Q&A: Data privacy expert untangles the regulatory web

Posted Oct 27, 2020 by Tim Sandle
This year, U.S. businesses began facing several confusing new regulations regarding consumer data privacy rights, and tech companies may be more at risk than they realize. Data privacy expert Zak Rubinstein outlines the main concerns.
Data is the new oil.
Chiffre01 (CC BY-SA 4.0)
One example of the legislation bombarding businesses is the California Consumer Privacy Act (CCPA), which has been enforceable since July 1, 2020. Following this, the same group responsible for the CCPA has now landed the California Privacy Rights Act (CPRA) on the November ballot.
Zak Rubinstein looks at the various regulations and also considers how the newly proposed law differs from CCPA, as well as how businesses can prepare. Zak Rubinstein is CEO and co-founder of
Digital Journal: Where has the seemingly sudden rush of consumer privacy legislation come from?
Zak Rubinstein: The rush of consumer privacy legislation can be attributed to two main drivers:
● GDPR “Adequacy”: The EU’s General Data Protection Regulation (GDPR) restricts the transfer of EU citizen data to locations that do not meet the criteria for data protection. The simplest way to achieve this designation is to have a data protection law that provides equivalent protections to the GDPR.
● Consumer Pressure: The run of recent data breaches has made data privacy a competitive advantage and consumer demand. For instance, in tracking COVID-19 spread, using an app on mobile phones may indicate where local hotspots emerge.
DJ: What are the risks and benefits of a digital data economy?
Rubinstein: Here are some advantages of the digital economy:
It creates significant data that can give new insights. The mass production of data can help inform governments and charities about what is happening in the economy. For example, in tracking of COVID-19 spread, the use of an app on mobile phones may indicate where local hotspots emerge.
The digital economy has enabled consumers to have greater information and choice. For example, it makes it easier to compare prices between firms. It also brings information to a person’s fingertips. It has reduced time and costs. Firms can save on renting expensive buildings by running most of their business through the internet. A digital economy enables firms to cut out an aspect of the retail chain and send personalized goods direct from the factory or warehouse to people’s homes, rather than through shops. This enables lower costs and lower prices.
A digital economy allows greater personalization than would be possible under a traditional economy. Despite the potential for new start-ups, however, many aspects of the digital economy have become dominated by firms with monopoly power.
Harvesting and using data has become big business. Companies are struggling to manage vast amounts of data they store while staying in compliance with growing regulatory scrutiny. The economy has always faced disruption from new technology. However, the digital economy is increasing the pace of change, causing many traditional firms (high street retailers) to go out of business. The rise of AI may threaten jobs in a whole new range of service sector industries.
DJ: The California Consumer Privacy Act (CCPA) has been enforceable since July 1st. Has anything changed?
Rubinstein: Compliance with any data privacy law is always a slow process. In many cases, organizations wait to fully implement compliance until enforcement actions “clarify” the law and demonstrate that non-compliance carries penalties.
Additionally, the COVID-19 pandemic has complicated compliance. Under the regulation, companies can take a 45-day extension on responding to subject rights requests if “necessary”, and COVID-related delays could qualify.
This means that, while organizations must initially respond to a request within 10 days, notify the requester of the extension, etc., any requests made on July 1, 2020 would not need to be fulfilled until September 29, 2020. If this did not occur, a complaint would have to be made to the California Attorney General’s office and processed there, meaning that any enforcement action would likely just now be beginning.
DJ: How many companies have been penalized under the CCPA?
Rubinstein: In July 2020, the California Attorney General (AG) sent enforcement letters to a number of California businesses found to be non-compliant with the regulation. Under the law, they have 30 days to correct the issue before the AG can take enforcement actions against them.
To date, there is no indication that the Attorney General has taken action to follow up regarding these letters. However, several companies are facing class-action lawsuits due to their non-compliance with the CCPA.
DJ: The California Privacy Rights Act (CPRA) looks set to appear on the November ballot. How does this differ from CCPA, and how can businesses prepare for its passing?
Rubinstein: The CPRA is designed to expand the rights of individuals under the CCPA. New rights include:
● Right of correction
● Right to restrict use of data
● Right to restrict data storage to what is necessary
● Right to restrict data collection to what is necessary
● Right to restrict use of precise geolocation
● Right to transparency regarding automated decision-making
The CPRA also imposes business obligations, such as keeping records of data processing and performing a data protection impact analysis before performing new collection or processing activities. Additionally, organizations will be required to restrict transfer of personal data to third-party organizations and ensure that partners comply with the law with respect to data collected by the organization.
The most important step in preparing for CPRA is gaining visibility into where and how protected data is used within the organization and transferred outside of it. This provides a starting place to identify where additional consent may be required and to facilitate any required modification or deletion of data.
DJ: Several states, including Massachusetts, New York, Hawaii, Maryland, and North Dakota, have passed their own privacy laws in the wake of CCPA. How do these laws differ from each other, if at all?
Rubinstein: State-level privacy laws that have been passed or are currently moving through the legislature can differ in a variety of ways. Some of the most common differences include:
● Definition of Protected Data: Privacy laws commonly define types and categories of data covered by the law. However, the details of these lists can vary from one regulation to another.
● Rights Granted to Constituents: The right to access collected data is a common right under the new privacy laws. However, while most grant citizens the right to deletion (a.k.a. the “right to be forgotten”), the right to correct inaccuracies is not commonly included.
DJ: How can organizations comply with all of these different measures?
Rubinstein: A number of different data privacy regulations exist, and each of them has its own unique requirements. However, the core of these business responsibilities boils down to a single requirement: businesses need to have visibility into and control over the consumer data in their care.
Achieving this visibility and control is the first and hardest step toward compliance. To learn more about how to start this process, check out our ebook on accelerating CCPA compliance.