Data Privacy Changes Coming to California in 2020
On March 22, The Berkeley Center for Law and Technology (BCLT) hosted a forum to discuss data privacy laws around the world and the upcoming California Consumer Privacy Act (CCPA).
What did industry leaders have to say about the biggest privacy challenges and proposed solutions?
Berkeley’s forum gathered corporate counsels from large tech companies including Facebook, Uber, and Salesforce, privacy lawyers, government officials, advocates, and scholars. Also, panelists from the UC Berkeley School of Law shared their latest research — followed by a discussion with leading data privacy experts.
Challenges Companies Face Implementing CCPA Compliance
The primary challenges discussed at the event were how the ways companies collect data will need to change, and how businesses will need to develop new methods for properly managing data subject access requests. A shared concern among leaders at the forum was that they’ve collected data at no cost and that will change in January 2020.
When the CCPA goes into effect, companies must confirm that they weren’t selling data in 2019 — or if they were — they must list all the information that they sold. Beyond that, companies would need to provide a link titled “Do Not Sell My Personal Information” on their homepage and in privacy policies to meet the new law’s requirements.
Another challenge for businesses to overcome is how to handle data subject access requests. The CCPA requires a 12-month look back period, making businesses responsible for providing users with information that dates back a full year. Effective January 2020, businesses need to develop a method to search their records and communicate with users about how their data was processed or used.
Jeff Zubricki, Director of Global Public Policy and Government Affairs at Walmart spoke to the challenge with data access requests: “When a consumer requests that a company provide access to or delete their personal data, it presents a challenge for the company where we have to now figure out how to handle that information and respond to that request promptly.”
Global Diffusion and The Future for Businesses
General counsel and privacy officer panelists discussed the global diffusion of EU Data Protection Law.
Ruby Zefo, Chief Privacy Officer at Uber explained how they strive to make customer experiences sticky and that the CCPA and other states passing privacy regulations could strain customer experiences. For example, as more state laws are passed, company landing pages could become confusing for consumers due to the numerous privacy notices in the form of banners, pop-ups, and cookies that could be required by law.
Other practitioners provided valuable insight into how companies are approaching privacy in 2019 and beyond.
The panel featured:
- Lindsey Finch of Salesforce
- Kristin Madigan of Crowell and Moring
- Heather Sussman of Orrick
- Shane Witnov of Facebook
Witnov addressed Facebook’s challenge of rebuilding trust with its user base, emphasizing that although privacy has always been important, Facebook is now doubling down on it with added accountability. Facebook is bringing in privacy experts and researching the best ways to improve their data privacy practices. Sussman added that for Orrick, privacy has also become a hot topic, stating that the cost of compliance has lost clients in some cases.
The practitioners spoke a great deal about finding solutions for access and deletion requests that would provide an opportunity for their businesses rather than a challenge. Companies are trying to find out how they can take advantage of the age of privacy and implement solutions that improve the experience for their users.
Lindsey Finch of Salesforce put it best, stating “Things that you are building out to handle data subject access and deletion requests now will serve you really well under CCPA and with other state laws coming forward.”
Many companies face uncertainty on how requirements will change when shifting from GDPR to CCPA compliance. Although companies with strong GDPR compliance programs are a step ahead, a lot remains unseen as to how the CCPA will change privacy for businesses in California.
As the regulatory environment changes, companies face new challenges with data privacy compliance. Although CCPA addendums are still being finalized, the fact remains that the law has been passed and will be enforced in 2020. Companies must be prepared for this big change to California data privacy standards.