Since GDPR was implemented on May 25th, 2018, one big question has been lurking in the U.S.: When will the U.S. Federal Government follow suit?
With the spate of breaches over the past year, coupled with the implementation of GDPR and the passage of the California Consumer Privacy Act (CCPA), it is clear that momentum is building towards a federal data protection law sooner rather than later. Unfortunately, as we advance toward the much-needed and inevitable federal law, we are seeing the dark influences of big tech and deep pockets begin to creep forward. Tech giants like Facebook, Amazon, and Microsoft are already applying pressure to overturn CCPA and put in place a federal law with more leniency around how personal data is handled, at the expense of individuals.
While it is impossible to keep big companies and lobbyists away from bills that will impact them, there are a few absolutely critical elements any data protection law needs in order for it to have any impact:
1. Data protection requirements must be mandatory. There can’t be voluntary guidelines that companies can choose to follow. Rather, there must be minimum best security practices put in place for any company that is collecting or storing personal information.
2. Companies need to be able to justify why they are collecting data. We are currently operating in a world where companies collect all the information they can and then figure out how to use it later. Collecting more data than needed puts unnecessary risk on consumers. Identity data is not needed to understand consumer behavior or track product trends, so if companies are collecting identity data, they should explain why.
3. Meaningful penalties must be associated with PII data breaches. When a company like Equifax or T-Mobile has its consumers’ PII breached the real victims are the consumers, not the company. Consumers face unwanted exposure to identity theft, fraud and embarrassing information being revealed. This can lead to tens of thousands of dollars in costs for individuals, hours of lost time, and social consequences. People should not suffer consequences for corporate misbehavior, while corporations get a pass.
4. People have rights. Individuals always deserve the right to know what information is being collected, why it’s being collected, how it’s being used, and who has access. And, individuals also need the right to have their information deleted without penalty.
5. If we’re not sure, err on the side of caution. Companies have been collecting data functionally without regulation for years and they have been able to prioritize profits over data protection. This can’t happen anymore.
Looking at this list, any company putting profit first will start thinking about the cost and resources involved in implementing a policy that addresses each of these five points, and will begin to think about ways to narrow the scope of any such law.
But, in doing so, we would be going down the same concerning series of justifications that got us to this point. If we were to treat PII more securely, it would have a short-term impact on a company’s bottom line as resources are invested in complying with the new practices. But, once the initial investment is made, organizations would have re-architected the way they handle data in a way that lets them both operate successfully and earn customer loyalty.
The one exception to the ‘profitable today and tomorrow’ projection is companies that currently use data in ways customers aren’t aware of, and wouldn’t be happy about. With a transparent data protection law in place, these companies would have to tell consumers how their data is being used, so consumers can decide whether they are comfortable with it or not. In other words, once a new law is implemented, the market will indicate how comfortable people are with companies collecting their information.
And, in the end, isn’t that what we want?
As the internet becomes increasingly personal, a new class of law protecting PII is absolutely critical. These laws don’t necessarily need to restrict what type of personal data can be collected. Rather, they should require companies to be transparent about what is being collected, how each piece of collected data is used, and who has access to the collected data. And, they should require that PII be treated differently than other types of information, with an elevated level of security built around it. Because let’s face it – PII is the most important type of information.