Following in the footsteps of GDPR, the US is seeing more progressive data privacy laws coming down, with the new California Consumer Privacy Act leading the charge. What does the new law mean for consumers and for companies? What can the US learn from GDPR? F-Secure’s Timo Laaksonen, who previously headed F-Secure’s consumer business in North America, and Hannes Saarinen, F-Secure’s data protection officer, stopped by for Episode 32 of Cyber Security Sauna to discuss the new CCPA and compare and contrast it with GDPR.
Janne: So the new privacy law is coming to California in 2020. It’s called the CCPA, California Consumer Privacy Act. Can you briefly summarize it for our audience?
Hannes: So, CCPA, California Consumer Privacy Act, which extends far beyond mere consumers, is one of the first steps in US legislation to give the California residents the capability to know how their data is being collected, what it’s being used for, and most importantly, to whom it’s being given.
All right. So how close is this to GDPR?
Hannes: The GDPR and the CCPA, they are both general aerial legislation, which means that they are both trying to cover not merely one specific sector, but more like all the data processing you have. The CCPA, however, is more narrow, in the manner that it has areas either entirely excluded, or they are delayed, for example, by one year so that the practitioners would have more time to accommodate those changes. But basically the logic is to give baseline privacy protections to California residents.
Right. So Timo, what’s your take on this? Is it going to be any good?
Timo: I think it’s a giant leap in the right direction, absolutely. One difference from GDPR is that there was quite a lot of preparation time for companies to get ready for GDPR, whereas this –
And still some did not make it.
Timo: Yes, that’s right. But with regards to CCPA, it’s going to kick in on January 1, 2020, which gives very little time for companies to get prepared. And there’s still a little bit of uncertainty around is it going to become the standard, the regulation to abide by? As there are some rumors about federal regulations being under preparation. It’s very unlikely that those will see the light of day before the end of the year.
But anyway, very little time for companies to react and get ready. And also, is this a good move? Like I said, absolutely this is a good move. And it goes to greater lengths than maybe some of the industry players would like to see it go.
Yeah, there’s been reporting that Silicon Valley is nervous about this act. Are they right to be?
Timo: Yes, absolutely. Zack Whittaker from TechCrunch, he wrote an article and he said that they are scared, and they should be. For the reason that they actually have to take these commitments very seriously. What to collect, how to use it, and how are they sharing it with third parties. It’s pretty creepy these days, how companies have different levels of, let’s say, internal regulation to how they store data, how they share it. Cambridge Analytica, of course, being a very blatant case of abuse, but if you just look at the number of consumer breaches taking place practically every week that affect consumers in the US, it’s devastating.
So naturally what I’ve done is that I’ve registered myself into Have I Been Pwned, which is a site that looks after consumer breaches and shares information to you about the fact that your data has been leaked. I get notices like this every single month practically.
Yeah, there’s other services out there as well. I think Badrap.io is a very popular one.
Hannes: What I like about the US approach to legislation and why the Silicon Valley companies are all concerned, is that the US is constructing legislation where the pain is. The US was light-years ahead of Europe when it came to breach notification legislation. And also with the CCPA, it’s hitting the data transfers that are happening, especially that are happening in the web with web profiling companies whose names most people don’t even know.
So this is not so much anti-Facebook legislation, because Facebook has all of this data directly from you, it doesn’t need to share it so much with anyone, but to all of those less-known companies who are actually behind the profiling activities you have on the web.
Timo: Data brokers, who are completely anonymous practically, in the background. Nobody knows their names, but there are companies who are behemoths in their own area and they combine data from different sources, thanks to the relaxed capability to share data between sites and services, which makes them very very powerful.
And then when you do browse the web and you use certain services, and you see something that you find creepy, like, I just said something or went to some site, and already here an hour later, I can see something that must have been known in the background, and data has been shared, or something weird is happening in the background. But you don’t know what. Most likely some of this can be stopped.
And just to put things into perspective, these companies who are tracking you, as said, you know if you log onto Google, or Facebook or Twitter, everybody understands that they know who you are. But these are companies who are the next level down. For example, a couple years ago I was preparing a presentation to make this a bit more concrete for the audience. So I turned on what we call a tracker mapper in our VPN product Freedome. And I was browsing a website for maybe 12 or 15 minutes, and then I turned it off. And there were roughly 100 trackers, or companies who tried to track me, within 12 to 15 minutes of browsing.
And those are the companies we are now talking about.
Timo: And there were some that you would know about, but there was a large number of names that I had never heard in my life. And I think that it is fabulous that there is going to be legislation that is going to put some order into this chaos.
