California’s Tough New Privacy Law and Its Biggest Challenges

The California Consumer Privacy Act has been adopted, but the largest U.S. privacy regulation fails to address how companies can know where their data is.

The California Consumer Privacy Act is being touted as one of the strongest privacy regulations in the U.S. enacted so far. However, though the CCPA was adopted on January 1, 2020, the act still has several loose ends and privacy loopholes that need to be fleshed out.

At a high level ,the CCPA mandates strict requirements for companies to notify users about how their user data will be used and monetized along with giving them straightforward tools for opting out.  However, one of the bigger challenges with the CCPA is the question of tracking the location of that user data, Terry Ray, SVP and fellow with Imperva, tells Threatpost.

“That might be well out of sight outside of the database that’s being sold, it could be a marketing database or a particular one-month long program that gave some kind of special promotion that people sign their names up to and it gets stuck in the database. It’s hard to find that stuff, particularly the older it is,” he said.

Listen to the full conversation below (or download direct here) between Threatpost and Ray regarding the pros and cons of CCPA – as well as what the groundbreaking privacy act means for U.S. security regulation as a whole.

Below is a lightly-edited transcription of the podcast

Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast and happy new years to all of our listeners. It’s only been a week and already there are all kinds of data breaches and crazy security stories that we’re seeing in 2020. But I wanted to talk about one news item in particular, which is a landmark privacy rights U.S. bill that took effect on January 1, 2020, to really start off the new year there. And that is the California Consumer Privacy Act, or CCPA, which was adopted in California. So joining us today to talk about the CCPA and the implications of this new rule on businesses and on regulatory efforts nationwide, is Terry Ray, and Terry’s a senior vice president and fellow at Imperva. And he’s going to chat more about CCPA. So Terry, thanks so much for joining us today.

Terry Ray: Of course. Thanks for having me, Lindsey. I appreciate it.

LO: So CCPA is one of the strictest privacy laws in the U.S. that’s been adopted thus far. And I know, Terry, from a high level that the law mandates strict requirements for companies to notify users about how their user data will be used and monetized and giving them straightforward tools for kind of opting out. But can you tell us a little bit more about the ins and outs of the CCPA and really what it means for businesses from a high level?

TR: Sure, yeah, absolutely. You know, it’s interesting as you watch all of the different regulations begin their rollouts, their maturity and their growth through the years. Even if you start with PCI and HIPAA, and on and on… all the way through, most recently GDPR, and now CCPA. We look at these types of regulations, you see shadows of all the regulations that came before it in most of them. So what you see a lot of in CCPA are a lot of the same sorts of things we saw just a few years ago when GDPR transformed to be working for America.

So CCPA changes a little bit of it in that CCPA says, look, you know, we’re not asking everybody to comply to this, we’re asking people that are going to store what California considered a reasonable amount of data – 50,000 records – if you store more than that you’re relevant to CCPA, you have to start thinking about how am I going to protect that data, monitor that data, find that data and ultimately deal with processes around the potential breach of that data. So there are a lot of things that go into an overall regulatory compliance practice within an organization. But for those organizations that have already done regulatory compliance around consumer information, they’re probably in a pretty good position to roll right into CCPA without a lot of additional effort, both from a process perspective, potentially even hiring what even GDPR said was a data privacy officer or someone similar to that kind of role, somebody is ultimately responsible for that data. And ultimately, the technology that falls behind it, the ability to really be able to find and know where my data is, who’s accessing it, why they access it, should they have access to that, etc.

When you bring all those things together, that really is the gist behind a Privacy Act, whether it’s consumer financial records, or whatever a Privacy Act is all about being able to build the processes, identify where you have whatever that data is, where it exists, where your risks might apply, and being able to build controls and monitoring around those risks. So when you laid into those areas, it’s process information and technology that it falls into those categories.

LO: Yeah, that’s a really good point. And you know, when you look at kind of the requirements that CCPA mandates, such as you know, companies disclosing to consumers the information they collect and why they collect it, and you know what, what third parties they share it with as well as kind of honoring consumer requests to have their data deleted, these seem like pretty broad and kind of standard, or should be standard, requests at this point.

If you’re already doing a good job with privacy, then the CCPA seems like it should be pretty easy to be able to follow in terms of compliancy. But what was interesting to me about the news is that, you know, even though it’s been adopted right now, it’s going to take a lot of time for regulators to kind of sort out the implications of this new law and how it’s going to be enforced. And I know that even though the bill officially took effect January 1, I think it was the California Attorney General, who said that the law probably won’t even begin to be truly enforced until July 1, 2020. So I mean, what kind of wrinkles are existing that really need to still be fleshed out? And what challenges are you seeing for businesses that, you know, they kind of need to fulfill in terms of compliancy?

TR: Sure, I think the first point I hear when I read that kind of information from the Attorney General would be, I think July 2020, is very optimistic for them, when they think about we’re going to start enforcing it. And typically what we’ll see, – and that’s not to say they won’t enforce it, they will – But what we’ll see is they will enforce it sparingly and only in the most negligent type cases.

