
It seems like only yesterday that GDPR was introduced, and here we are on the eve of the California Consumer Privacy Act (CCPA). The past couple of months have already shown that many organizations are unprepared for it, and even less prepared for California's Internet of Things (IoT) Security Law, which is also set to go into effect Jan. 1.

So what is likely to happen? This is probably going to be the big question in the data privacy space over the next year, especially given that many are predicting that CCPA will become the basis of laws in other states. There are, however, signposts as to how enterprises might manage the new act and indications of how companies are going to respond. The big signpost is, of course, the response to GDPR itself, and there is already quite a lot of information about that.

Take the McDermott Will & Emery report Keeping Pace in the GDPR Race: A Global View of GDPR Progress, researched by the Ponemon Institute, which surveyed a total of 1,263 organizations. It showed that:

  • Almost half (46%) of respondents said their organizations had experienced an average of about two reportable data breaches since GDPR went into effect.
  • Only one third of respondents reported that their companies have insurance that covers cyber-risk.
  • 37% of surveyed global organizations reported cyberattacks since GDPR went into effect.

While all this appears quite negative and doesn't bode well for the future, there are some positives in the research on the US specifically. It showed that:

  1. More than half of respondents in US organizations apply GDPR data subject rights to both US and European employees. Fifty-seven percent of US respondents say their organizations apply the requirements to both groups because they want to take a global approach, while about half of these respondents (49%) believe it is required by the GDPR.
  2. Forty-six percent of US respondents say compliance with GDPR has helped define the strategy and overall approach to their compliance with the forthcoming CCPA and other US state privacy laws, while 30% of European respondents say this is the case.
  3. Forty-three percent of US respondents and 33% of European respondents say compliance with the CCPA and other US state privacy laws will cause their organizations to re-evaluate their compliance position under GDPR.

If one of the outcomes of the introduction of CCPA is broad compliance with both GDPR and CCPA, that can only be a good thing, as it gives US companies operating in Europe the tools they need to avoid falling afoul of regulators in the EU.


Non-Compliance Is Costly

But it's not all good. San Francisco-based InCountry has also produced new research on the relationship between CCPA and GDPR which, by way of warning to companies on both sides of the Atlantic that might not be taking compliance seriously, points out that companies have already been hit with huge penalties: Equifax will pay at least $575 million, British Airways faces a proposed fine of about $230 million and Uber paid $148 million.

And countries are paying attention. Already 127 countries have some type of personal information regulation. The result is that, across the globe, countries are asserting digital sovereignty by regulating how the internet operates within their respective jurisdictions.

The EU's GDPR, hailed as the most consequential regulatory development in information policy, now serves as the model for other countries that are developing or beefing up data protection laws.

In fact, InCountry discusses the "splinternet" at length, which it says has sparked debate about freedom of speech, the right to privacy, national security and surveillance states. As internet regulations proliferate, another dimension of the splinternet is emerging: the end of international digital trade as we know it. In a Wall Street Journal article at the beginning of November, InCountry CEO Peter Yared described the current state as follows:

"People in compliance, information security and technical operations departments are starting to sweat a little bit right now…It hasn't quite hit business leaders yet that they could face large fines or be ejected out of large markets like India," he added.

Elsewhere, in an InCountry blog post, he added that as regulations enter the enforcement stage, businesses, particularly those dealing with data in multiple jurisdictions, will no doubt face the existential threat of being in compliance or being ejected: companies are struggling to understand local requirements, purchase or rent servers, hire staff and deploy new software to comply with a panoply of emerging (and often fluctuating) laws.

CCPA In The Future

So what is going to happen with the CCPA? It's difficult to see, but San Francisco-based Segment CEO and co-founder Peter Reinhardt says there will be three major trends in the coming year. For context, Segment is a customer data infrastructure company that helps companies such as IBM, Atlassian and Glossier control and manage their customer data to create unique experiences for consumers without compromising their privacy. Its latest figures show a valuation of $1 billion, and it raised a $175 million Series D funding round in April.

1. False Panic

Most companies will do the bare minimum until the government starts enforcing the act. That won't happen for at least six months, and when it does, we'll see a mad dash to become compliant, which will cause more problems as companies rush and make mistakes. This is the pattern we've seen with GDPR.

2. Third-Party Data

Companies won't stop using third-party data until enforcement starts. In Reinhardt's view, CCPA will force companies to stop using third-party data, obtained from data brokers for example. Only when CCPA enforcement actions begin will these companies stop relying on third-party data, at which point they'll have to switch to more inbound approaches that attract people based on adjacent content.

3. Data Collection

Many tech companies will continue to be unapologetic about their collection of data. It will be business as usual for companies that rely on first-party data: they will continue to collect and use as much data as possible to improve their UX.