What’s the Deal With the CCPA?
Imagine Jerry Seinfeld performing his 1990s standup comedy routine in front of a brick wall saying to the audience: “what’s the deal with airline food?” Now, picture Jerry Seinfeld as a lawyer in 2020. The brick wall is his home office. His audience is now a cat (or maybe folks on a Webex call). Sporting horn-rimmed glasses and a shock of gray hair, “Lawyer Jerry” stares at a client’s email on his computer screen, squints, and says to himself: “what’s the deal with the CCPA?”
What is the CCPA?
The California Consumer Protection Act (CCPA) is a comprehensive consumer privacy law designed to give California residents the right to know what information about them is processed and with whom their information is shared. The CCPA gives California residents rights similar to those Europeans receive under the General Data Protection Regulation (commonly referred to as GDPR), including rights of access and portability, as well as the right to opt out of the sale of their personal information. Because the CCPA applies to all California residents, understanding the CCPA’s requirements is important for companies around the world that serve or may serve Californians.
So, What is the Deal With the CCPA?
Lawyer Jerry and scads of compliance officers, data scientists, information security professionals, and others in similar roles are pulling out their hair trying to understand the CCPA. Sure, you can read the law. But it’s more complicated than that. And the stakes are high. One estimate reported that corporate compliance costs could be around $55 billion.
Here is where things stand as of publishing this article in June 2020: the CCPA took effect on Jan. 1, 2020; however, the California Attorney General must wait until July 1, 2020, to begin enforcement. In the meantime, the Attorney General’s Office was tasked with issuing regulations to facilitate, clarify, and provide guidance to consumers and businesses about the law. It issued proposed regulations, updated those regulations in February, updated them again in March, and submitted final proposed regulations in June. Those final proposed regulations will be reviewed by California’s Office of Administrative Law and filed with the Secretary of State before they become enforceable. Some questions remain about the enforcement timeline, especially regarding the regulations. Further impacting that timeline, 30 trade associations and companies have asked to delay enforcement generally because of the ongoing coronavirus pandemic.
Adding to the confusion is a new data privacy initiative in California, the California Privacy Rights Act (the CPRA, colloquially known as “CCPA 2.0”), which recently passed its first threshold to qualify for the November ballot. The CPRA intends to strengthen Californians’ privacy rights beyond the CCPA by regulating “sensitive” personal information (covering race, ethnicity, sexual orientation, etc.) and creating a new state agency overseeing privacy.
How Can Lawyer Jerry Support His Clients With CCPA Compliance Needs?
Although the details are murky, we do know that Californians will have the broadest data privacy rights in the United States. One option for Lawyer Jerry is to follow the approach of others. Duo Security and its parent, Cisco, could serve as an example for how to offer these kinds of data privacy rights to all individuals, whether they are in California, Europe, or elsewhere.
Duo and Cisco are committed to respecting and protecting the privacy rights of their workers, customers, partners, users, and others – no matter where they are located. Our long-standing security, data protection, and privacy program is anchored on the principles of transparency, fairness, and accountability and has been certified to align to privacy frameworks and legal requirements around the world (i.e., EU Binding Corporate Rules, EU/Swiss-US Privacy Shield, APEC Cross Border Privacy Rules system, and APEC Privacy Recognition for Processors).
While Cisco cloud-enabled offerings (including Duo products) do collect, process, and share limited categories of personal information, they do so in order to conduct their business and provide their products and services. When we share personal information with business partners (like vendors and service providers who process data on our behalf), we do so pursuant to a written contract that prohibits such partners from processing the data for any reason other than performing the services as specified in that contract.
Transparency is key for compliance with all data privacy laws. This is why Cisco publicly posts detailed information about its privacy policies in its Trust Portal. Cisco’s Privacy Data Sheets are key components of that Trust Portal. Each cloud-enabled offering has a Privacy Data Sheet spelling out the categories of data collected, the purposes of processing, and international data transfers, while also identifying subprocessors and retention periods, among other pertinent information. Duo’s Privacy Data Sheet can be found here.
As the CCPA, CPRA, and other laws around the globe evolve, Duo and Cisco will update their disclosures and practices as needed to ensure privacy is appropriately respected and protected. We do so not only because the law requires it, but because it is right and fair. This practice benefits our customers and can guide people like Lawyer Jerry towards respecting and protecting privacy rights of all people.