Implementation of the California Consumer Privacy Act of 2018 (CCPA) is fast approaching, and based on a recent report the news is not great as far as organizations’ progress in complying with the new rules as well as other data privacy regulations.
CCPA is intended to bolster the privacy rights and consumer protection of California residents, and was passed by the California State Legislature and signed into law in June 2018. The law, scheduled to take affect on Jan. 1, 2020, will provide California residents with the right to know what personal data is being collected about them, whether that data is sold or disclosed and to whom, and a number of other rights related to personal data.
The rules apply to any organization that collects consumers' personal data, does business in California, and satisfies at least one of the following criteria: annual gross revenue of more than $25 million; possession of personal information of 50,000 or more consumers, households, or devices; or earnings that equate to more than half of its annual revenue from selling consumers' personal information.
The Internet Society’s Online Trust Alliance (OTA), which identifies and promotes security and privacy best practices, in its Online Trust Audit analyzed 29 variables in 1,200 privacy statements by organizations, within the context of common themes across three global privacy regulations.
These include the General Data Protection Regulation (GDPR) in the European Union that took effect in May 2018; the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada implemented in April 2000; and CCPA.
The report noted that privacy statements are only one part of an organization’s overall privacy stance, but are the first point at which users are informed about privacy policies. If the statement is incomplete or difficult to understand, it opens the organization to regulatory fines and leaves users without a complete understanding of how the organization handles its data.
The privacy statements provide an important look at how organizations of all sizes and in all industries might be preparing for privacy regulations, the report said. CCPA, GDPR, PIPEDA, and many other privacy regulations around the world share common principles that are measured in Online Trust Audit.
Among the principles that map to specific provisions of the audit’s criteria are that users must be able to request information on why their personal information is being collected; must be informed if their personal information will be sold or shared with a third party; must have access to their data and be able to download it in an easily readable format; must be able to request their data be deleted, and must be notified by organizations of their rights in an easily understandable matter.
In the audit, the vast majority of privacy statements (98%) had some language about data sharing, and two thirds included a statement that the company does not sell or share data with third parties. Both of these types of statements are required in many privacy regulations around the world.
Similarly, many privacy regulations require organizations to ensure that third parties they work with are held to the same data sharing standards they hold themselves to. The audit showed that only 57% of organizations said they hold third parties to this standard.
While these regulations state that organizations should also disclose which types of third parties data could be potentially shared with, less than 1% of companies in the audit had language outlining the types of third parties. A similar concept is disclosing if the organization uses social media sites that might also be collecting user data, and 52% of statements informed users that the site used third-party social media services.
Many privacy regulations have added data retention as an important concept, the report said, largely because data that’s stolen or released is often old and the organization did not need to keep it. Overall, few organizations in the audit (2%) had explicit language about data retention. But as laws evolve they will need to take this concept more seriously, because many countries are including this in their privacy laws.
Audit statements should explicitly tell users if the organization is collecting data to track them across devices, and just 47% of statements included such language. While this isn’t called out expressly in many privacy regulations, the report said, it fits the theme that users need to know why data is being collected.
If an organization is collecting user data to track the user across devices, all of the new regulations would require the organization to disclose that fact.
The implementation of CCPA is near at hand, and other new data privacy regulations will follow. Clearly, a lot of organizations have much work to do to ensure compliance.