You know, when you say is this a good move, I’d say that pretty much the biggest thing is that consumers don’t know how their privacy can be protected. And they’re looking to regulators and lawmakers and the industry to do something about it. Now, this is a good move to help the consumer be better protected and their privacy be better protected in matters that they don’t really understand how they can take action.
Hannes: I still do actually applaud the California legislation that they are actually ahead of the curve. How it’s going in Europe at the moment is that we have a GDPR in place, and only now Europe is trying to sort of come up with this specific legislation called e-privacy regulation, which is currently stuck in the legislative process. Partially because it’s difficult to legislate under the European structures, and also because there is a huge amount of lobbying from these same tech giants in the European parliamentary lawmaking.
What actually the CCPA is doing is it takes note, as Timo mentioned, to the fact that you don’t really have privacy on the web nowadays. And that’s the pain it’s hitting on, and it’s actually hitting where there are relevant privacy impacts to individuals at the moment.
That makes sense. But since the intended targets of this act are largely unseen and anonymous from a consumer point of view, what, if anything, will consumers notice when the law comes into effect?
Timo: My view is that it does hit also companies that we do know. You know, the service providers whose names we can recognize. They need to be more careful with how they collect data, how transparent they make it. There’s been a lot of effort in past years in the US by privacy experts within service providers to make sure that the transparency of what they collect and how they use it has been taken care of in a better way. But not necessarily everybody has done that. You know, it’s been a competitive differentiator potentially. Now it’s going to be regulated. So that’s good. So everybody has to be on the same level and play in the same playing field.
When it comes to the anonymous players, absolutely. That’s something that the consumers don’t most likely even realize. Well, they realize that something fishy is going on, but they don’t know what. I think that the biggest thing here from a consumer point of view that they will realize is that they will get more control over their privacy than what they have before.
Yeah, like you were saying, it’s long overdue. So is the situation already out of hand? Is this measure too little, too late?
Timo: I never want to be as pessimistic to say it’s too little too late. I think this is a good dose of regulation that is coming into place. Is it too late? It would have been fantastic to have it in place earlier, absolutely, but this is good.
Akamai ran a study amongst about 1000 consumers in the US in 2018, and one of the things was that they were asking for ideas of how do you think that my privacy could be improved? And about 50% of the respondents said regulation.
Yeah, consumers are not trusting companies to behave in an ethical way themselves.
Timo: And self-regulating. Precisely, spot on. And if you look at the US, it’s not a country where consumers necessarily love regulations, right? But in this area it is a complex area, it’s very difficult to manage, to understand technically. There’s a level of helplessness. And that’s like the worst feeling. If people start feeling desperate and helpless, they’re like, whatever I do, I can’t fix this. So maybe there is such a level of desperation right now that even regulation is seen as a positive thing. Which is good.
Yeah. There’s also new privacy laws being proposed in New York and other states. How complicated is it for companies doing business in the US to comply with state-by-state privacy laws, rather than one set of laws at the federal level, like we almost have in Europe?
Hannes: State by state compliance, that’s horrid for any company trying to be compliant with applicable laws. So what we are probably seeing the first steps of in the USA is that in the absence of federal privacy law, there will be numerous privacy laws in each state, which is what Europe was from ’95 to 2018 prior to GDPR. And when you have a company doing a multi-state business, then effectively you end up being in a situation of which laws do I breach? It’s impossible for you to manage the compliance of all of those slightly different laws.
So under that purview it’s kind of understandable that for some players, the federal privacy law would be what’s preferable to having other states looking to California’s lead and having their own privacy laws.
If the general mindset in the US is not very pro-regulation to begin with, I’m sure it’s even less pro-federal regulation. Do we know if there is federal regulation being considered on this?
Timo: Yes, there is. There’s been a report that a committee of the Senate has submitted at the beginning of 2019 on the need of the privacy law and that’s been accepted as a report. And on the basis of that, there is apparently preparation going on for regulation. We don’t know what kind and when. If past legislation and recent moves by the current administration are to be judged by, it’s likely to be more relaxed than what California has stipulated right now.
And there is heavy lobbying that took place over in California by tech companies to make it more relaxed. Largely they’ve failed, and now they’re lobbying the federal lawmakers to put in place federal laws that might be more relaxed. So if they lost the California battle maybe they can win on the federal front. I think there is reason to believe that this is precisely what is happening.
