What does every business need to know about the new California Consumer Privacy Act?
What does the CCPA mean for information sharing?
And how should organizations approach California's new privacy act?
"We are at a time right now where the sharing of information is more important than ever before. We practice very open business models," and now the new law restricts this, says Lothar Determann.
We are so thankful we ran into him after his session at a SecureWorld cybersecurity conference because he has the answers to questions about the new data sharing restrictions taking effect in 2020 in California.
Determann is a partner at Baker & McKenzie and a privacy law professor. He grew up in the German state of Hessen, which enacted the world's first data privacy law many decades ago. It's no wonder he is so passionate and informed on this topic.
You can watch our complete video interview with Determann, or see excerpts from our interview below.
[SecureWorld]: GDPR vs. CCPA. Are Europe's GDPR and California's new Consumer Protection Act the same?
[Lothar Determann]: California was in 2002 the very first jurisdiction in the world to pass a data security breach notification law requirement, which was generally thought to be a good idea. It was a law that didn’t impose any sanctions on companies—after all, company’s are the victims, the first victims of a breach. But it required companies to disclose to the individual data subjects that their sensitive data categories were lost. All U.S. states now have a similar law; many countries around the world followed suit.
Very late in the game—the Europeans only since May 25, 2018, with the GDPR—does Europe now have data breach notifications. So the Europeans were following California on that one, but also added a few other things. So when California did pass the California Consumer Privacy Act, it did follow some of the European models, as well.
[SW]: What are the California Privacy Act's biggest impacts on organizations?
[Determann]: I think one of the biggest topics for business will be this very expansive and counter-intuitive idea of selling a person’s information. Businesses will now have to get a head around what that means to them. Potentially, any sharing of information is impacted, and they’ll have to take inventory of where they are sharing with other companies.
We are at a time right now where the sharing of information is more important than ever before. We practice very open business models, open source code licensing, open data, maybe open cars with connected vehicles that have to be built more modular. We need to train artificial intelligence with data. We have various new models of data monetization that have really jumped progress in the information technology sector.
And so there is a lot of sharing going on, and it’s being encouraged and is necessary for certain business purposes. And now, this law restricts the sharing with very expansive disclosure obligations, and also requirements to give individuals a choice whether the data is being shared under the circumstances.
[SW]: We've heard this could even impact what types of information you can share with vendors, like cloud providers. Is this true?
[Determann]: You have to look not only for compliance with your own company but to the extended enterprise. Your service providers, your business partners, many companies use cloud solutions, which by definition involve sharing personal information for consideration because there are some contractual clauses that will create conservation. And that is something companies now have to take a closer look at, how they want to continue that, what kind of restrictions they’ll have to put on business partners to match their own strategy on how to comply with this new law.
And Determann also warns organizations about something else: Continue preparing for the California Consumer Privacy Act, regardless of an increasing push for a federal privacy law.
"What I tell my clients is that the work of preparing for this [California law] and having a strategy on this topic is not going to be wasted.
I think companies are going to be held more accountable how they’re going to be sharing what information with whom. They’ll have to have robust contracts on this and reassess whom they want to do business with and under what circumstances."
In other words, more data sharing restrictions are likely, regardless of whether the law comes from the EU, a single state, or the United States.