The California Attorney General has not published the final rules for the California Consumer Privacy Act, though enforcement is slated to begin July 1.
The impending rules finalization is challenging organizations' existing privacy practices. But businesses that were once unburdened by privacy regulation are facing new stressors introduced by the coronavirus pandemic.
Earlier this month, Washington state announced a requirement for restaurants to maintain a 30-day log of patrons' information. While the requirement has been revised to a voluntary process for patrons, the manual form of contact tracing has unprecedented privacy implications for the restaurant industry.
Restaurants, theoretically, might be subject to HIPAA privacy guidelines, according to Michael Osterman, president of Osterman Research, during a webcast this month. If patron data is shared with healthcare authorities, do names count as healthcare data? It's a "thorny" territory for companies' privacy policies and "certainly the frames of HIPAA never even thought about."
California expected companies to be compliant in January, but contributed to uncertainty when it did not issue final regulations. Regulations typically become effective in designated windows. For the CCPA, final regulations filed between June 1 and Aug. 31 would likely become effective on Oct. 1, according to the Office of Administrative Law.
Without finalized rules, compliance seems like a moving target for some organizations.
On top of uncertain regulations, the impacts of the coronavirus disturbed the office-based workforce, challenging operations in every way.
Because employees are using their own IT infrastructure right now, it's likely the California AG is keeping an eye on what the coronavirus might have changed in terms of security and privacy compliance, Chad Carter, VP of North American Sales at WALLIX, told CIO Dive.
"When you talk about the jump of people working from home, companies weren't ready for this. Nobody was. And so none of these protections were in place," said Carter. "Cybersecurity is definitely shining a light on where we're lacking in this time."
Up against future regulations, 70% of privacy and security professionals said their privacy-related systems can't scale, Daniel Barber, co-founder and CEO of DataGrail, told CIO Dive, citing a DataGrail survey. Privacy regulations were limited to specific kinds of consumer data, such as healthcare or legal information — scalability wasn't a central focus.
"Now you see security teams owning the privacy function," said Barber. "I think the age of relegating privacy to the back office has changed, especially over the last sort of 12 to 18 months."
Now security and privacy solutions are focusing more on continuous compliance, adaptable to varying laws. Legislation is historically adaptive and rules are "in a state of flux" right now, said Osterman.
Privacy regulation historically fell to sectors reliant on personal data collection. But regulation under GDPR and CCPA is changing that.
Compliance started with organizations narrowing down systems and identifying how much personal data they stored. "Most businesses have not really put a lot of investment into that area," said Barber.
Barber found business customers sitting on consumer requests from two to three months ago, grappling with manually fulfilling requests. They are businesses with minimal online presence, but enough personal data collection to require adherence to the CCPA.
While companies wait for the AG to finalize its rules, the CCPA is setting the tone for the rest of the nation and its attitude towards privacy. Consumers expect two things from the organizations they engage with: transparency and control.
Just under two-thirds of consumers expect a degree of transparency, according to data from DataGrail. "Businesses really have the opportunity to develop a competitive advantage by providing those to tenants," said Barber, which will likely translate into applying CCPA rights to all consumers, in or out of California.
"Denying someone access to their personal data because they happen to live in Montana is probably not a great consumer experience," said Barber.