Everybody naturally conveys a message to the public that “We’re for privacy and we want to protect your data,” but hey, don’t be fooled by that. Everybody’s making business on your data. That’s their business. And they want to be able to do that also in the future. And what they’re saying is “Let’s innovate new services and provide you better services.” Which means, we will profile you even further and use that in all imaginable ways to do more business out of your –
Yeah, unimaginable ways as well.
Hannes: And it’s proof that the California Consumer Privacy Act is really scaring the businesses, because if they’re lobbying federal privacy laws, then that’s a whole other ball game. The major difference between the state legislation and federal legislation is also the fact that the most likely candidate who would be overseeing the enforcement of the federal legislation is the FTC. And the FTC really has teeth on the enforcement side.
Much has been spoken in Europe about GDPR-based fines, but if you look at the fines levied against Facebook recently, then any GDPR fines imposed to date pale in comparison under the huge fines that the FTC imposed against Facebook for its numerous privacy breaches.
Who exactly is the body enforcing this law in California?
Hannes: The California attorney general is the authority who is overseeing the enforcement of the law. It varies from the European perspective, in that in Europe you have these data protection authorities who can then impose fines based on GDPR, and use the other rights they have, but they are otherwise sort of hamstrung with the other capabilities.
So it’s interesting to see which way the enforcement goes, as the attorney general obviously has all of these other items also to investigate. But then again, the attorney general has preexisting experience for how to use the litigation procedure. So once they focus on something, then it’s much easier for them to bite. Whereas the DPAs in Europe, you can expect that they will sort of look at everything, but whether they are willing or capable of reacting to everything, that’s a different matter.
Speaking of fines, the CCPA penalty is up to $7500 per violation. What does that mean, and why does it sound so small?
Timo: It sounds laughably small, if you think about litigation in the US overall. I honestly do not understand how the fine can be that low, but there’s also a clause that states that the consumer can sue the service provider for $750 of penalty per breach or misuse of their data. If a company serves one million consumers, one million times $750, worst case scenario, is $750 million dollars. Now that is big.
So that’s sort of per person affected, and not per breach.
Timo: It’s per person affected. So if there’s a class action lawsuit for instance, and one million people join forces, then that is a lot of money. Which naturally, the $7500 is a joke. That is the fine from regulators, most likely, but you know, this requires a lawsuit. So it’s not automatic.
Okay. So the fine, the $7500, is per breach, but you’re talking about how the class action suits are the real stick here.
Hannes: By the way, just to give one additional comment, it’s not actually necessarily a joke. It’s not per breach, it’s per violation.
What’s the difference?
Hannes: What is a violation? If I am an email spammer and I spam all of that information to 100 people, is that one violation or 100 violations? So you may have multipliers based on these violations, and then it really starts to kick in.
Timo: But I would say the difference to GDPR is that GDPR in a way stipulates very clearly automatic fees and sanctions, whereas this one requires consumers to take action. If there’s a class action lawsuit, it is typically made quite easy to join one, so you don’t have to take action yourself. So there is a difference. But this can be meaningful. So I would say that yes, potentially this has very sharp teeth.
Hannes: Yeah, and also to continue on the idea of class action lawsuits, the privacy harm is notoriously difficult to measure. And it has been even more difficult for any class action to actually file a successful claim, since you don’t have any actual law that the internet culprit would have been offending.
Now that you actually have a CCPA, you can say that “These are the clauses the company has been in breach of, consequently I have been violated, and hence we have this class action.” It’s so much easier to create a class action lawsuit and base those damages on something. Especially as with the CCPA or a federal law, you start to have these other verdicts on the same law which are establishing what is a given level of damages awarded for a given behavior.
Timo: You asked earlier about the difficulty for businesses to comply with a law that is enforced in Massachusetts, and there’s another one in California, another one in Oregon and so forth, how difficult it is. Yes, I concur with Hannes. It is challenging, but what has happened to a certain extent with GDPR and American companies is that the ones who have had to comply with it, the ones who have business in Europe, have actually started also applying it in the US and used that as a competitive differentiator. That’s a nice thing to see.
Yeah, and to turn that around, when I’m seeing US companies who are refusing service to me because I’m a subject to the GDPR, it raises the question like, why should anyone trust you, if you don’t feel you are up to that level of security, where do you set the bar?
Timo: That’s right. We’re a bit creepier, so we don’t want to comply.
Timo: That’s one way to go about it, but you know, the point is that if companies see a potential competitive differentiator in the way that they collect and use and share consumer data, and complying with the tougher legislation, for instance, California. Which then may be harder than in some other states. Then that may be a positive in a consumer’s eyes.
