A Q&A with Andy Sambandam of Clarip Inc.

What is arguably the nation’s most far-reaching consumer privacy and security law was passed with lightning speed last week in California. While the law doesn’t go into effect until January, 2020, companies are being advised to get up to date on the new regulation and its stipulations—and their potential liabilities should they fail to follow them. To understand more about the law, we spoke to Andy Sambandam, founder and CEO of Clarip, Inc., a privacy management platform that helps consumers and businesses stay compliant with regulation.

Californians will have the right to access their personal information held by a company and the right to request deletion of that data…it tries to give consumers the ability to take back control of their data without creating additional bureaucracy at the businesses.

What propelled the CA legislature to move so quickly to pass AB 375?
California acted quickly and firmly because of widespread support in the state for additional privacy protections. Recent data breaches and privacy scandals, including when Facebook and Cambridge Analytica made headlines this year, set the stage for privacy to become a dinner table issue, and as a result, a boardroom issue for most companies. As businesses made changes to their practices for the EU General Data Protection Regulation (GDPR), the public realized that businesses could actually take steps to protect their privacy if they were required to do so.

The public supported the California Consumer Privacy Act because it will allow consumers to take back control of their personal information. They will be able to find out who has their information through the right to access, they can stop their information from being sold or transferred to third parties through the right to opt out, and they can remove their personal information from the possession of businesses through the right to delete. Together, these measures are a huge first step to reign in businesses that have not taken the privacy of their customers seriously enough without government regulation.

The bill was fast-tracked through the legislature as a result of a compromise between the California State Legislature, businesses and the law’s supporters. If the Legislature passed AB-375, the voter initiative on privacy would be removed from the November ballot. Business supported AB-375 because it avoided the possibility of a tougher law from voters. The legislature supported it because their constituents supported it and it is easier to modify a law passed by the government than one adopted by the voters. And the ballot initiative supporters were able to achieve the nation’s toughest privacy law without an expensive ballot fight. Without the threat of a ballot initiative in November and the deadline for removing the privacy vote from the ballot, the Legislature would not have acted so fast.

What loopholes in the new legislation will favor businesses? Should the CA legislature contemplate any additional fixes ahead of the 1/1/2020 in-force date?
There were a number of changes from the ballot initiative to make AB-375 more tolerable for businesses. Businesses will have the opportunity to cure noncompliance during a 30-day waiting period before penalties or statutory damages can be sought. They will also have the ability to offer financial incentives to consumers to permit them to collect and sell personal information. Both of these are major changes from the ballot initiative.

There will likely be at least one more round of changes in the coming months. There simply was not enough time for the law to undergo the usual level of scrutiny that such an important piece of legislation requires. The California Assembly’s Committee on Privacy and Consumer Protection has already suggested adoption of a number of technical corrections to the bill. Assembly Member Ed Chau, chair of the Privacy Committee, has also identified the private right of action as another area where changes may occur. Businesses will no doubt take the opportunity to lobby for other changes over the next few months as the bill was rushed into law without the usual level of input from the key stakeholders.

How does the California Consumer Privacy Act differ from the European Union’s General Data Protection Regulation (GDPR)?
The new CA law gives California residents a lot of the same rights that are contained in GDPR without some of the more troubling compliance problems for businesses. For example, Californians will have the right to access their personal information held by a company and the right to request deletion of that data, two of the core data subject access rights contained in GDPR. However, AB-375 departs from GDPR in many important respects. AB-375 has an exclusion for small businesses with revenue of less than $25 million (as long as their primary revenue source isn’t the sale of personal information or they possess records on more than 50,000 people or devices in California). This minimizes the compliance burden on very small businesses that simply cannot afford it. It also does not require companies to: 1) establish a lawful basis for processing every piece of personal data, 2) enter into data processing agreements with every third-party, 3) hire a data protection officer, or 4) assess the privacy impact of their business processes.

Instead, it tries to give consumers the ability to take back control of their data without creating additional bureaucracy at the businesses. The new law does not require businesses to email consumers although it will necessitate changes in privacy policies to inform consumers about their new rights. The one area that could generate a new privacy notification email involves the requirement that children under 16, or their parent in cases of children under 13, must provide opt-in consent to the sale of personal information. If a business willfully disregards the user’s age, the business will be considered to have actual knowledge of the consumer’s age for the purpose of this section and be in violation for selling data without consent. Because many businesses did not previously establish the age of their users, they may need to make an announcement about these changes.

Can we expect other states and the federal government to be influenced by CA’s regulation?
The Facebook-Cambridge Analytica scandal was such a high profile issue that it is hard to imagine a scenario in which the federal government does not pass legislation to address privacy in the next two years. If it appears next year that Congress and the White House cannot agree on what should be done, then you will start seeing other state governments adopting California’s approach. Most states are not going to rush technology regulations. They will wait to see how the new privacy law is received in California and gauge how intensely businesses fight the next set of privacy laws before attempting their own legislation. After all, it took 16 years for all 49 other states to adopt data breach notification laws after California did so in 2002. Delaware, Illinois and few other states are at the forefront in privacy and biometric laws, so it is possible they may bring similar privacy legislation earlier.

How does Clarip’s privacy management platform aid consumers and businesses in meeting the new CA law requirements?
Businesses will need a powerful consent management system with a robust API to integrate with their software systems and stop the electronic transfer of personal information to third parties after a consumer has exercised the right to opt out. Clarip has built such a platform already for GDPR compliance. Also, having a centralized consent management process allows companies to maintain an audit trail, which is necessary to demonstrate compliance and fight wrongful lawsuits. They will also need an electronic system to manage the consumer requests exercising their right to access and right to delete. Clarip’s Privacy Center module already helps companies comply with GDPR data subject access requests and we made some minor modifications to get the platform ready for the California Consumer Privacy Act. Clarip is the most cost-effective solution to operationalize this compliance requirement. Finally, Clarip’s Data Risk Intelligence scans can offer businesses real-time insights on data collection and sharing occurring across the Mar-Tech stack and technology ecosystem so that businesses can accurately disclose that information to consumers—a core requirement of the California Consumer Privacy Act.

In summary…
We want to thank Andy for expert analysis on this cyber risk/privacy topic. Andy is a privacy practices thought leader and he has always kindly shared his thoughts on related issues (see prior Junto interview here).

In reading Andy’s comments, I came away with two key themes:

1. (1) The bedrock for the new California law (and arguably the GDPR in the EU) is privacy ethics, which will no doubt become a critical area for risk managers and insurers. They will need to understand, for example, if their organization’s privacy policy matches up to actual practices, such as safeguarding data in a prudent manner. So, cyber risk is not always triggered by an actual security breach—it includes wrongful data collection and the sharing of personal client info that might fall outside the bounds of posted policy. Plaintiff lawyers are especially focused here as wrongful sharing cases like Facebook’s are now a leading litigation area. It should be noted that the actual collection and sharing of data is not always wrong, so long as there is transparency and clear communication with customers about their rights and how their data will be used and stored once you control it.

(2) This new California law may serve as a template for other states looking to super-charge their existing breach/privacy laws, especially those with more forward-leaning legislature or aggressive state AGs. It’s nothing new: California also lead the pack with some of the original data breach notification laws over a decade ago, creating a model for other states to emulate.