Happy New Year’s Day! Or, Happy #CCPA Day – today being the first day the California Consumer Privacy Act comes into force. On the first day of its implementation, I figured I would share a few thoughts prompted by my experiences in trying to become familiar with the CCPA and the world of data privacy regulation more broadly.
The first concerns the widening delta between traditional legal advice and technology-enabled compliance. Most legal commentary I reviewed fell into the “traditional” camp – “the sky is falling, pitfalls abound, you need a fireproof policy and procedures, call us if you want more specific advice.” Like I said, traditional. And helpful, but just barely. Because I didn’t really need legal advice on constructing a policy and procedures; the Act is very prescriptive as to what the consumer-facing policies must contain. What I needed was help with tools to enable consumers to exercise the rights the Act grants them. And that is where traditional legal advice came up short. In contrast, several IT-based companies had comprehensive solutions to enable (and, to hear them tell it, guarantee) compliance. The one I ultimately adopted for my clients walked me through a live demonstration of an opt-out button and provided the required code for insertion on my clients’ websites – at a very low cost. For SMEs that lack in-house IT resources, services like these are a godsend. And they further illustrate the gulf between what clients need and what legal service providers deliver. As technology becomes even more pervasive, clients will increasingly look to such services to address their compliance needs rather than traditional law firms.
The second thought concerns the CCPA’s raison d’etre – the explosion of personal data and its commercial exploitation. It is fascinating (and scary) just how much insight companies can glean from just a bit of personal data. Take, for instance, your music listening habits. A recent visit to spotify.me pegged me – correctly – as a cooking enthusiast: “Based on the playlists in your library, we’re guessing you like to soundtrack your soufflés. (And BBQs.)” You’re left shaking your head in amazement. I watched the Minority Report movie in 2002 and found its dystopian predictions of a future full of aggressive, personalized ads far-fetched. And yet, much of that prediction has come true, only much faster than initially thought. After all, Minority Report is set in the year 2054. As Kara Swisher eloquently puts it: “[U]sers have become the online equivalent of cheap dates to these giant tech companies. We trade the lucrative digital essence of ourselves for much less in the form of free maps or nifty games or compelling communications apps.” How all of this ultimately will play out on the regulatory front is yet to be determined. But it will be important, I think, for every C-suite executive or corporate lawyer to stay abreast of developments in data privacy regulation. For that reason, I intend to get a CIPP certification as soon as possible.
The third thought concerns the implications for #blockchain technology. At first blush, notions of data privacy and blockchain technology might seem to be incompatible. But I don’t think that’s necessarily the case. And, in fact, because blockchain technology can be used to give consumers more control over their personal data (including the ability to monetize), you would think that data privacy regulations would accommodate blockchain. Initially, with CCPA, that appeared not to be the case; the Act passed without any such concession. Fortunately, the amendments the California legislature passed in September included a carve-out from the definition of “personal information” subject to the Act for “deidentified data.” The carve-out is subject to pretty stringent standards – it requires that the information not reasonably identify or be capable of being associated with a particular customer; that the business implement processes that prohibit re-identification; that the business implement processes to safeguard against even inadvertent release of the deidentified data; and that the business must not make any attempt to re-identify the data. That’s a lot of caveats. But the fact that the carve-out for deidentified data exists at all is huge. Precisely how huge remains to be seen; I have read a number of articles contending that anonymized or pseudonymized data on a blockchain is not compatible with the CCPA. That said, virtually all of these articles predate the deidentified data amendment from September. In light of the amendments, I think the better view is that there is not an automatic safe harbor, but that data on a blockchain can be compliant with the CCPA if the appropriate prophylactic measures are adopted and verifiably enforced. I am certain that there will be a lot of activity in this particular area, and I look forward to following future developments closely.
Happy New Year!! As Yasiin Bey (Mos Def) says, “we are alive in amazing times.”