How much overlap is there between these pieces of legislation, the GDPR or the CCPA or the state legislation? If you’re compliant with whatever the highest level of these is, are you also compliant automatically with everything else?
Hannes: If you’re compliant with GDPR, you’re compliant with almost all of the stuff in the CCPA. The most notable exception is the right to object to the sale of your information. That’s the only real major differentiator you have between GDPR and CCPA in that direction.
Obviously the CCPA has less obligations and less scope than GDPR. It doesn’t have all of the same data subject rights, it doesn’t require a specific justification for collecting personal data, it doesn’t impose the role of the data protection officer to companies, and multiple other stuff that you have, international transfers and so forth. So it’s kind of a GDPR-lite but it’s a purpose-built GDPR-lite, when you speak about CCPA.
Timo: Now, looking at the different activities going on in the different states in the US, California and Oregon have perhaps been the first ones to put legislation in place. But there is work going on in Arkansas, Illinois, Maryland, New Jersey, Texas, Utah and Washington also. So yes, there is work going on. And these are mostly related to the responsibilities that companies who hold consumer data, how they are made responsible for informing customers about data breaches. So that’s a good thing to have in place, but that’s like the lowest bar, right? Or one aspect of it.
Sure. Now the GDPR has been in effect for awhile, and we’ve had a chance to learn some of the lessons from it. When the US is considering this or other pieces of legislation, they’re in a great position to sort of pick the parts that work and discard the parts that don’t work. What do we see they are emulating?
Hannes: It’s clear that they are emulating the data subject rights as a concept. Like you have the right for information, you have the right of access, you have the right of deletion and so forth. You have the right of portability. They are not emulating the full stack but nonetheless quite a few of these. And there is also a bit of a rule that when you use a provider to process data for you, then you need to agree on certain items so that the data isn’t used without control by that provider. You can see the stamp of the GDPR all over the CCPA.
If I were to give some advice to the drafters of subsequent legislation, and I’m saying this even if I know this is contrary to the US style of doing very specific legislation, is that nonetheless, it makes sense for the US to try to keep the law feasibly generic so that it can be applied across numerous fields.
Timo: Which is now not the case. So the federal legislation that is in place that has to do with PII, personally identifiable information, is applied to healthcare-related information or financial information. And that’s a bit difficult, because that’s piecemeal. So federal legislation actually would be very good, as long as it’s not watered down.
Hannes: Yeah, and it’s generic enough that you can apply it across all of the areas. You can think about the laws on the sale of goods. Those are very generic, they operate very well, obviously they have hundreds of years of practice behind them. But nonetheless, you cannot regulate the sale of goods on extremely detailed rules that are made on one specific case.
And when the US goes forth and does its privacy laws, it’s good to know that the California aspect is GDPR-modeled ‘strike where the pain is,’ but actually if they want to do something more comprehensive, which doesn’t run into micromanagement immediately, then a bit more higher level view is good.
Okay. The CCPA will be law in California, but what does this mean for companies in Europe who are providing services to US citizens, some of whom may be in California?
Timo: Same way as GDPR. So US companies who have been serving European citizens have had to comply with GDPR. The same will apply to any companies that intend to serve California residents.
So are we going to see banners now that say “We can’t provide this service to you because you’re in California”?
Hannes: Most likely yes, at least in the interim. That’s a good way to buy some time. The other stuff is that the CCPA is targeting larger companies. GDPR applies to everyone, with only sort of minor variations. CCPA has this threshold you have to cross in terms of how many consumers’ data you are collecting, in terms of how much revenue you have. So it doesn’t automatically apply to everyone, and probably we’ll be seeing companies trying to play around with this threshold rule.
Timo: The California law exempts businesses who have less than $25 million of annual revenue, or serve less than 50,000 customers.
Okay. So my website selling kitten pictures is not in trouble until it gets a lot bigger than it currently is. How can companies prepare for the new laws?
Hannes: It’s very basic actually. The same applies to both sides of the Atlantic. So start by doing a data mapping exercise. That came as a surprise to many European companies, that the companies didn’t really even know what data they had, who they were giving it out to, was it actually used for anything.
So this is also the inevitable first step for US companies, if you really want to become CCPA compliant, you have to start by knowing what are your assets. And once you have that somehow mapped out, then simply pool enough resources to a project that can actually tackle it and see it through. It’s going to be much more work than you think.
Speaking of mapping your data, some companies are finding that it’s actually not worth their while to collect all the possible data that they can, that it’s actually more helpful for them to consider like, “This information I need to have and store,” because information is becoming almost radioactive. What do we think about that?