They want to make people aware, yes, there’s there’s a little time to get ready. And we will really be looking at this. But there are many, many companies in many companies that are not remotely ready for this. And as I said earlier, there are some companies that have already done GDPR, I get that, but a lot of these companies that have even done GDPR has only done the basic part of GDPR. And there are a lot of companies that hadn’t even done that because to your point, the regulators aren’t fully equipped yet with what types of questions can I ask? When I get an answer of “no” to one of my questions, is that something that can be easily solved? Or how long should it take a customer to solve that? And in some cases, I see some regulators giving a gap analysis or a particular audit finding as much as two or three years down the road for a customer to actually solve that gap. So we find an audit finding customer can say, “Well, okay, I’ve got two years to fix this. I’ll deal with it later.” So each regulators a little bit different.

The challenges that I see most frequently here are going to be around the items that you noted: The right to be forgotten. The right to note everywhere where your data is actually used within an organization. Whether you whether or not your data is sold or not, of those three is probably the easier one, only because a company’s making money off of that data, so they know what’s being sold and what isn’t. So there’s a monetary link between something they had and something they sell, so there’s going to be some trail of it.

But the other two, “where is your data anywhere in the environment and if I want it deleted, I want proof that it’s been deleted.” Well, that might be well out of sight outside of the database that’s being sold, it could be a marketing database or a particular one-month long program that gave some kind of special promotion that people sign their names up to and it gets stuck in the database. It’s hard to find that stuff, particularly the older it is. It doesn’t really matter how old the data is, or how old the database is, companies have to go out find all of those instances where this private data exists on consumers, and A) know about it, B) monitor it and ultimately give customers see the the ability to identify that exists and delete it. That’s probably the furthest out that companies are right now of the able to truly give people the right to delete data. Because you might anticipate, if I’m going to give you a customer the ability to delete data, I probably am not going to give them a web portal that they can go into and proactively delete their own data. There will be a written process, most likely that they have to go through, go through a program and their data will be deleted. And there’ll be some proof analysis of that.

You might imagine  – a part of my businesses is application security – it would be one of the last things I want to do is to give the world access to delete my data, all that has happened, some vulnerability or some issue. And now people have the right to delete all of my data, they could delete my business. So there’s risks involved in everything that we have here, the more that companies expose their internal data, and there’s a risk to consumers as well based on the type of data that people have. So the challenges that companies have here is that they have to be able to work within the data. And as broad as that seems, that’s just something companies have not done in the past very much, is working within the data with the rare exceptions of where companies are forced to within regulation. So your GDPRs, PCIs, and others. Because this is a new one, the likes of Microsoft’s and Amazon’s and Oracle’s, these kinds of things. They’re multinational global companies. They’ve done their due diligence, they have a number of auditors, they’ve looked where they had this data, and they’ve been able to satisfy auditors. Even in a lot of those companies, I would argue they probably even don’t know really where all their data is. But if they were asked the question, do you know where my where your private data is? The answer is yes, I know it’s at these three databases. If there’s a follow on question, is it possible that that private data could be anywhere else in your environment? The answer is probably it could be elsewhere, but I know for sure it’s in these three, which one of those two, and it’s a rhetorical question, which one of those two satisfies the auditor? And the answer is, it depends on your auditor. Some auditors will say, “okay, you’re telling me it’s in those three database and you’re telling me that’s where it is? Okay, great. That’s good enough for me.” I think the more savvy auditor ask, “you’re telling me, it’s those three databases. Can you prove to me it’s not in 5,000 other databases?”

And that’s the harder question because most companies haven’t gone that extra mile to really scan the entire infrastructure and build controls around where else that may data might actually be.

LO: And to your point, just the amount of data sprawl that we’re seeing all across the ecosystem. I mean, looking back in 2019, there were so many database exposures, where it was just data that was floating around from companies that had been working with another company and then that company closed and kind of left these databases open. I thought those really went to show just this amount of data that is kind of floating out there in the middle of nowhere. And so it’s really a good point. But you were talking about GDPR. And I know that there are a lot of correlations being made between CCPA and GDPR, or the General Data Protection Regulation that was enacted in the EU in 2018. So is it would you say that it’s fair to compare these two efforts? Or is that kind of like comparing apples to oranges in terms of the the breadth and scope there?

