-
Recent Posts
Categories
Archives
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
Public comments show lingering problems with California’s data privacy law
Earlier this month, the California Office of the Attorney General (CAG) held hearings across four cities where the public could offer comments and feedback to lawmakers as part of the rulemaking process for the California Consumer Privacy Act (CCPA). The hearings drew speakers from across a variety of industries, and their oral comments, as well as other written comments sent to the CAG’s office by Friday, December 6, are now available on the California Attorney General’s CCPA page.
While the hearings drew a number of concerns about the new data privacy law, which goes into effect January 1, four core issues emerged.
1. Crucial CCPA terms aren’t clearly defined
The most prominent concern that came out of the hearings was that terms central to the CCPA are unclear, making it difficult for companies to feel fully confident they are in compliance. At the San Francisco hearing alone, speakers said the definitions of personal information (PI) and service provider are unclear, as is what constitutes a sell. Speakers at the Los Angeles hearing made similar comments, adding that other terms like “business,” “reasonable security measures,” and “secure” transmissions of personal information were also unclear.
A common refrain was that the CCPA’s language was too vague or broad and overreaching. As a consequence, organizations have found key sections of the CCPA difficult to operationalize. They worry that the ambiguity of these terms could result in significant unintended consequences. For example, some argued that the broad definitions of PI and business may extend the reach of the CCPA to businesses that the AG likely had no intention of regulating, like small operations that serve fewer than 50,000 California customers but run high-traffic websites using cookies.
2. It’s unclear how CCPA’s scope effects other industry-specific regulation
Several commentators expressed confusion over the CCPA’s scope as it applies to companies that are already subject to industry-specific privacy legislation. At the San Francisco hearing, one speaker, representing a San Francisco credit union, indicated that the Gramm-Leach-Bliley Act (GLBA) and California Financial Information Privacy Act have definitions of PI that differ from the CCPA. She noted, though, that while the CCPA spells out exemptions to PI collected under the GLBA, inconsistencies in the definition of PI between laws have resulted in multiple interpretations about how the CCPA applies to data credit unions collect. Similar confusion may surround other regulations like HIPAA. At the Sacramento hearing, a speaker asked for clarification on how de-identification under the CCPA differs from de-identification under HIPAA, and how any de-identified data exempt from HIPAA should be handled by the CCPA.
3. Smaller organizations will have trouble meeting the January 1 deadline
Given the extensive scope of the CCPA, it’s no surprise that small and medium businesses have expressed concerns about the law’s reach and implications. Some organizations have said publicly that they’ll have substantial difficulty meeting the January 1 compliance deadline. At the San Francisco hearing, two speakers requested the compliance deadline be moved to 2022 to ensure their organizations could build a robust compliance program.
4. The system for data requests could be open to abuse
Speakers at the Los Angeles and San Francisco hearings also raised concerns about the potential for abuse with the request system. For example, they said that if companies were required to take unverified opt-out requests seriously, it could invite mass bot attacks by bad actors, either online or by phone. It’s been argued elsewhere that such abuse could effectively result in data request “denial of service” style attacks against organizations as their staff and infrastructure become tied up in an effort to respond to an unanticipated flood of fake requests. While tools exist to help automate data discovery and responses to data requests, some speakers argued that a “reasonable degree of certainty” should be the standard applied to requests, as that would give businesses more bandwidth to handle the issue.
What happens now?
Now that the hearings and the public comment period have passed, the CAG may use comments to revise the current draft regulations, after which the public will have 15 days (or longer) to provide comments on the revisions. So even though the CCPA goes into effect January 1, 2020, organizations should still expect changes to the law. Stakeholders should follow the rule-making process closely while making sure to submit any concerns to the CAG during the next comment period. Enforcement of the finalized law will begin July 1, 2020; however, organizations must make good faith efforts to comply starting January 1, 2020 and can be held liable for breaches of the law after this date.
Michael Osakwe is a tech writer and Content Marketing Manager at Nightfall AI.
Let’s block ads! (Why?)
Big Data – VentureBeat