Trying to predict the privacy weather report for third party risk?
The dialog on online privacy is heating up in Washington D.C. this week as hearings and industry discussion on the merits of federal privacy legislation were prompted in the wake of the passage of the California Consumer Privacy Act (CCPA). Record snowfall levels have been reported across the country, even in typically sunny California, creating a February for the record books. This month I had the chance to facilitate a teleconference on CCPA to the Shared Assessments Program Regulatory Awareness and Best Practices working groups. Trying to predict the timeline of the implications of CCPA to third party risk is rather like predicting today’s weather report in an era of unpredictability.
For members who may not have participated in the update, I’ll summarize the sunny and cloudy viewpoints on our discussion with a recap: Background on what CCPA is; CCPA Components and Timelines; CCPA Readiness Challenges, and Implications to Vendor Management.
Background on the California Consumer Privacy Act (CCPA)
Since 1972, privacy has been considered an inalienable right under the California Constitution. California has been a leader in putting a spotlight on the sharing of data with third parties. As early as 2003, California’s “Shine the Light” law was an early effort to address the practice of sharing customers’ personal information for marketing purposes. While that initial focus triggered updates to online privacy policies, the CCPA goes even further by putting more control over personal information in the hands of individuals.
A ballot initiative was created in 2017 to address consumer privacy rights by garnering signatures to put legislation on the ballot in the 2018 election cycle. By spring of 2018, the privacy weather forecast changed swiftly with industry disclosures of the sharing of customer data on social media sites. The activists’ ballot initiative had received over 600K signatures, generating a storm of effort to draft a compromise bill that could be modified or amended through the legislative process rather than continuing to put privacy regulations out to voters. So, faster than a 10-day weather forecast, CCPA was enacted by the state by the June 30th, 2018 deadline. Amendments were issued at the start of fall 2018 to address discrepancies, clarify exemptions and provide a planned timeline for compliance.
CCPA Components and Timelines
Privacy professionals have focused on the extra-territorial nature of GDPR, and California’s CCPA is creating a similar privacy tidal wave in that the focus is on the collection, use, and retention of personal information of California residents.
Scope: CCPA is targeted at for-profit organizations that do business in the state of California and collect personal information directly from individuals or on behalf of another entity. CCPA defines trigger thresholds designed to exempt the bulk of small businesses from needing to address compliance. CCPA applies if any one of these thresholds is met: annual gross revenue of $25 million; buying, receiving, selling or sharing the data of more than 50K consumers, households, or devices for commercial purposes; or deriving 50% of revenue from the selling of consumer data, regardless of the size of the organization.
Given that the state of California is the 5th largest economy in the world and only 34 countries in the world have greater populations than California, CCPA will have global implications for digital marketing.
CCPA defines several rights as the primary objective of the legislation. These rights include:
- The right to know what personal information is being collected about them
- The right to know whether their personal information is sold or disclosed, and to whom
- The right to say no to the sale of personal information
- The right to access their personal information
- The right of deletion if there is no legitimate need to retain the data
- The right to equal treatment and price if these rights are exercised
CCPA defines civil penalties for violations of CCPA within defined parameters. The element of CCPA that is driving much of the heated debate is its right of private action. The potential for class action litigation, or the seeking of damages for violations, is triggering a broad discussion on the differences between self-regulatory standards for digital marketing and state-by-state requirements.
CCPA is written from a consumer advocacy point of view. The enforcement will be done by the state attorney general. CCPA comes into effect on January 1st, 2020, with ensuing regulatory guidance to be published no later than July 1st, 2020. The CA AG has indicated they will not enforce the CCPA requirements until six months after the final regulatory guidance is published.
CCPA Readiness Challenges
At first glance, such timelines would suggest CCPA compliance belongs in the Privacy Farmer’s Almanac predictions for next winter. However, the consumer’s rights regarding treatment of their personal data have a “Look-Back” period of 12 months. The processes to address CCPA will therefore need to be assessed and built out into a compliance roadmap that covers data collected in 2019. GDPR provided a 24-month timeline for compliance; CCPA’s timeline is much shorter given the complexities of data usage in the digital landscape.
A readiness or preparation phase for CCPA will tend to focus on self-assessment and review of business processes for the collection and sharing of data. Implementing a full readiness plan will be challenging until final guidance is completed. A six-month timeframe for executing a compliance program may be too short unless preparation activities have already scoped and shaped the depth and breadth of CCPA compliance needs.
Organizations that have already had to build out privacy business processes and infrastructure will likely have a sunnier outlook for CCPA compliance, since they are simply extending existing capabilities to the new CCPA requirements.
Key themes for preparation activities:
- Data Governance: Creating and maintaining adequate data inventories and data flows, including third parties, for data viewed from a “marketing/selling” point of view.
- Consumer Advocacy: Developing the business process enablement and automation of consumer rights to access and delete data, which typically lives in unstructured data stores.
- Digital Marketing Disruption: Assessing the marketing, brand, and customer satisfaction risks of implementing limitations on the “selling” of customer data. Organizations may make business decisions in 2019 to change how, or whether, they share customer data.
- Vendor Management: Identifying contract provisions with third party vendors and then defining sufficient due diligence based on the service they perform.
- Reasonable Security: Conducting reviews or self-assessments of data security safeguards. With the expanded focus on information security controls for marketing data, beyond the traditional “PII” focus, security controls will need to address the digital landscape, mobile, and devices at a much greater level of detail.
Implications for Vendor Management Functions
The digital marketing landscape has layers of third-party relationships. CCPA will trigger the need to identify the applicable third parties that will require affirmation of their obligations to limit the use of personal data beyond the terms of the contract.
3 Things to Think About
- A “service provider” for the purposes of the CCPA is an entity that processes personal information “on behalf” of a business. The vendor or “service provider” must be bound by a written contract that prohibits the use of personal information for other purposes.
- CCPA requires that the contract with an in-scope service provider include a “certification” that the entity receiving the personal information understands the restrictions in the contract and will comply with them.
- These obligations will require updates to key third party risk governance processes, not only to address the contract terms and limitations but also the corresponding third-party assessment process for due diligence and testing of the controls.
CCPA Vendor Readiness Focus Areas
The final rulemaking for CCPA will be initiated by the CA Attorney General after a series of workshops, hearings, and outreach to the industry. While final interpretations and the potential for additional amendments make final scope and timeframes a bit cloudy, there are preparation and readiness steps organizations can do this year.
For businesses that use third parties, particularly in the online or digital marketing landscape, a starting point is to assess the current vendor inventory and contracts to create a baseline. Vendors who support their clients in the digital marketing landscape can begin to assess their role and the data they process, and be prepared for additional scrutiny in the due diligence process.
The privacy landscape will continue to evolve, and CCPA dialog will likely continue through spring and summer of this year. The bottom line is that CCPA is creating momentum for the U.S. to adopt a different approach to digital privacy practices, and that will impact the third-party providers that enable the digital ecosystem.
The Shared Assessments Program’s Privacy Committee will be monitoring CCPA developments to identify impacts to standardized questionnaires, privacy tools, checklists, and testing procedures for the next 24 months. If you or your organization would like to participate in the Privacy Committee or CCPA sub-committee, please click here to sign up to participate in the committee.
Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.