Is the California Consumer Privacy Act Really Going to Make a Difference?

The March meeting of the Los Angeles chapter of the Information Systems Audit and Control Association (ISACA) dove into the topic of the California Consumer Privacy Act (CCPA). Without going into detail, this legislation is the GDPR of California. Organizations that handle over 50,000 consumer records and do business in California need to be able to (among other things):

  • Provide individual consumer data in a portable format to any consumer that requests it.
  • Delete all data for any consumer that requests it.
  • Other stuff.

Regardless of the exact details of the CCPA, what I found myself wondering throughout the 90-minute, thoroughly engaging panel discussion was this: Is the CCPA protecting us from something we really don’t care about being protected from? Much like the TSA, is the CCPA (and similar privacy laws like those of New York, Pennsylvania, Massachusetts, the GDPR, etc.) creating a raft of processes and heaping on overhead that, ultimately, does little to make people's lives better or safer but, instead, levies often burdensome costs on businesses?

In the long term, could legislation like this also serve to reduce earnings per share and shrink business investment in people and infrastructure, both of which ultimately lead to reduced GDP?

While I’m not sold one way or the other yet, we can approach the issue in a number of ways to at least get our arms around it.

If We Value Our Personal Information So Greatly, Why Are We So Free to Share It?

We all typically (but to different degrees) feel like our most personal information should be just that: personal and private. If it’s going to be shared with anyone else, we want to be the gatekeepers of that sharing and give our OK explicitly for doing so.

Yet today, because we frequently opt in to a myriad of “free” social media platforms that treat our personal data as the currency paid for their services (and because the deluge of high-profile breaches tends to numb us to any given breach’s possible negative effects), we freely and willingly — and nearly daily — acquiesce in the delivery of our personal data to organizations that may or may not handle it with the level of security and propriety we would want.

Privacy laws like the CCPA attempt to dictate how companies will handle our data, hopefully in ways we would agree to, and ostensibly to protect us. But consumers have shown themselves to have extremely short-term memories. Despite the severity of a breach, months or weeks or days later, we run back to give away our personal data in return for the perceived benefits of the app du jour.

In the end, I believe the fines aren’t enough to dissuade firms from using our data in ways we don’t agree to. After all, compliance with any regulation, law, standard, etc., is a business decision: if the cost of complying is less than the benefit of doing non-compliant business, non-compliance will usually win. So, we either need to ramp the fines up dramatically or make handling consumer data well a profit driver — or just stop caring and adjust our expectations for data privacy in the 21st century.

Are We Actually Preventing Bad Things From Happening?

Regardless of our nearly endemic willingness as a society to give our data away in return for services — and my calling the very value of data protection into question at the top of this post — there are very real negative effects of data being misused.

On the smaller end would be using an individual’s data to steal from them — for example, emptying their bank account. Then we get into things like insurance fraud, such as submitting falsified claims to Medicare to get paid for services that never happened, or corporate espionage, such as stealing trade secrets. Finally, we have societal-level negative impacts, such as one government using data to interfere in the political processes of another, or a government using data to oppress its own citizens.

No one wants any of these things to happen, just like no one wants a security incident on a commercial airplane. The issue isn’t whether these things are bad and should be prevented if possible. The issue is whether the measures we’re using (CCPA, GDPR, etc., on the one hand, TSA on the other) actually do anything substantive to address the problems or not.

Let’s Make a Business Decision

There’s no clear answer to these issues, but I think the best thing everyone involved can do — from individuals, to corporations, to state and local governments, to the federal government — is to make a business decision about privacy and how best to protect it. What are the costs of continuing to do what we’re doing now? What are the benefits? What are our options for doing something different? What are the costs and benefits of doing those things? Are any of them worth it?

Will it be easy to make these decisions? No. But at least attempting to do so will lead all of us to make more informed, eyes-wide-open decisions about privacy — which will ultimately lead to better outcomes across the board.

A version of this post originally appeared in CMSWire.

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.