Timo: You know, this starts at home. I’ve seeing F-Secure services being designed on the basis that we want to collect as little data as possible, just to make sure that we don’t have anything we don’t absolutely definitely need to develop our services. That’s just a case. So we tend not to collect anything we don’t require. I think that’s a very good policy for other companies also.
Actually if you’re in the business of monetizing people’s data, you tend to act the other way around. So if you look at the Google statements they’re giving in their websites about what they collect and what kind of activities they follow, it’s practically everything. Every move you make, every step you take.
Absolutely. Now Timo, you’ve lived both in Europe and in the US. So how is the citizens’ view of privacy different in those countries?
Timo: I’d say that what is common – let’s start with that – is that largely, people don’t quite understand what are the technologies underneath that are being used to profile them and collect the data and how it’s being processed and shared. So it’s a tough area for consumers. And in both continents, it’s clear that people don’t quite know what to do by themselves, how they can improve their own privacy.
I’d say that in the European Union, it’s been talked about so much more thanks to GDPR in the past years, what privacy is about and what kind of regulation needs to be in place, that people here are more, I would say generally aware of how regulation can help you and what kind of things does it tackle. This is not necessarily quite at the same level yet in the US.
In the ÙS it’s very much about consumers wanting to have control over their data, and consent-based marketing. So that just the mere fact that I can opt out is already a good step. If you can delete the data as the CCPA stipulates in California the same way as has been regulated over here in Europe, that’s also something that consumers will definitely welcome.
Yeah. I mean, on the other hand, the US has a longer history of conversations about privacy, all the way from the constitution. So the concept of privacy and what can be done and can’t be done to you has a longer history in that country, but it tends to be a conversation about what the government can and can’t do. So companies have had a free reign for a long time. But that’s coming to if not an end, then definitely narrowing down a little bit.
Timo: It’s going to change. I’d say when you look at the US, there are extremely strong lobbies for privacy. If you look at the American Civil Liberties Union or ACLU for instance, just to mention one, they know what they are doing. They understand and they’re very adamant in their efforts to improve the situation.
But if you look at the lobby, or the ones who are very aware of what privacy is about and how it should be improved, it is a very small fraction of the US population. And they are fighting for the rights – maybe it’s 1% fighting for the rights of 99%. And the 99%, they need this support.
I’m sure. But are these measures enough the protect the consumers, or is there something else you guys would like to see regulation on?
Timo: So IoT is definitely an area that is too weak. Whereas CCPA seems to be a good piece of regulation coming into place when it comes to data privacy and data collection and its use, the internet of things regulation that is going to be put in place also on the first of January in California is regulating the IoT device manufacturers mostly. And it requires them to implement reasonable security measures in light of the service that they are providing. So how vague can you be? I think that this is a pretty good stab at that.
One thing that is definitely going to be better is that default passwords are no longer accepted. And if you look at the data breaches, 75% are stated to be caused by weak or recycled passwords. So that’s going to be a good one. So I’m not writing this off, that’s a good thing. But overall, “implementing reasonable security” is cutting it short.
But we also have talked about consumers and their awareness or understanding of what’s going on. Do you think we’re going to see regulation about, I don’t know, EULAs or something like that, sort of tackling the problem that people really don’t understand what’s being asked of them?
Hannes: I guess the CCPA is going to help in creating the understanding, because what it’s actually doing is introducing the European-style cookie banners to the USA.
Those are helpful. (Laughing)
Hannes: Yeah. With the added point that the Californian legislators had obviously been paying attention to the fact that the current cookie banners in Europe have been extremely, let’s say, nudging the consumers in a certain direction, and hence the CCPA has this specific wording and format by which you have to sort of introduce this ‘object to the sale of my information’ kind of stuff.
And even if the cookie banners are generally recognized as sort of an annoyance on the web, or recognized as are a totally incorrect method for tackling the problem, they are bringing out the awareness. And so is going to be this ‘object to the sale of my data.’ That is also going to increase the awareness. That’s going to be one of those things that will make people talk about it, and then they will sort of act as kind of a pathway for the first activities where someone is asking for their data from Google or Facebook or somewhere else, and they will get data. But as can already be seen from Europe, they will not get nearly enough data.
And I’m actually watching with interest at what kind of claims we are going to see by the first privacy advocates who will demand to have all the data they should be entitled to under the applicable laws. And that will throw a bit more fuel to the fire for the public discussion.
Yeah. Well, on that note, it’s time to wrap up. Thanks for taking us through this interesting upcoming piece of legislation.
Hannes: Thank you.
Timo: My pleasure.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.