IAPP: What to Do When Consent Doesn’t Work under CCPA
In addition to other benefits, the California Consumer Privacy Act enhances privacy for individuals when data uses cannot be adequately served using consent alone. The CCPA provides incentives for companies to implement safeguards that keep data privacy risk from occurring in the first place. Under the CCPA, this can be accomplished by leveraging new technically enforced, risk-based deidentification controls.
Benefits of Non-Consent Processing (via DeIdentification)
Processing data under the CCPA’s deidentification requirements brings many benefits. They include:
For individuals and society:
+ Consumer benefits from data processing that is not well supported via opt-in/consent requirements because of the complexity of processing and difficulty of explanation.
+ Societal benefits from having more representative, non-discriminatory data to train accurate and representative artificial intelligence and machine learning models.
For data controllers and processors:
+ Greater flexibility in complying with data subject requests to delete data.
+ Enhanced ability to lawfully share and combine data with third parties.
Requirements for Non-Consent Processing (via DeIdentification)
Processing protected personal information via CCPA deidentification exceptions requires that proper technical and organizational safeguards are in place.
Those requirements include:
+ The CCPA increases deidentification standards to a new “2020 De-ID Standard”.
+ The 2020 De-ID Standard under the CCPA now requires:
  + Technical safeguards to prevent recipients of protected information from inadmissibly re-identifying individuals when used on a distributed, multi-party basis.
  + Greater protection than otherwise required under laws that were enacted almost a quarter century ago, like the Health Insurance Portability and Accountability Act.
  + Context-aware, risk-based management of re-identification risk.
  + Protection against re-identification risk from data in the hands of third parties.
Host:
Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP
Panelists:
Deven McGraw, Chief Compliance Officer, Ciitizen (former healthcare privacy official at the Department of Health and Human Services)
Khaled El Emam, Professor, University of Ottawa/CHEO Research Institute
Gary LaFever, CEO, Anonos
Justin Antonipillai, CEO, WireWheel