This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


What the Co-Author of the CCPA Thinks About Leakage

DeAndrea Salvador, August 18, 2021

This is the third and final installment of our series highlighting our lunch and learn with Rick Arney, co-author of the CCPA. The second post focused on the inception of the CPRA, and the first post told the story of its predecessor, the CCPA. This post is forward-looking as we will be sharing what to keep an eye out for as these laws become a reality.

What’s On the Horizon for CCPA Compliance

With a group of employees as enthusiastic about privacy as the DataGrail team, there was no shortage of questions asked by the team after Rick shared the story behind the CCPA and CPRA.

So, what does Rick see keeping companies up at night regarding the CCPA/CPRA? How can companies ensure they can keep their customer’s trust and confidence? Rick was his usual forthcoming self, stating, “I find a lot of companies are worried about the notion of leakage.” As the name suggests, leakage refers to the data that can sometimes slip through the cracks during an inventory of all the data of a company, possibly due to a lack of a formal process or technology to identify where it is and to protect it. And, it’s critical to know that leakage can be tremendously widespread. It’s simply tough to wrap your arms around all of the information a company collects about their customers. Rick pointed this out when he said, “If you talk to any CEOs [and ask them to] list out all the information collected, it’s 100% certain he or she will create a list that’s incomplete.” 

How Leakage Impacts Companies

That’s no exaggeration; here’s an example of how it plays out in reality. Recently, Rick had been advising a bank on their privacy protocols. While the bank had excellent data protection processes in place, they were surprised to learn about the existence and extent of information collected from the security desk at their headquarters. Because physical security—literally signing people into the building—was not directly related to their line of business, it was something that had not been considered in their plans. 

However, the information collected from clients and visitors entering the building resulted in a massive amount of collected data and subsequently an unforeseen, inherent risk. “One of their clients came in and logged their name and their address, their phone number, and even swiped their driver’s license. And that was just missed because it wasn’t really part of the bank’s core infrastructure.” This is an example of leakage in action in the real world, but it doesn’t stop there.

Why You Should Care About Downstream Leakage

Downstream leakage can also emerge when working with providers and subcontractors. He continued his explanation, “[if] you have providers that do online advertising for you, they have providers they’re using and subcontractors. And that’s where there are lots of leakages because of downstream entities.” A bit of advice that Rick shared was to be very vigilant about sharing information with a provider.

He noted, “I encourage all of you as you work with companies to really think as comprehensively as you can about where people are collecting information and where it is going.”

One crucial way to develop this comprehensive view of customer information is by being hyper-diligent in your data mapping efforts.

Your privacy program can only be as good as your understanding of where personal data lives, which is documented in a data inventory. It’s the foundation on which a solid compliance program (and customer trust) is built. If you don’t have proper protocols in place, then as Rick says, “Guess what? You may not be compliant with the CCPA or CPRA.” Whether it’s an app a department is using that you’re not aware of or giving a list of attendees to a caterer, downstream leakage is an area to be concerned with. 

Looking to hear more about data inventory and discovery? Here’s our deep-dive blog post on data mapping to learn about how data mapping can impact your company. 

Without question, we had a lovely time with Rick, and it left our team buzzing with even more ideas to continue creating best-in-class solutions to help our customers build trust and manage privacy. We will be continuing these conversations with industry experts and sharing them on our blog.


Like this series? Don’t miss out on future blog posts like this one. Subscribe to our newsletter and get them directly in your inbox.

Stay informed on the latest data privacy news and privacy regulations and insights with our newsletter.