Next week, the CCPA (California Consumer Privacy Act) will go into effect. It really hasn’t gotten much attention–but it should. The law is likely to have a far-reaching impact on the tech world, especially in categories like AI (Artificial Intelligence).
So what is the CCPA? Actually, it is the most thorough privacy regulation in the US. It even goes beyond the requirements of the General Data Protection Regulation (GDPR), which is focused on Europe.
Under the CCPA, a company must disclose to customers all the information that has been collected on them as well as the data shared with third parties (there is also the right to opt out). The law applies to firms that meet one of the following: annual revenues in excess of $25 million; the processing of data involves more than 50,000 consumers; or more than 50% of revenues come from the selling of personal data.
“Companies that are not in compliance not only run the risk of financial ramifications through fines, but also put their brand reputation on the line,” said Christy Wyatt, who is the CEO of Absolute. “Today’s modern enterprises, those that want to win, need to be laser focused on transparency and trust–and ready for rapid response when that trust is misplaced.”
Keep in mind that the California Attorney General has significant powers for enforcement of the CCPA, with the ability to impose fines of up to $7,500 per incident per person. Consumers also have a limited private right of action for any data breaches and the ability to bring class action lawsuits.
CCPA And AI
As with any new law, there will be tests in the courts. But it does seem clear that the CCPA will mean that plenty of companies will have to rethink their approaches with AI.
“Many AI applications gather or process consumers’ personal information for various purposes,” said Harley Geiger, who is the Director of Public Policy at Rapid7. “Those activities would be subject to the CCPA’s requirements. So, for example, a company may need to disclose to consumers that it uses browsing history to aid algorithmic decisions, and a company may need to allow consumers to delete personal information from automated services that learn from that personal information.”
At a minimum, companies should tighten up their compliance policies, which may also mean purchasing new tools for monitoring.
“At a national level, when the CCPA goes into effect in January, data privacy regulation in America will become more complicated than ever before,” said Danny Allan, who is the VP of Product Strategy at Veeam.
Then what are some best practices to consider? Here’s a look:
- Barry Cooper, Enterprise Group President at NICE: “In order to comply, businesses are looking at being more proactive with dedicated solutions to pinpoint potential violations, effectively mapping private data and taking corrective actions whenever necessary. For a successful compliance strategy, organizations need to adopt analytics and automation to gain control over the stream of data through better powered data processes. Looking specifically at the text of the law, authentication should also be performed for access rights. This of course can be uniquely supported by AI and voice biometrics, with customer consent.”
- Abhay Singhal, the CEO of the InMobi Marketing Cloud: “If AI companies are using personal data to benefit their customers, there should not be any issue. However, if AI companies are using personal data that they do not own (second/third party), this is a place where constraints will be enforced. Hence such companies that do not own data will have to comply and acquire this data in a compliant manner. AI companies will now have to be very clear with their customers on what data they collect and how they use the same. Overall, this is a great way to make sure personal data is not going in the hands of companies that do not add any value back to the customer. Any company working on AI models needs to make sure that the lineage of personal data is understood and acquired in a compliant manner. This will lead to a lot of companies (who do not have access to customers) using digital fingerprints for modelling and using aggregate data instead of personal data.”
- Mike Leone, who is the Senior Analyst at the Enterprise Strategy Group: “The CCPA also covers inferences based on that data. In other words, when a company creates a data profile for a consumer based on connecting a group of data points, that will also need to be shared. These would include areas like user behavior, perceived intelligence levels, preferences, psychological trends, etc. In fact, derived data points make up a majority of a data profile. The conundrum for AI as it relates to CCPA is that a surprising number of businesses don’t know how an insight was derived from a complex model or deep neural network. I think it will force those leveraging AI to prioritize explainability as a feature of their chosen AI platform, where insights derived from AI must be explained to a point where they can be understood by a human.”
- Ravish Patel, who is the Director of Data at TeleSign: “Specific systems/processes will have to be established to manage various principles of CCPA. A central data repository needs to be developed and managed to collect the list of personal data used, their purposes as consented by the users or legitimacy, etc. A dedicated system will be needed to ensure Identity Verification of users who exercise their rights to delete their data, as it is possible that fraudsters might abuse these processes to bypass AI models specifically built to catch fraud. Also, processes will have to be developed to ensure end user inquiries (like Do not Sell my Data) will be treated as per the CCPA guidelines. In addition, data privacy principles like anonymization and masking will have to be implemented throughout the data lifecycle to ensure the use of personal data within various AI modes.”
The Future
The CCPA will likely spark more legislation in other states and countries. For example, there has been the passage of similar laws in Nevada and Maine. And there are proposed bills in Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, and Washington.
“In 2020 and beyond, we can expect to see a significant increase in regulations placed on consumer data collection and use,” said Guy Cohen, who is the Strategy and Policy Lead at Privitar. “GDPR and CCPA have paved the way for similar legislation. While we know that other states are already working on such laws, we will not be surprised if the federal government also decides to enact similar legislation in the future.”