Remember when the ad industry glommed onto the phrase “Data is the new oil”?
Well, sensitive data is crude oil, at least from the perspective of any marketer who might want to collect and use it. The process of refining crude oil is dangerous and should be conducted with extreme care.
That’s not a perfect metaphor, so sue me. Although, lawsuits are more likely to come against companies that fail to handle high-risk data properly.
Risk regs
Processing sensitive data such as biometric information, precise geolocation, children’s data and information that could reveal a person’s race, sexual orientation or health diagnosis is considered a “high risk” activity under most state privacy laws.
Some state privacy laws, including in Connecticut, Virginia and Colorado, require businesses to conduct a separate privacy impact assessment, which is like an internal audit to make sure data is being handled properly for any processing that presents a heightened privacy risk.
But, in California, the requirements are even more stringent, with two separate types of assessment: one from a cybersecurity perspective and another to determine whether the processing of personal data could present a “significant risk” of consumer harm.
“You have an obligation to do due diligence on all of your vendors above and beyond what’s in your contracts,” said Richy Glassberg, CEO and co-founder of privacy compliance tech provider SafeGuard Privacy. “And when it comes to sensitive data, you really have to do so.”
As of now, the specific requirements for how to conduct these assessments aren’t finalized, and the California Privacy Protection Agency (CPPA) hasn’t yet started its formal rulemaking process.
But it did draft cybersecurity and risk assessment regulations on its website and discussed them during its most recent board meeting in early September. The preliminary comment period closed in March, but the CPPA will collect more feedback on the drafted regs as they circulate.
It’s a long road, though.
Once the regs are finalized, it’ll be a year before they can be enforced, said Daniel Goldberg, chair of the privacy and data security group at Frankfurt Kurnit Klein & Selz and co-chair of its ad tech group.
Can’t be too careful
Putting aside the bureaucracy of it all, what do ad tech companies need to know about the risk assessment rules the CPPA is establishing?
The most important thing to remember, said Julie Rubash, chief privacy officer and general counsel at data privacy software company Sourcepoint, is that the requirements – while important to follow – will not be new to anyone who hasn’t been living under a rock.
The concept of conducting a risk assessment should be familiar to any company that’s been exposed to GDPR and/or has been working on compliance with certain regulations in the US, Rubash said.
“I actually think it’s going to be beneficial for companies because it helps lay a foundation for your entire privacy compliance program,” she said. “This is really something companies should be doing internally anyway, regardless of any regulation.”
Still, businesses should always consider the nuances between different data privacy regulations, of which there are already 12 in the US alone (not counting Washington state’s My Health, My Data Act, which is specific to health-related data).
“Companies may be able to rely on impact assessments conducted pursuant to other privacy laws,” Goldberg said, “but should review the specific obligations under the draft regs to ensure compliance.”
Not that enforcers are necessarily waiting to pounce on companies that make good-faith efforts at compliance.
The California attorney general, which has been enforcing the California Consumer Privacy Act while the CPPA is drafting regs for the California Privacy Rights Act, is usually pretty fair in its dealings, Goldberg said.
“In my experience, the California AG’s office has taken action against companies based on alleged substantive violations as opposed to ‘gotcha’ technical violations,” he said, noting that both the AG and the CPPA will probably approach enforcement of the new regs in a similar way.
But we’ll only really know once enforcement of the CPRA begins in March of next year. Because past practice is not always a predictor of future behavior.
“Things could change at any time,” Goldberg said.
As always, thanks for reading! And if there’s anyone you can trust with your sensitive data, it’s Dr. Fluffy. Feel free to drop me a line with any feedback at [email protected].