Large Software Companies Using Data Privacy As A Competitive Advantage
Moving Beyond Compliance Obligations On Dawn Of CCPA Enforcement
On the eve of California’s Consumer Privacy Act (CCPA) legislation taking effect, large software companies are announcing that protections under these laws are being extended to all of their U.S. customers.
Cyber Security Hub enlisted the help of security and data privacy legal expert Jamal Hartenstein to put the announcements into perspective for enterprise security leaders. We examine whether this is a case of software makers promoting self-serving interests or whether there is more than another compliance obligation at hand.
Size Matters In Navigating Privacy Regulation
Access to professional consulting services, attorneys and budgets means that large organizations can navigate privacy regulation for their customers more effectively than smaller organizations. Smaller organizations may not have similar capacity in the form of resources, but they may in fact be too small to meet minimum thresholds under regulations such as CCPA or GDPR. “CCPA targets Silicon Valley large corporations and the third parties they do business with,” says Jamal Hartenstein. A couple of baseline factors for affected companies include: organizations operating in the state with $25 million in annual revenue and holding 50,000+ records of PI/PII for California consumers. As a result, many organizations are small enough to avoid the regulation, unless they would like to comply, announce, and use the announcement as a competitive advantage over other small organizations that have chosen not to navigate the privacy regulation.
These Early CCPA Policy Announcements Mean Floodgates Are Set To Burst
“We should expect businesses to begin publicly declaring a CCPA plan as part of their strategic plan to gain competitive advantage,” notes Hartenstein. “Using data privacy as a competitive advantage is an optimistic way to approach the regulation as opposed to focusing only on the expenses of compliance.” Julie Brill, Microsoft's corporate vice president for global privacy and regulatory affairs and Chief Privacy Officer, in “going a step further” is using data privacy as a competitive advantage. She also advocates for privacy rights that Microsoft values. It’s a win-win, says Hartenstein.
Data privacy observers claim that Microsoft adhering to GDPR across worldwide customers gave it an advantage when considering a plan for CCPA. Hartenstein rejects the claim as a limited observation. Adhering to the strictest standard that provides the greatest consumer rights for all consumers, regardless of geography or jurisdiction, is also a cost-savings strategy.
“California has the strictest vehicle emissions laws, so automotive manufacturers engineer their vehicles to meet the state’s standard regardless of where the vehicle is to be sold.” Having two separate manufacturing baselines (one for California and one for the rest) may be more costly; consequently, the whole country has cleaner emissions as a result of one state’s law. “We also see this effect when IT Security teams seek to limit the permutations of Operating System Baselines or Mobile Devices supported, because it limits the operational overhead required for patching and securing,” adds Hartenstein.
California’s Torchbearer Role Criticized For Outpacing Federal Legislation
As the saying goes, “With great power comes great responsibility.” Microsoft, Coinbase and other organizations promoting legislation that favors consumer privacy as a fundamental right should be applauded for their first-mover initiative, says Hartenstein. Forrester Research VP and data privacy analyst Fatemeh Khatibloo further advocates the need for a comprehensive privacy bill for all of the United States.
It is challenging to keep up with the amendments to the California bill and the updates out of California Attorney General Xavier Becerra’s office. The areas in which CCPA falls short and is criticized include its non-applicability to all types of data or to specific classes of individuals such as employees. Hartenstein points out that “It’s important to note that federal law generally preempts state law.” This means that a U.S. law, such as the Fair Credit Reporting Act (FCRA, or other federal law impacting employee data), is not usurped or overridden by the California law. Federal law preemptions are occurring where there is existing employment law governing such data; therefore, the CCPA has recently been amended to include clauses on employee data, stating various exceptions for federal laws that preempt.
Many of the CCPA requirements can come across as confusing. Even after various alterations and clarifications to the bill, it will be left up to Superior Court judges to analyze and interpret the text against the facts of certain cases of violations of CCPA, says Hartenstein.
A Balancing Test For Data Privacy Approaches: Opt-Out Versus Consent
Lobbyists for large organizations shape legislation, and the wealthy companies influence the writers of laws. According to Hartenstein, lobbyists for the consent approach should understand that while consent can be baked into initial agreements and policies, the reality for consumers is that most do not read or understand the legalese before checking the box for consent. This means they either never become aware of what they have consented to, or become aware only once they are dissatisfied with an observation or experience related to their relationship with the organization.
Hartenstein recommends that organizations perform a balancing test, weighing the benefit to them of the consent approach in legislation against levels of dissatisfaction among consumers:
- The opt-out approach costs organizations time and money to implement and maintain; CCPA requires records management solutions to consistently be able to demonstrate consent from your data owners (the consumers).
- Consumers with the ability to easily opt out enjoy a more seamless way of exercising their consumer rights afforded under the law, such as rights of access, portability, and prevention of continued use (including sales) of their data.
Predictions For The Future Of U.S. Data Privacy Legislation
Early supporters of CCPA tend to subscribe to the belief that it will likely become the de facto data privacy law for the U.S. in the foreseeable future because the U.S. Congress doesn't appear to be motivated to pass any federal privacy laws. Our security and data privacy expert Jamal Hartenstein takes a different view.
“Elected officials are involved in politics. Politics are behind decisions such as to focus on opt-out of PII rather than consent,” he says. Not all organizations that are lobbying to influence data privacy laws are in the same camp as the first to make these announcements. Some companies in the U.S. would prefer not to provide data privacy as a fundamental right to consumers, and those companies do have influence over Congress as well, observes Hartenstein. “Imposing a pervasive countrywide Data Privacy law across the U.S. would displease many powerful organizations. For this reason, I foresee a patchwork of laws,” he says.
The typically optimistic Hartenstein says that his outlook is that of a realist when it comes to the expected behavior of politicians. Security leaders take note: the data privacy landscape will become murkier and more complex before uniform legislation is put in place.