
Digital Guardian's Blog

Intangibles of CCPA 2.0 Loom Over RSA Privacy Talks

by Chris Brook on Thursday February 27, 2020


The California Consumer Privacy Act is nebulous as it is. Potential changes to the state's privacy laws, slated for later this year, could cloud things further.

SAN FRANCISCO - Despite going into effect two months ago, much of the conversation revolving around the California Consumer Privacy Act here at RSA Conference 2020 continues to be steered by uncertainty.

While much of the trepidation stems from the fact that enforcement hasn’t set in yet – it’s slated to begin in July, later this year – a chunk of it connects back to the fact that a new, refined version of the legislation could find its way back on the ballot in November.

The next version of CCPA, called CCPA 2.0 in some circles, is technically CPRA, or the California Privacy Rights Act of 2020. Momentum has been building around the ballot initiative, post-CCPA, since it was released by a group dubbed the Californians for Consumer Privacy last November.

In a session here on Tuesday, “It's All about the States: Navigating the Privacy Thicket,” Behnam Dayanim, a partner at Paul Hastings LLP, suggested that since it’s an election year, turnout at the polls could be higher, something that could lead to the initiative getting passed. There’s also a good chance that someone launches a competing version of the legislation that’s less draconian but still largely privacy-focused that could steal its thunder, Dayanim said.

“California never rests,” Dayanim said at the session, adding that Alastair Mactaggart, the driving force behind CCPA, has been vocal about how the CCPA has been watered down and that it wouldn’t be a surprise to see the initiative on the November 2020 ballot, provided it receives the appropriate number of signatures.

Much of the session, one of the first following the day’s keynotes, served as a mini crash course on CCPA and the resulting legislation that’s been launched in its wake. Dayanim discussed Nevada’s narrower “Act relating to Internet privacy,” New Jersey’s SB 269, which lacks what he called a description for what a legal basis for data processing is, the New York Privacy Act – which could compel businesses to act as a "data fiduciary" – and the Washington Privacy Act – legislation he believes is the farthest along and closest to becoming law.

Legislation has been enacted in at least 15 states post-CCPA, not to mention efforts taken on the federal level, including a bipartisan bill circulated by the House Energy & Commerce staff in December and the Consumer Online Privacy Rights Act introduced in the Senate in November.

The confusion around CCPA came as a result of its quick passage.

“CCPA was an earthquake of data privacy legislation in a matter of weeks,” Dayanim said, highlighting just how frantic things were when it came down to the wire.

Several questions, like what exactly defines a sale, how to treat non-Californians, and how to treat publicly available information – like information from federal, state, or local government records – remain.

Despite the lack of clarity around the law, Dayanim said it should still be the guiding light for companies when it comes to handling personal data. It doesn’t seem like we’re going to see a federal data privacy law any time soon. Instead, companies should take a risk-based approach to advertising and other forms of “sale” and decide whether they want to extend CCPA rights.

That starts with knowing your data – taking stock of what personal data you collect and why, mapping that data, knowing your third parties and what data they may access, and being aware of any compliance measures that may be in place and how contemporaries may be interpreting them, Dayanim said.

Tags: Data Privacy

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.