How citizen ownership of data impacts business going forward

Is California's Consumer Privacy Act of 2018 (CCPA) poised to become the new standard in the United States?

What a wild last few weeks it has been for the state of California. The California Consumer Privacy Act of 2018 (CCPA) is California’s response to the privacy standard set by the GDPR. It should have been expected from the state that is home to the major players in tech.

California has essentially defied expectations, including my own, and made their position on data ownership clear. Citizens own their own data. For Europe this was implied by past policy and innovations coming out of the region, but for the US this was unheard of. Senator Richard Blumenthal had stated during the Cambridge Analytica hearing that “Americans deserve no less privacy than Europeans…”

The CCPA makes clear who the bill is intended for: data aggregators, processors, and sellers. According to section 1798.140(1), companies that must comply with the bill meet one or more of the following requirements:

  • Generate $25 million in gross annual revenue or more
  • Handle data of more than 50,000 people or devices
  • 50% or more of revenue comes from selling personal information

These facts are important as the legislation clearly targets very specific economic actors and not the whole of California’s economy. Most small and medium sized businesses will not be impacted. In fact, some major industries will be largely unaffected by the bill; the tech industry is the clear exception.

As I discussed in "How GDPR impacts US cybersecurity policy", I believe the CCPA's privacy standard is going to become the new standard in the United States. While the CCPA does not mention privacy-by-design as I did in that article, it will be the underlying requirement for compliance with the CCPA. Businesses can expect more elements of the GDPR to slowly make their way into state policy. California’s legislation is just the start.

The response and impacts

The question of data ownership has been answered and the general public seems to agree with it. So how has the business community responded to the new regulation? Well it has been mixed for the most part.

Some groups have been praising the regulation, while many tech giants have expressed their opinions by lobbying with the aim of weakening the legislation. This is mainly because the regulation is going to have a tremendous impact on current business models for firms that rely on data as a source of revenue. Others are already considering California as an inspiration for the “privacy movement”, which has implications for every business across the country. So, what impacts does citizen ownership of data have on modern business? Assuming that data ownership would be applied with a broad stroke similar to the GDPR, how would this impact US companies?

Impact 1: marketing and sales

Marketing and Sales are among the most highlighted functional areas of business affected by clarification of data ownership. Modern marketing practices rely on personal data and metadata to create very precise and targeted campaigns.

The supply chains to carry out effective inbound marketing campaigns rely on a number of third parties. Additionally, some businesses, such as Facebook, and smaller businesses sell user data as a core part of their business model. The sales team, who often works with the same data, is now limited in categorization and communications. Depending on the organization, this may completely dismantle inside sales teams. When the last few decades of business have been built up on ambiguity, clarification equates to severe disruption.

Companies will need to determine what personal data, if any, is critical to carry out the mission of the organization. In most cases for marketing, personal data does not have to be used to develop strong consumer profiles. Old habits die hard though and it’s very likely that most companies will still prefer to use customer personal data and can request explicit consent to do so. However, that consent can be revoked at any time. This uncertainty can be a problem for organizations who are not prepared to process requests from citizens regarding the use of their data.

Impact 2: product development

For companies whose core products depend on personal data there will no doubt be disruption to their ability to continue on. These companies may feel much more threatened by the CCPA and GDPR. Companies who manage personal data from customers may find they will be impacted as well.

For a preview of how large tech companies such as Facebook, Twitter, and LinkedIn will manage their product it may be best to look at how they responded to the GDPR when it went into effect. Facebook was prepared to create a two-tiered level of service, where they created a specific tier of service that was in compliance with GDPR for their European audience.

Facebook and similar tech behemoths can make sweeping product changes quickly because they have a wealth of capital to do so. Startups, who meet the two requirements regarding data volume and revenue source, may or may not find themselves at risk. Those startups with angel or venture capital support will likely have enough capital to make changes and develop their product to be in compliance while still providing value.

The initial stages of product development may not be impacted that much. However, once a product begins to require personal data to deliver on its value then a problem begins to emerge. The CCPA in its current form clearly disrupts any business model that makes its revenues from aggregating, processing, or exchanging data. Products and services based on using personal information are under threat as the value of their product becomes questionable when personal data can be withdrawn at will by a citizen.

Impact 3: IT and cybersecurity

The changes contemplated in this legislation will substantially impact the IT and cyber security efforts of organizations who are required to comply with it.

The potential financial and reputational exposure is substantially higher for breaches and other cybersecurity incidents. This means that business leaders will need to put more emphasis on their cybersecurity initiatives throughout their organization or accept facing steep penalties for data exposure in the event of a breach. IT will need to adapt to carry out data requests from citizens in a timely manner.

Impact 4: finance and risk assessment

In the past, the ambiguity of data ownership has allowed many businesses to operate free of regulatory risk. As a result, business models that worked strictly with data were able to pitch their ideas and acquire funding in Silicon Valley with ease.

In some cases, businesses were financed by investors without a functional revenue model. The unrestrained possibilities of working with data alone was enough to secure the confidence of Silicon Valley investors. This will likely come to an end; more assurances will likely be required to win the confidence of an investor for future rounds. This would mean founders may need to prove they understand regulatory risks, strong cyber security considerations/practices, and a rights management plan.

If you are already on your way to, or fully compliant with, GDPR, your organization is well prepared for this and any future data privacy legislation the US will potentially impose on organizations. One thing is for sure: this topic is a high priority and will remain so in boardrooms across the US as organizations scramble to understand, prioritize and implement privacy and data security practices that meet the requirements of the ever-changing compliance landscape.

Copyright © 2018 IDG Communications, Inc.