
(Emphasis Added)
Businesses relying on pseudonymization techniques to protect individual consumer’s data must ensure such information remains separate through all processing and operations. How will this be tested and demonstrated across the entire suite of IT processing platforms for data at rest, in transit, and exported?
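As an added illustration of the 1798.140(r) definition quoted above and of how the separation it demands can be tested (example code written for this discussion, not from TechVision or any vendor), the following keeps the re-identification key and mapping in a separate vault object, derives keyed tokens so access and deletion requests can still be serviced, and runs a leak check over the working dataset that also catches an identifier copied into a free-text field. All records, field names and class names are constructed.

```python
import hashlib
import hmac
import re
import secrets
from typing import Any, Dict, List, Optional

# Fields that directly identify a consumer in the constructed sample schema.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


class PseudonymVault:
    """The 'additional information' of 1798.140(r): the secret key and the
    token-to-identity map. It belongs in its own store, under its own access
    controls, never alongside the pseudonymized working dataset."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._identities: Dict[str, Dict[str, Any]] = {}

    def token_for(self, email: str) -> str:
        # Keyed hash: the same consumer always maps to the same token (so access
        # and deletion requests can be serviced), but without the key nobody can
        # recompute tokens from guessed e-mail addresses.
        msg = email.strip().lower().encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]

    def pseudonymize(self, record: Dict[str, Any]) -> Dict[str, Any]:
        token = self.token_for(record["email"])
        self._identities[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["consumer_token"] = token
        return working

    def reidentify(self, token: str) -> Optional[Dict[str, Any]]:
        return self._identities.get(token)


def records_for_consumer(vault: PseudonymVault, dataset: List[Dict[str, Any]],
                         email: str) -> List[Dict[str, Any]]:
    """Service an access request while the dataset itself holds no raw identifiers."""
    token = vault.token_for(email)
    return [r for r in dataset if r.get("consumer_token") == token]


def find_identifier_leaks(dataset: List[Dict[str, Any]], known_values: List[str]):
    """Compliance check for a dataset at rest or exported: flag retained identifier
    fields, values matching e-mail/phone patterns, and any value equal to a known
    consumer identifier (catches free text copied from the raw record)."""
    known = {v.lower() for v in known_values}
    leaks = []
    for idx, rec in enumerate(dataset):
        for field, value in rec.items():
            text = str(value)
            if field in DIRECT_IDENTIFIERS:
                leaks.append((idx, field, "identifier field retained"))
            elif EMAIL_RE.search(text) or PHONE_RE.search(text) or text.lower() in known:
                leaks.append((idx, field, "identifier value in non-identifier field"))
    return leaks


# Constructed sample CRM records; every value is illustrative only.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com", "phone": "415-555-0101",
     "state": "CA", "purchases": 3, "notes": "prefers email contact"},
    {"name": "Bob Sample", "email": "bob@example.org", "phone": "650-555-0199",
     "state": "CA", "purchases": 1, "notes": "opted out of marketing"},
    {"name": "Alice Example", "email": "alice@example.com", "phone": "415-555-0101",
     "state": "CA", "purchases": 2, "notes": "callback requested at 415-555-0101"},
]


def build_working_dataset(vault: PseudonymVault) -> List[Dict[str, Any]]:
    return [vault.pseudonymize(dict(r)) for r in RAW_RECORDS]


def known_identifier_values() -> List[str]:
    return [r[k] for r in RAW_RECORDS for k in DIRECT_IDENTIFIERS]


if __name__ == "__main__":
    vault = PseudonymVault()
    working = build_working_dataset(vault)
    print("raw dataset leaks:", len(find_identifier_leaks(RAW_RECORDS, known_identifier_values())))
    print("working dataset leaks:", find_identifier_leaks(working, known_identifier_values()))
    print("Alice's records:", len(records_for_consumer(vault, working, "alice@example.com")))
```

The third record shows why field-level pseudonymization alone does not satisfy the definition: the phone number survives inside a free-text note, and only the dataset-level check surfaces it.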
To reiterate, one potential benefit resulting from implementing formal test plans and adopting the GDPR’s “demonstrated compliance[1]” may emerge down the road when required to respond to California Attorney General’s Office enforcement actions or private rights of action.
TechVision Research believes there is great potential for consumers bringing private rights of action under the CCPA based on perceived noncompliance. Having a fully-implemented compliance program along with a complementary set of test procedures may go a long way in thwarting litigation and enforcement actions.
Testing goes beyond just measures directed toward evaluating regulatory compliance prior to the July 1st, 2020 enforcement date. For example, in order to ensure ongoing compliance, businesses will need to come up with a means for managing the queue of incoming consumer requests to ensure that the 45-day response requirement is being met on an ongoing basis for both web site and telephone submitted actions.
Follow Industry Leaders
Companies large and small are being challenged by the dramatic increase of privacy regulations at the federal, state, and international level, and numerous future regulations are in the pipeline or under consideration. It will be imperative for all businesses to build an awareness of how other organizations are addressing data privacy, to leverage insight gained from their expertise, and to examine what tools are available for supporting architectural, design, and operational initiatives including:
- Data Architecture and Strategy (e.g. management, classification, etc.),
- Capability modeling and prioritization, and
- Outsourcing various aspects (e.g. data encryption at rest and in transit) to cloud services.
A good way to follow leaders (or assist in the leadership process) is to join and participate in professional groups such as the International Association of Privacy Professionals (IAPP) and various industry-specific groups that are focused on data and consumer data privacy.
Make Use of Helpful Data Privacy Facilitating Tools
Appendix A is a short list of tools offered by companies directed to facilitating and ensuring regulatory compliance regarding an individual’s personal information. It discusses a few potential tools currently offered by suppliers, including:
- Microsoft Dynamics and Compliance Manager,
- RSA Archer governance, risk, and compliance solution, and
- SAP and PeopleSoft pseudonymization and encryption.
The global privacy regulation landscape is in flux – and is likely to remain that way for many years. Burying one’s head in the sand is not a viable strategy for dealing with this fact. The newly enacted CCPA will become enforceable in just under one year. Many other states are legislating and regulating in this space, as well. When considered in combination, the privacy landscape is quickly becoming even more complex, burdensome, conflicting, and perhaps constitutionally problematic.
Regardless, with expected limitations and problems that may exist within these regulations, businesses can no longer afford to overlook or postpone tactically and strategically addressing the need for data privacy in an Internet-connected world.
About TechVision
World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have it. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the hype from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors when they carry out a product and strategy review and assessment, a requirement analysis, a target market assessment, a technology trend analysis, a go-to-market plan assessment, or a gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.
About the Authors
John Myracle is a technical specialist with a broad technology and diverse business background. Mr. Myracle combines knowledge of intellectual property with product conceptualization development and delivery. Experience includes communicating business, financial, and technical objectives between legal, sales, marketing, and development teams for banking, communications, optical transport network management, security, mobile, and medical device applications. Patent experience includes drafting 100+ applications and monetization.
Mr. Myracle is a seasoned system/solution architect, product manager, and senior consultant with 35+ years of experience at Booz-Allen & Hamilton, IBM, and Southwestern Bell Corporation. Core focus areas range from satellite vehicle operations and electromagnetic pulse hardening to European Union GDPR compliance and smart contracts on blockchain.
Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include identity and access management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.
He was President of Burton Group from 1999 to 2010, the leading technology infrastructure research and consulting firm. Mr. Rowe grew Burton to over $30+ million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President at Gartner.
Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.
While leading consulting at Burton Group for 10 years and security, and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.
Appendix A: The Role of Technology in CCPA Compliance
Most organizations are still in the process of evaluating CCPA requirements and assessing the impact on their organizational structure and mechanized systems.
A number of useful technologies are available for helping organizations address CCPA privacy measures. Two specific examples include Microsoft Dynamics and RSA Archer, technology solutions considered as “governance, risk, and compliance” (GRC) offerings. Dynamics may be a good solution for organizations that have significant investment in other Microsoft infrastructure and solutions. RSA Archer provides a point of comparison, as it is generally regarded as the premier GRC solution. Note this is not an exhaustive vendor short-list, more an example of how emerging technologies can be used to help achieve compliance with GDPR, CCPA and a host of other regulations.
Microsoft Dynamics and Compliance Manager
Cloud-based Microsoft Dynamics and Compliance Manager provides an underpinning for CCPA compliance activities whereby the commonalities between the two (e.g. access and erasure) are met. Microsoft’s Compliance Manager’s embedded GDPR assessment tool can help manage and automate at least parts of this process. MS Dynamics customer relationship management platform can be augmented with web applications such as Truyo to automate consent, disclosure, and opt out requests.
Specifically, Microsoft has stated that their GDPR contract terms governing processing and security of personal data are in compliance with the GDPR rules and requirements. Microsoft claims that their contract terms will govern transfers of personal data to countries outside of the EU, provide for individuals to control access to their personal data including obtaining a copy of their data, correcting/amending/deleting their personal data, and so forth. Presently contractual terms or committed obligations in this area are only made available to Microsoft’s current enterprise customers.
Microsoft has also announced a commitment to support GDPR rules in a compliant fashion for their suite of cloud applications including SharePoint.
RSA Archer governance, risk, and compliance solution
RSA Archer is another offering that can help in CCPA and GDPR compliance. It is a mature governance, risk management and compliance (GRC) product that provides for IT and security risk management, audit management, continuity and disaster planning (as resiliency is a fundamental component within the GDPR), and, like other “compliance-directed” management tools, is currently widely adopted in the marketplace. GRC supports periodic reviews that will help to demonstrate and self-verify compliance. These data governance tools are especially useful in performing an information audit to document a master data catalog with metadata relating to:
- The types of data collected
- Internal data ownership
- Data shared with third parties
- Where the data was acquired from
- Current controls in effect
Appendix B: October 2019 CCPA Updates
Like most government regulations, there will be updates and changes over time. The following are some of the more recent additions to CCPA signed by the California Governor in October.
Here’s the full list of the new laws that amend the CCPA:
- CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355 exempts de-identified or aggregated consumer information from the personal information definition; it creates a one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
- DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
- EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
- CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number, but provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting CCPA requests.
- VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
- PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The amendment also clarifies that the definition of “personal information” excludes de-identified or aggregate consumer information.
- DATA BREACH NOTIFICATION: In the context of data breaches, Assembly Bill 1130 revises the personal information definition to add specified unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document, in addition to those for driver’s licenses and California identification cards, to these provisions. The amendment also authorizes the inclusion, in a data breach notification involving biometric data, of instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on that data for authentication purposes.
[1] Also referred to as the ‘principle of accountability’, requiring ‘data controllers’ to be responsible for ensuring all privacy principles (accuracy, confidentiality, data minimization, fairness, integrity, purpose and storage limitations, and transparency) are adhered to.
