CCPA: Can Your Business Analytics Put You At Legal Risk?
Updated: Mar 4
Does the Information Your Business Algorithm Produces Have a Legal Impact?
It’s all about prioritization.
When designing your information governance strategy it may seem as if Europe and its General Data Protection Regulation (GDPR) are too far away to factor into your plans. But what about a law that came into effect on Jan 1, 2020 in the US state with the largest GDP?
If you buy or sell data on more than 50,000 customers in California, the California Consumer
Privacy Act (CCPA) is something that can’t be ignored (save for a few carve-outs). And even if you don’t have business in California, other states are following their lead with numerous privacy bills proposed – there is even legislation moving at the federal level (COPRA[i]) to bring welcome consistency. Privacy regulations are going to be a key part of the business compliance landscape in the coming future.
The CCPA covers much of the same ground as the GDPR, but for those who read carefully, there are some new and notable items that will be of interest to your compliance team. We all know that a name, address, email, or Social Security number count as Personally Identifiable
Information (PII), but what about a credit score? Whereas the GDPR identifies “personal data”
which can be used to identify an “identifiable natural person,” it specifically indicates that the
“data subject” would need to be identifiable by the data. This would be, for instance by a name, an identification number, location data, or an online identifier.
The CCPA, by contrast, has a special category of PII called an “inference”. These are “inferences drawn from any of the information identified… to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.[ii]” So a score that indicates whether a customer is a credit risk would be inference PII, as would be an identifier that indicates which products the consumer would likely be interested in buying.
One thing that is not as well developed in the law is the “probabilistic identifier[iii]”. Part of its
definition stipulates that it must indicate a probability greater than 50% that an action, such as
making a purchase, will be taken. This type of score seldom reaches a 50% likelihood of
predicting something and would be considered useful at probabilities far less than that (imagine if you could identify that a customer is 10% likely to purchase something on a site, many companies would advertise to them.) However, if the probability does near 50%, even if it is not derived from PII (say from customer clickstream behavior on your web site), it would be considered as such by California law.
So, in the case of a customer request, your company needs to identify all the CCPA affected data, which may be a broader range of information than you think. You will need to identify that data to comply with two types of requests. The first is just a request to see what types of data are compiled, inferred, or calculated by your company. The second is more onerous - the right “to be forgotten.” This asks that data which is PII that is not in one of the excluded categories to be deleted.
This “please forget me” request has the greatest chance of breaking business logic and
databases if you are not careful. The information governance that is needed to manage the
identification and removal of data is just good medicine in general, though often not in place. This kind of governance contributes to allowing you to value your information properly – regardless of whether or not the information is considered PII. The side effect of good governance (derived from compliance with the law) can, with a little effort, be a boon to your company.
To get help putting together an information governance program for CCPA or just for better
resource allocation and information hygiene, don’t hesitate to drop infoedge a line.
[ii] CCPA, Section 9.o.K
[iii] CCPA, Section 9.p