If you were to ask privacy professionals about how much work they did to prepare for the EU General Data Protection Regulation, you would probably get answers that ranged from “a lot” to “are you seriously asking me that question?”
So it's not surprising to see privacy professionals looking to draw on their GDPR efforts as they get ready for yet another important privacy law, the California Consumer Privacy Act. That topic was the focus of a breakout session held at the IAPP Global Privacy Summit in Washington last week, “Leveraging the GDPR to Comply with the CCPA,” featuring Venable Partner Shannon Yavorsky, BDO Partner and Governance and Compliance National Leader Karen Schuler, CIPM, and Okta Senior Corporate Counsel for Product and Privacy Fatima Khan, CIPP/US, CIPM.
The three panelists spoke in front of a jam-packed room of privacy professionals who hope to take lessons learned from the GDPR and apply them in time for the Jan. 1 implementation date of the CCPA. Given the looming deadline, Yavorsky said she has received numerous daily calls from clients seeking advice. To them she says: Get the attention of senior leadership.
“Like the GDPR, one thing that organizations can do is to make sure that senior leadership is aware of the impact the law is going to have on the organization and to make sure you have them on your side to get the resources you need for the compliance exercise,” Yavorsky said.
Yavorsky added it's important to draft an implementation plan to see what “your roadmap looks like, and what are the milestones you are going to hit before January 2020.” She said privacy professionals should look back at the considerations they had to make before the GDPR came into effect, such as whether they will decide to license software or whether they will silo all the data that comes from California.
Privacy professionals would benefit from comparing the definitions of personal data between the two laws, Khan said.
“The CCPA is GDPR plus,” Khan said. “The GDPR definition of personal information is a good starting point for what the CCPA is and you can really leverage that.”
That’s not to say there will not be some CCPA-specific issues privacy professionals may have to face. Khan said the definition of “households” within the California law is broad and has not been locked down. For example, it is unclear whether internet of things devices linked to a household fall under the “household” umbrella.
Of course, the CCPA as it is written today will likely not be the same bill that goes into effect in 2020. Khan cited three amendments for privacy professionals to keep an eye on, as they “could narrow what you have to do, and how you use your existing GDPR processes for the CCPA.”
The proposed amendments include Assembly Bill 25, which modified the definition of “consumer” to no longer include HR data; AB 873, a bill that revamps the definition of deidentified and removes “household” from the definition of personal information; and AB 874, which would amend the personal information definition to stop covering deidentified or aggregated consumer data.
Importantly, panelists said, the GDPR and CCPA are not carbon copies of one another. Take, for example, privacy by design. It's spelled out in Article 25 of the European rules, but companies that fall under the CCPA do not need to take it into consideration. Despite that, Khan said companies covered by the CCPA should still implement privacy-by-design principles, as they can bolster an organization’s privacy and security efforts across the board, help fight back against class-action lawsuits, and put an entity in a more defensible position in the event of an incident.
While the CCPA is the law currently in the crosshairs of privacy professionals around the world, these dilemmas will likely pop up when the next big privacy law appears down the line, as well. Khan said companies should keep an eye on global legal developments and adjust their policies accordingly.
The CCPA is in flux, and copycat laws will likely appear. Rather than take on each law separately, privacy professionals may benefit from a more concentrated approach.