Greetings from Portsmouth, New Hampshire!
Hard to believe we're in mid-August already, but here we are — dare I say it? — nearing the end of summer. There's nothing quite like August in the Seacoast. There's a sort of bittersweet beauty to it: As the daylight wanes, temperatures cool down, harvested fruits and vegetables taste delicious, while the crickets lend a soothing symphony of sound at night. But I sense this is just the calm before what will likely be a stormy fall in the privacy world, particularly here in the U.S.
To wit: The California Legislature reconvened Monday ahead of what will surely be a busy month debating the merits of several amendments to the California Consumer Privacy Act. Of course, time is of the essence as the legislative body has one month to finalize and pass any changes. And there's quite a bit up in the air right now.
Fortunately, CCPA co-architect Mary Stone Ross shared her thoughts with us on the top issues she'll be watching in the coming weeks. How will "personal information" and "deidentified" be defined? Will the powerful chairwoman of the Judiciary Committee, Hannah-Beth Jackson, pull back any bills if industry successfully pushes for changes to them? Will retailers be barred from selling personal information collected via loyalty card programs? What about the attorney general's preliminary rules? Will the governor sign any amendments that come out of this session prior to the Oct. 13 deadline? And will there be other "Sacramento shenanigans"?
The legislative timeline is tight. Aug. 30 will be the last day for fiscal committees to meet and report bills, and, according to Ross, all committees must meet prior to Sept. 3, and any amendments on the floor must come before Sept. 6. The last day of the session is Sept. 13, so it will be a notable day for those tracking the CCPA. Gov. Gavin Newsom then has one month to sign any amendments into law.
Also CCPA-related, we featured an interesting angle this week from Annie Bai and Peter McLaughlin. "There is a simple and innocuous-sounding CCPA requirement stating that requests for access and deletion must be 'verified,'" they write. "However, the law does not clarify what qualifies as verified."
Bai and McLaughlin argue that this provision will create significant business risk, citing a recent study on using data subject access requests under the EU General Data Protection Regulation to fraudulently access other users' personal information. Surely, many companies have not yet implemented robust DSAR-verification programs, opening them and their customers up to identity theft and unauthorized access. "In the name of empowering consumers," Bai and McLaughlin point out, "the [CCPA] is actually introducing threat vectors that can be manipulated by fraudsters. This presents a considerable risk to organizations by enabling a data breach while ostensibly trying to comply with the law and support a customer's data access request." This means businesses "need to be vigilant as they set up their consumer-response processes," Bai and McLaughlin suggest.
The IAPP-EY Annual Privacy Governance Report 2017 found that DSARs were among the top-three most difficult GDPR obligations for those surveyed. Verification adds one more layer of complexity. The IAPP has published several articles on operationalizing DSAR responses, like this one for the GDPR and this one from the IAPP's Rita Heimes. Privacy tech vendors are also developing various DSAR-response technologies, some of which can be found in the new Privacy Tech Vendor Report 2019. All in all, there's lots to consider.
As we near the unofficial end to summer, hopefully you can enjoy some downtime — maybe even head to the lake or the beach — because we're in for a busy fall!