Following the CCPA amendments, here is a practical guide to understanding the business advantages of de-identified data and leveraging privacy risk advantages for data-driven organizations.
“Separate your ‘front end’ and ‘back end’ into two separate streams of CCPA compliance work”
“Taking data lakes and warehouses out of scope for CCPA”
“Approach CCPA as a competitive advantage rather than a compliance overhead for your back end compliance requirements.”
This blog will summarise the amendments and clarifications relating to ‘de-identified data’ and then focus on the business advantages of implementing more automated ‘state-of-the-art’ tools as part of the CCPA organisational and technical controls required to meet the CCPA legal specifications of de-identified data.
The verdict is in: Only five CCPA amendments made it through the California legislature. These amendments are limited in scope. They make only incremental changes to the CCPA – and, in some cases, expand the private right of action for consumers. They do not fundamentally change the fact that the CCPA will impose substantial new compliance obligations on companies. As expected, a largely intact CCPA will come into effect on January 1, 2020.
Organizations that will be affected by CCPA can no longer justify delaying, or adopting a wait-and-see policy toward potential further amendments. It was tempting for enterprises to use potential further clarifications as an excuse to put off real work toward becoming CCPA compliant. But time’s up. They need to initiate CCPA compliance programs, and start implementing the necessary organisational and technical controls, today.
With this being the case, organizations understandably see CCPA as a business-restrictive compliance overhead that brings additional costs and prevents them from doing business in the way they’re used to.
But here’s the good news: Viewed the right way, CCPA can be not only a compliance overhead, but also a competitive advantage.
How can enterprises turn CCPA amendments into an advantage?
All sensible companies should be ensuring they can meet the new CCPA obligations, particularly obligations that may require more significant lead time. They should be implementing the organisational and technical controls required to meet the finer points of compliance: Right to know, right to erasure, right to be forgotten, and so on.
But they should also be seeking to gain the advantages that CCPA will bring.
Let’s break this down. The key here is back-end uses of consumer information. CCPA places restrictions on how and why a company can use consumer data beyond the primary purpose for which it was originally collected. Most modern organisations are heavily data-driven, and they leverage data science and data analytics tools and environments. If they aren’t careful, they will find that their data science and data analytics projects are heavily impacted by CCPA.
However, if they approach CCPA compliance correctly, organizations can continue to reap the benefits of their data science and data analytics projects in which they have already invested heavily. They can do this by properly de-identifying their data so it falls out of scope for CCPA. Now, CCPA compliance becomes a business advantage, not a compliance overhead.
Remember CCPA’s Disclosure Requirements: At or before the point of collection, businesses must inform consumers of the categories and specific pieces of personal information they are collecting; the sources from which that information is collected; the purpose of collecting or selling such personal information; the categories of personal information sold; and the categories of third parties with whom the personal information is shared.
In light of the recent CCPA amendments, here are three areas where organisations can comply with the CCPA Disclosure Requirements, and thus gain an advantage, by ensuring that the data in their data science and data analytics environments is de-identified:
- Definitions of “personal information” and “publicly available information.”
- Exemption for business customers and clarification on de-identified information.
- Data breach notification requirements and scope.
Definitions of “personal information” and “publicly available information” – AB874
AB874 includes several helpful clarifications with respect to the scope of “personal information” regulated under CCPA. Previously, “personal information” was defined as including all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household. Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available. Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
Exemption for business customers and clarification on de-identified information – AB1335
AB1335 clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted. It also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act, and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
Data breach notification requirements – AB1130
AB1130 clarifies the definition of “personal information” under California’s data breach notification law as including biometric data (such as “a fingerprint, retina, or iris image”), tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document.
Additionally, there is a significant gem hidden in the detail, clarifying CCPA Section 1798.150: Class-action lawsuits may not be brought for data breaches when “data breach personal information” is either encrypted or redacted (not both); and de-identified and aggregate information are exempt from the statute.
Making the CCPA amendments work for you
These amendments clarify a broader truth about CCPA: It is imperative that organizations establish controls to prove that personal information can be transformed to meet the CCPA legal specifications for de-identified data. This is the only way that the business advantages that accrue from data science and data analytics can continue to accrue.
Under the CCPA, information is only de-identified if it “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” In addition, the business using the data must adopt technical and procedural safeguards to prevent its re-identification, have business processes to prohibit re-identification, and must not make any attempt to re-identify the data. Businesses may today view information as “de-identified” even when information relates to a specific-but-unidentified individual.
The clock is ticking. All businesses that want to continue to maximize their data science and data analytics need to start moving toward meeting this de-identification standard. Here are some immediate questions that every organization should be asking themselves.
- Do you know what information your company holds on its consumers in your data lakes and data warehouses?
- Do you understand each and every purpose for which you are holding and processing consumer data?
- Are you profiling or aggregating consumer data in your data science and analytics projects for an additional purpose beyond what the data was first collected for?
- Are you combining or linking consumer data with other available information that increases the risks of identification of the consumer?
- Do you have a need to re-identify consumer data that was de-identified or aggregated?
- Are you sharing or selling your customer data?
- Are your data protection, encryption and redaction methods sufficient to prevent the risks of re-identification, and to meet the CCPA legal specification of de-identified data?
Practical state-of-the-art automated approaches for the back-end of CCPA Compliance
Data discovery and classification projects can do a lot for front-end CCPA compliance. But newer, state-of-the-art, automated solutions are the best answer to CCPA back-end compliance. These approaches leverage ML techniques that can effectively perform automated and instant metadata classification on your structured data; help you instantly understand aspects of the data relating to CCPA compliance requirements; and identify the risks of re-identification in your data science and data analytics environments.
These automated and instant metadata processes, combined with a systems-based understanding and knowledge of the risk of re-identification, enable you to transform your data to meet the legal specifications of ‘de-identified’ information. This happens by applying modern and integrated privacy protection actions such as generalisations, hierarchies, redactions, and differential privacy to ensure that the data remains de-identified but still retains the data utility and analytical value for your data science and data analytics projects.
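The redaction and generalisation-hierarchy steps described above can be sketched as follows; this is an added example, not code from the original post or from any product it describes. It assumes re-identification risk is measured as the size of the smallest group of records sharing the same quasi-identifier values (a k-anonymity style measure the post does not name), uses constructed records and field names, and does not cover differential privacy.

```python
from collections import Counter

# Constructed sample records; field names and values are illustrative only.
ROWS = [
    {"name": "A. Lee",   "zip": "94107", "age": 34, "spend": 120},
    {"name": "B. Cruz",  "zip": "94109", "age": 36, "spend": 80},
    {"name": "C. Patel", "zip": "94110", "age": 31, "spend": 200},
    {"name": "D. Kim",   "zip": "94133", "age": 38, "spend": 60},
    {"name": "E. Roy",   "zip": "94501", "age": 52, "spend": 95},
    {"name": "F. Diaz",  "zip": "94502", "age": 57, "spend": 150},
]
DIRECT_IDS = ("name",)       # assumption: removed outright (redaction)
QUASI_IDS = ("zip", "age")   # assumption: generalised via the hierarchy

def generalise(row, level):
    """Hierarchy: level 0 keeps exact values; each further level masks one
    more ZIP digit and doubles the age band (5, 10, 20, ... years)."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDS}
    if level:
        keep = max(5 - level, 0)
        out["zip"] = row["zip"][:keep] + "*" * (5 - keep)
        width = 5 * 2 ** (level - 1)
        low = row["age"] // width * width
        out["age"] = f"{low}-{low + width - 1}"
    return out

def smallest_class(rows):
    """Size of the smallest group sharing the same quasi-identifier values;
    1 means at least one record is unique and therefore linkable."""
    groups = Counter(tuple(r[q] for q in QUASI_IDS) for r in rows)
    return min(groups.values())

def deidentify(rows, k, max_level=5):
    """Return (level, rows) for the lowest hierarchy level where every
    record hides in a group of at least k, keeping as much detail as possible."""
    for level in range(max_level + 1):
        candidate = [generalise(r, level) for r in rows]
        if smallest_class(candidate) >= k:
            return level, candidate
    raise ValueError("k not reachable; suppress outlier records or lower k")

if __name__ == "__main__":
    level, safe = deidentify(ROWS, k=2)
    print(level, safe[0])
```

The non-identifying `spend` column passes through unchanged, which is the utility the analytics environment keeps; raising `k` forces coarser levels and shows the privacy and utility trade-off directly.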