There is a small and potentially tumultuous revolution building on the horizon of 2020. Ironically, it’s a revolution very few people on the street are even aware of but literally every single corporation around the globe currently sits in finger-biting, hand-wringing anticipation: is it ready to meet the new challenge of the California Consumer Privacy Act, which comes into full effect on January 1, 2020. Interestingly, the CCPA is really nothing more than California trying to both piggy-back AND surpass the GDPR (General Data Protection Regulation) of the European Union, which was passed all the way back in 2016. In each case, these competing/coincident pieces of regulation aim to do something quite noble at first glance for all consumers: to enhance the privacy rights and data protection of all people from all digital threats, shenanigans, and malfeasance. While the EU legislation first of all focuses on the countries that make up the European Union and the California piece formally claims to be about the protection of California residents alone, the de facto reality is far more reaching. No one, literally no one, thinks these pieces can remain geographically contained or limited. Instead, they will either become governing pieces across a far greater transregional area (the EU case) or will become a driving spur for other states to develop their own set of client privacy regulations (the California case). Despite the fact that most people welcome the idea of formal legal repercussions for corporations that do not adequately protect consumer data/information privacy, there are multiple confusions and complexity hidden within this overly simple statement. As we head into 2020, what should be chief for corporations is not trying to just blindly satisfy both GDPR and CCPA. Rather, it should be about how to remedy these confusions first. However, that elimination is not nearly as easy to achieve as some might think.
First off, a not-so-simple question: what is privacy? It is a bit awe-inspiring to consider that there are many ways to define privacy. When considering GDPR and CCPA, it is essential to have precise and explicit definitions so that corporations can at least have a realistic chance to set goals that are manageable and achievable, let alone provide them with security against reckless litigation. Failure to define privacy explicitly carries radically ambiguous legal consequences in the coming CCPA atmosphere, something all corporations should rightly avoid like the plague. Perhaps worse, no matter how much time you spend defining consumer privacy beforehand, trying to create this improved consumer protection digitally becomes almost hopelessly complicated. The high-technology, instant-communication, constant-access, massively-diversified world we live in today makes some argue that ‘digital privacy’ in any real sense is dead and buried without the possibility for resurrection. If this is true, then how quixotic will it be for corporations to try to meet the regulation demands of legislative projects like GDPR and CCPA if they do not first try to establish both clarity and transparency of terms and goals?
This is not a nihilistic argument just trying to have every corporation around the world throw up its hands in despair and give up on improved consumer privacy and data protection. But note the word ‘improved.’ In order for corporations to realistically provide consumer data protection, the irony of ironies may be that the first successful step will be finally embracing transparency in admitting that ‘perfect digital privacy’ will not and cannot exist. Realistic cyber expectations mean admitting that external threats always have an upper hand over internal defenders. Not because they are more talented or more committed or more diligent. But because what it takes to successfully perpetrate a threat is far simpler, quicker, cheaper, and easier than what is necessary to successfully enact a comprehensive defense program that can answer those threats and remain agile, flexible, and adaptive far into the future.
The broken glass analogy helps illustrate this conundrum. I am in charge of protecting 100 windows from being broken. But I must protect them from 1000 people coming toward me with rocks. Ultimately, it is far easier for the 1000 to individually achieve a single success (breaking a window) than it is for me to achieve success in totality (keeping all 100 windows intact). The resolution, therefore, is transparency: there is greater chance of ‘success’ for the chief actors (namely, me as defender and the client as owner of the windows) if I can be liberated from the impossible futility of ‘perfect protection’ and set a more realistic definition of protection as ‘true success.’ As long as there are recovery/restitution processes in place (replacing/repairing a broken window), then ‘success’ should be legitimately defined as a percentage less than 100. This is the same for corporations dealing with clients/consumers in the new world of 2020 CCPA: if the idea is that these pieces of legislations finally make corporations commit to perfect digital privacy and such perfection is the only definition of success against which they can measure themselves, then 2020 will be nothing but a year of frustration and failure.
The funny thing in all of this is that the EU legislation somewhat admits the above. Consider the seven principles of data protection as laid out by GDPR:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
- Accountability.
Nothing in these seven principles would bring about the establishment of perfect digital privacy or sets the expectation that failures in consumer protection must never occur. But they do hint at a darker secret underlying the European concept of client privacy that sits in contradiction to the very essence of American economics.
When people call CCPA the ‘almost GDPR,’ it is hinting at how the spirit of the two legislations are somewhat diametrically opposed to one another. The EU crafted GDPR under strong social democratic norms that encompass many of the core member governments. As such, it is most decidedly not legislation engineered to first protect the sacred right to free market business enterprise and a fundamental belief in the market to solve its own problems. Rather, GDPR has within it, implicitly, a questioning skepticism about the core priorities of major corporations and the belief that governance is the only way to make free-market economics work fairly. As such, GDPR is not just about protecting consumer data and information privacy from hackers, outside agents, and foreign actors: it is alsoabout protecting consumers from “untrustworthy corporations” themselves. This is something that should not infuse the CCPA (whether it does or not is yet to be determined and 2020 will therefore prove to be a very interesting judgment year). Because while California is staunchly to the left on the American political spectrum, it still operates as a constituent member of the US, the most fiercely protective country of its capitalist roots and belief in the sanctity of the free-market system. As such, government regulation in the EU that works for consumer privacy protection will not be looking at corporations as a willing or even necessarily helpful partner in a joint initiative. American government regulation should and must. As time progresses, if CCPA proves itself to be too close to GDPR, to European as opposed to American market norms, expect to see other states in the US create competing legislation. And even if those competing pieces aim to create a more ‘American’ conceptualization of consumer digital privacy as opposed to ‘European,’ what it means in real terms for corporations is yet more competing standards to try to synergize and make sense of. Thus, executive leaders in charge of information security in 2020 are going to need to have critical reasoning and analytical research skills far more than they ever have in the past.
In the end, protecting consumer privacy and providing client data protection is an essential, proper, and critical element for doing business in 2020. Legislation like GDPR and CCPA are meant to help provide an acknowledged framework for all actors to understand the expectations and consequences of the success/failure of that mission. Having such protocols is a good thing. But when protocols do not recognize reality, skip over crucial elements of clarity and transparency, hide some of the futility that likely cannot be overcome, and ignore their own competing contradictions, then those protocols might end up providing more problems than protection. What corporations must do, as they head into 2020, is not blindly follow CCPA. Nor should they facetiously do superficial work to achieve ‘CCPA compliance’ while not really providing ‘privacy.’ What is most crucial is innovative executive thinking, where new analytical minds are brought in to positions like CISO (Chief Information Security Officer) that are intellectually innovative, entrepreneurial, adaptive, and agile in how they approach the mission of privacy and security. Traditionally, these positions have often been hired from very rigid and orthodox backgrounds. The enactment of CCPA in 2020 means it might be time to throw that hiring rulebook out. In real terms, the injection of new thinking, new intellectualism, new concept agility, and new practical backgrounds will be crucial for all information security leadership positions. Failure to do so will not just be the death of privacy, but the crippling of corporate success in the client relationship experience.
