When the Legislature passed its online privacy protections in June, the bill was drafted by legislators and signed by the governor in the course of one week, a signal of its importance to policymakers in the tech-heavy state.
“I truly believe this is the most significant U.S. privacy development to date,” said attorney and cybersecurity expert Nathan D. Taylor, a member of the San Francisco law firm Morrison & Foerster.
The bill gives consumers five fundamental rights: the right to know how their information is being used; the right to have their information deleted; the right to prevent the sale of their personal information; protection from retaliation for making any requests under the act; and the right to sue.
The bill takes effect Jan. 1, 2020, giving businesses some time to make the necessary process changes to ensure they’re in compliance.
What does this mean for government? In the course of delivering services, taxation and regulation, the public sector must collect a lot of personal information. That same data is then available by extension to any number of private-sector partners. If a breach occurs, will residents be comforted by fingers pointed at a third party?
Many leading jurisdictions have started to hire chief privacy officers (CPOs), granting them a seat at the table alongside agency leaders and technical staff at the outset of a project to ensure that the protection of individuals’ data is adequately considered. It’s a good start.
Among the few local jurisdictions that have hired CPOs is Santa Clara County, which appointed Mike Shapiro as its first privacy officer — one of the first to work for a county. Shapiro has an extensive background working on privacy issues in the private sector and consulting with federal and state agencies.
The big issue facing local government, according to Shapiro, is the development of privacy policies that are consistent across a government at a time of rapid growth in data-driven projects.
“The challenge is how to take the large amounts of information we collect for constituents and serve them better while also protecting privacy rights and following the law,” he said.
Given Santa Clara County’s location in the heart of Silicon Valley, Shapiro believes the county can play a lead role in fashioning privacy policies and best practices that draw on the strengths of local high-tech firms, academia and government. He hopes to start a privacy center of excellence that will foster the kind of dialog that can balance privacy with digital commerce and good governance.
But Shapiro’s more immediate mission is to create privacy-related best practices within county government that balance the need to share information with the need to protect it. The county is in the early stages of developing big data-sharing projects, so now is the time to build privacy into project management and work processes, not afterward.
To get the ball rolling, Shapiro has launched an awareness campaign to educate staff on the different kinds of privacy risks and then promote best practices. Part of the effort is understanding how departments perceive privacy, as well as learning what they do with the data they collect and how the data is shared — or why it isn’t. Sometimes an agency’s desire to protect privacy can thwart projects that can serve people, Shapiro explained. Having the right conversation with the right people can overcome roadblocks to data sharing that doesn’t compromise privacy rights.
In addition to training to raise awareness, governments like Santa Clara County are following the lead of private companies and have begun to conduct privacy impact assessments on new projects.
Experts cite the new law as a reason why local governments need to be more careful when it comes time for IT acquisitions, especially those that involve vendor access to data.