I confess that the California Secretary of State’s announcement today, which affirmed that the CPRA (or “CCPA 2.0”) will be put to a public vote this coming November and take effect as soon as next year, caught me by surprise.
When debate over its eligibility for inclusion arose, I expected legislators might angle to slow the tide of regulatory advance for California, and, in effect, for businesses across the country.
And I would understand that aim. I’ve seen very clearly the colossal strain that CCPA compliance efforts have placed on teams of all sizes. Ethyca’s technology can certainly alleviate large parts of it, but even key stakeholders among our clients have had to work hard to achieve the organizational buy-in and culture shift required to invest in fully automated privacy.
That’s before considering all the new, unforeseen digital privacy challenges that have been thrown up by the COVID-19 pandemic.
So the news that CPRA will be voted on – and likely approved according to polls – contradicts some of my expectations. However, it reaffirms two key points that I would emphasize to anyone in the business community who is considering whether it’s necessary to invest in privacy. Perhaps they’ll be useful for you to hear too.
First, businesses may be struggling, but so are consumers – and lawmakers want to be seen protecting them. This was a point raised by friend and mentor Danny Weitzner in a recent panel discussion. He said: “In a lot of regulatory contexts, there’s a desire to be deferential to smaller businesses that are struggling, but also, a desire to make sure individuals who are struggling are being protected.” By ushering in a CPRA vote so quickly, I see proof of this point brought to bear. In this new era of mass unemployment, widespread social surveillance, and general unease, measures like CPRA can serve to comfort and reassure the public. In this context, the pandemic may actually accelerate privacy reform rather than suppress it.
Second, a “set it and forget it” approach to building privacy compliance processes will cost businesses in the long run. Adaptive, scalable, technology-focused solutions are the only way to efficiently manage the evolving global privacy landscape. CPRA contains stringent new requirements, redefines the scope of “personal information”, and moves California law closer to a GDPR-like set of requirements. Building systems that could just about manage CCPA compliance leaves businesses in a difficult position now. Are there efficiencies to be realized if you’ve worked to comply with the CCPA? Of course, and even more if you’ve worked to comply with GDPR. But any privacy process that’s been baked in, hard-coded, or designated for manual remuneration is challenging to tweak on the fly. The advantages of automated, agile privacy, to me, have never been clearer.