Building CCPA on top of the GDPR – how DAA can help

By Catherine Hackney posted 11-05-2019 03:14 PM


Author: Aurélie Pols, Founder, Aurélie Pols and Associates

The words my friend Leena has been speaking for 2 years resonate increasingly. We teach Data Protection Officers on digital data privacy at the Maastricht University faculty of law:

You know what would be really scary from a privacy risk perspective?
European thinking in terms of privacy supported by US based enforcement

We are at the dawn of January 2020, figuring out how to comply with the CCPA, the California Consumer Privacy Act, 2 years after the GDPR, the General Data Protection Regulation, went into force.

At the same time, while we increasingly wonder what happened to data accuracy, our industry is being asked to fix potential bugs to keep the current state of affairs running, as best as possible.

Back tracking slightly, one must realize that the original cookie specification from 1997 was GDPR compliant. Yet things have changed since I first joined the “Web Analytics Association” back in 2004: both technology and legislation have moved forward!

And while some might remember the “Do Not Track arms race” Peter Swire talked about when leading the W3C DNT initiative, we need to come to the realization that we have come full circle.

The DAA’s mission statement reads as follows: “advancing the use of data to understand and improve the digital world through professional development and community”.

The vision of our community “a better digital world through data” partially echoes what the GDPR also states in recital 4: “The processing of personal data should be designed to serve mankind*”

And while the CCPA goes beyond CalOPPA, stating that businesses should recognize Do Not Track settings as a request to opt-out, it also recognizes certain rights for “consumers”, as residents of the sunshine state.

Gentle reminder: CalOPPA asked website operators to state how they responded to DNT, not to abide by it. CCPA clearly goes quite some steps further!

The parallels with the GDPR are both daunting and reassuring: the GDPR talks of data controller, processors and joint-controllers while CCPA talks of businesses, service providers and 3rd party data sellers.

Rights of “consumers” are also being aligned with the territorial scope of the GDPR: it’s not about nationality, these rights apply to individuals who choose to reside in California and probably the US.

And while these rights are somewhat different (take for example portability which is broadened in scope under CCPA while limited in frequency compared to the GDPR). They do have the merit to fall under a legislative regime of common law, unlike continental Europe.

What does this mean exactly?

Simply put, while there is a limit to the right of action within the CCPA, risk related to privacy non-compliance is increasing exponentially.

Consequences: privacy professionals are starting to sit at the digital data table and asking questions beyond the Pavlovian security protocols.

And to minimize said risk, collaboration is the only way forward.

Technology can totally help us resolve for digital identities** yet it takes a village to assure this is done both in the interest of the business but also, it’s customers. This because systems are becoming increasingly complex and ultimately to nurture trust, which remains the bed rocks of any good (business) relation.

The days of the data exhaust through log files has long passed yet people, process and technology remain the foundational pillars for successful qualitative data driven decision making.

Many years ago, former colleagues Eric Peterson and John Lovett shared the Web Analyst Code of Ethics with the then WAA.

Today, these 5 initial principles should evolve to support the last one: accountability, a unique word that sums up of the GDPR. It is not about “I”, it is about “we” and any ethical conduct could impossibly take place in isolation.

The FT highlighted recently that the Digital Age needs new institutions.

The DAA can become such a newly needed entity by collaboratively sharing information about how tools work, shed light on current opaque ways of working.

This to support the mission: a better digital world through data, which is why I joined back in 2004.

If not, we can all separately fish out how our digital tools respond to DNT for starters.

Is that an optimized way of working? Can we do better as a community?

* ok this could have said humanity, hat off to the fabulous Women in Analytics!

** disclaimer: proudly serving as DPO, Data Protection Officer, for CDP, Customer Data Platform, mParticle based out of New York.


About Aurélie Pols

Collaborates with Chief Data Officers, particularly in digital, AdTech and MarTech vendors and strategy consulting firms globally to advise businesses on data strategy, with regards to the privacy legislations, the opportunity to Compete on Privacy and related communicational issues.

Services include
- assessing client compliance obligations and aligning compliance strategy with business goals through risk based assessments,
- advising clients on a broad range of aspects of their privacy and data protection program (policy, procedures, training, tools), legal frameworks, cross-border data flow, data protection impact assessments (DPIA), data mapping, vendor agreements,
- strategic advice for executive-level decisions (board of directors and management) regarding data strategy, privacy by design, and building sustainable businesses in markets that are impacted by privacy and data protection concerns.



Most Recent Blogs

  • Posted in: Women in Analytics

    Join the Women in Analytics quarterly meetings for 2023, held on the 3rd Thursday of every third month. T o accommodate ...

  • Posted in: Women in Analytics

    For the past few years, Sharon Flynn has done an amazing job as the Chair of DAA Women in Analytics. She has guided the ...