TR: I’d say they’re very, very similar and I think companies will handle them similarly. So you know, you look at some of the companies I named a minute ago, right, any any multinational global company that has had to adhere to GDPR. Most of the effort they’ve already done most of the controls they’ve already put in place will apply directly to CCPA. There will be some little changes just here and there, right? There’ll be some things that they have to notify GDPR of, but because of the size or the extent they might not have to notify CCPA. And there might be others where CCPA has to be notified and GDPR doesn’t. So, you know, in, you know, for example, you don’t need to notify GDPR but wasn’t a European Union citizen. Same thing is true of California. However, I think one of the one of the advantages consumers take away from this is that generally companies don’t break up their data, particularly their consumer data based on country or state. I mean, you’ll have a tag in a database that says Terry Ray you live in whenever you live, Timbuktu. But at the end of the day, that’s in the same database as John Smith who lives in you know, whatever, Europe or London or wherever it happens to be. And so the advantage that consumers have is that there’s already controls on private data, i.e., GDPR, that same capacity to be able to handle GDPR is already being done, it’s likely to be the exact same report, they can go straight over to the CCPA auditor, because what’s going to happen is a company’s going to say, Look, you’re only asking for my California residents’ proof of audit and awareness and security, but I’m going to just benefit all my customers. So companies will say we’re taking the extra mile, and we’re not just going to do it for the California, we’re just going to do it for everybody. The reality is it’s significantly easier for a company to do it for everybody, then it would be for them to go out separately, and say, let’s go find all the people that live in California and just do it for them right there on the same database. So it’s one of these serendipitous collisions where the right thing for the consumer actually is the easiest and least costly thing for the for the business. So it winds up getting done and it fits both.

LO: Right, and it might as well kind of slap the PR spin on it too and say we’re just going to do this for all our customers to benefit everyone.

TR:  Right, right, right.

LO: I remember kind of the kind of jumping through those hoops of location was a big deal for GDPR. And now with CCPA, we’re seeing it’s a statewide level regulatory effort. And I know that’s brought up a bunch of debate about kind of state versus federal level regulatory efforts in the US. Is this something that you think we’ll see more of a debate over in 2020 in the coming year, particularly as there are more different types of federal privacy laws that are going to be looked at or what’s kind of the state of privacy laws when it’s state to state versus federal in the U.S. right now?

TR: Well, I mean, today most of the the regulatory compliance, federal regulatory compliance is just handled by the FTC. So typically, what you’ll have is you have a breach. The FTC comes in and asks very simple questions: What was taken? And if your answer is I don’t know, but there’s proof that something was taken, if the answer is I don’t know, then the FTC asks a second question, which is how much do you have? And you say, well, I’ve got whatever, a million records. They say, if you can’t tell me it was five or 10 or 100 or 1000, then it was a million and that’s what we’re going to start with in terms of you know, financial fines, notification, you know, you get to send a physical letter to people, 50 cents a stamp – I think a little more these days – 50 cents a stamp for envelopes, it becomes very costly for companies. So the federal is a little gray area. I think California has set a good example for what other states need to look at. I personally believe it’s a little ways off the federal will start to take any action. California generally tends to be a little forward thinking in, we call it regulatory compliance. For example, you know, you see, you’ve seen the products that are out there seems like everything causes cancer, but for some reason, only in California. This product causes cancer in California, I don’t get it. But that’s the regulation, right? You have to be able to post on there something is carcinogens, if you’re going to sell it in California, so it’s got to be there, so they put it everywhere.

There are some discussions in other states about similar regulatory compliance. So my prediction would be that you’ll see a few other states and I don’t know who’s going to be first but I predict you’ll see a few other states start to take note. And I think from there, then you’ll see some discussions in the federal government but I’d be surprised if the U.S. enacted anything federally for at least five years, would be would be my prediction.

LO: It’s a good point just from, at least in my opinion, all those discussions at the federal level after the Cambridge Analytica craziness and everything was really what jump-started data privacy in the U.S. And that was fairly recently, all things considered; when when we were having those discussions, GDPR was already full-fledged and being rolled out over in the EU. So it kind of goes to show the differences there, but I was going to ask you, just as a final question, do you think that CCPA will have kind of this domino effect on other state level privacy regulatory efforts in the U.S.? I mean, what will this do for the U.S. in general when it comes to privacy laws and regulations that will be the discussed the future?

TR: I think the answer is it depends. And the reason I’d say it depends is a lot of states can look at this and say, California has it. And for the companies that store greater than 50,000 records in my state, most of those companies do business in California and have that many records. So they already have to adhere to CCPA and they’re already doing it for CCPA anyway, do I need to enact something myself? I don’t know if that’ll be the case. But that would be a question I would be asking is, who am I trying to regulate? And if I’m trying to regulate medium and large business, mostly, if they’re already doing business, you know, inter-state with California, do I need to have my own law? What’s the advantage of me having my own law? Can I just piggyback onto what CCPA already has and expand it to be California and Texas, CTCCPA or does it need to be something bigger? You might even find some other companies, some other states ratifying that same law. I think, enough of the constituency, if you will, for the voting public would like to have more control around their private data. I don’t think that’s a stretch at all. But I don’t know how fast other states are going to really enact it. There are there already discussions in other states. And when they do enact it, I would expect them to be very similar, if not identical to California’s law. So I think it could move very quickly in the state level, it’s just the federal level, I think would take a bit longer.

LO: Very true. Well, we will have to see in the coming months, kind of how this rolls out and whether there will be any sort of precedent set for other states. So, Terry, thank you so much for joining us today on the Threatpost podcast.

TR: I appreciate it. Thanks, Lindsey.

LO: Great, and once again, this is Lindsey O’Donnell joined by Terry Ray, the SVP at Imperva. Catch us next week on the Threatpost Podcast.

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles