Soon to be the most restrictive privacy law in the U.S., the California Consumer Privacy Act is set to take effect in January 2020. And companies that sit back and assume their compliance with GDPR is enough to meet the new legislation's high expectations are in for a rude awakening, warned a panel of privacy executives at RSA 2019.
"This is not the time to take a wait-and-see approach," said Ruby Zefo, chief privacy officer at Uber, in a conference keynote session. "It’s here, it’s not going to change very much in my opinion, unless it’s to get more onerous for businesses, so you really should start prepping now."
"Absolutely, if you’re not already started, now is the time," said Kalinda Raina, senior director and head of global privacy and LinkedIn.
"The fact is, CCPA is not GDPR, and it is different. There certainly are things that you probably built for GDPR that will be helpful, but CCPA deserves its own attention," said panel moderator J. Trevor Hughes, president and CEO and IAPP, the International Association of Privacy Professionals.
One of the problems potentially holding up progress for some companies, Zefo suggested, is that privacy experts are still trying to interpret some of CCPA's terms and objectives, including its references to protecting "household data" in addition to individual data.
"I don’t even know what household data is. I don’t really know why I need it if every individual in the household already has their personal information protected," Zefo said. "So there are a lot of ambiguities with it; there are elements that are contradictory."
"Nevertheless, "that's not an excuse for trying, to not to start to preparing for things. It's clear that you’re gonna need it."
While California's upcoming law isn't a carbon copy of GDPR, Raina did suggest that it part of a greater trend she referred to as a "GDPRization of laws across the world," including new privacy legislations recently proposed by countries like Brazil and India and also by individual U.S. states. Indeed, just this week, the Washington State Senate nearly unanimously voted in favor of a sweeping new state privacy law. (It must still pass its House and be signed by the governor.)
This results in a "patchwork" of data privacy laws that gives privacy professionals a lot to think about -- perhaps too much.
"The challenge for anyone working in this space is to figure out what that 'highest bar' is and how you will comply with it and then to figure out those differences... and how are you going to operationalize that on a global scale," said Raina.
"It’s becoming less and less harmonized, which is making it more and more difficult," said Zefo. "And it’s not just now the data breach notification laws; it’s a bunch of other things that you're trying to comply with. This is now going down to the municipality level. can you imagine every municipality having different rules for you?
"So we need some guidance that will help solidify a common approach to this," Zefo continued, "because it's quickly to going to become unworkable for companies and there are already outcries that small-to-medium sized businesses aren’t going to have the resources to figure this out."
For this reason, Raina believes the U.S. will eventually move toward a federal law that will supersede and incorporate a wide range of state-based privacy laws.
"Here in the U.S. we have laws that are different around your financial privacy, your health care privacy, your children’s privacy, your video viewing rights privacy, and all of these need to be taken into account if we get federal legislation," said Raina. "Our lives will be a lot easier if we do have a federal law. The question is: How long will it take for us to get there?"
In the current political climate however, Raina put the odds of a federal law passing this year at only 10 percent. Zefo chose to err on the side of optimizing, forecasting a 30 percent chance of a federal law coming to pass in 2019.