MESA Members: CCPA is Almost Here, and M&E Companies Must Be Prepared

Media and entertainment companies that stand to be impacted by the coming implementation of the California Consumer Privacy Act (CCPA) Jan. 1 have plenty of work to do to comply with the new law if they haven’t started yet, beginning with education, according to members of the Media & Entertainment Services Alliance (MESA).

The very first thing to do, however, is to figure out if your organization even needs to comply with CCPA. For example, when it comes to the production studios and independent producers that are clients of Three Zebra Solutions, the only organizations CCPA will affect are “large studios and their directly financed productions,” consultant Lulu Zezza, Three Zebra owner, told MESA.

After all, unlike Europe’s General Data Protection Regulation (GDPR), CCPA will only apply to businesses with annual revenues exceeding $25 million, she noted. The other CCPA criteria – having records of more than 50,000 individuals, households or devices, and 50% of revenue coming from selling personally identifiable information (PII) – “are not applicable to the production space,” she said, adding: “Independent productions during the production phase will not have any revenues. However, if they are successful and still retain PII, then the CCPA could apply to them once their project is sold or released.”

What stands to help is that some studios already started to “change their payroll and accounting workflows and data recording to push the onus of PII management entirely onto the payroll companies, she said. “But there is a general lack of understanding regarding data classification and management on productions which lends itself to a lack of workflow planning for the securing, sanitizing and purging of PII,” she told MESA, adding: “ I think the most important thing the studios should do today is educate producers regarding these responsibilities so that policies, budgets and plans are put in place” by Jan. 1.

“The first thing organizations must do is to understand what information is being collected on individuals and to determine where or how this information is being processed,” according to Jay Trinckes, principal security consultant for risk management and governance of North America at NCC Group.

“Organizations need to perform a data asset inventory and data mapping to get a better understanding on where their data is coming in, being stored, being processed, and being exported (to both internal business units and external third-party organizations),” he said. “Next is to determine why the information is being collected and for what purpose,” he told MESA, adding: “Organizations should be asking themselves how this information is being used, is it being sold, and is the organization being transparent with the individual on how their information is being handled. Finally, organizations need to ensure that they have appropriate controls in place to keep this information private and secure.”

CCPA is “strict on the definition of personal information and also calls for more consumer rights on how the data can be used,” Simin Haik, founder and CEO of Imaginate, pointed out. Therefore, companies impacted “will need to allow time to prepare for CCPA compliance in order to avoid fines per consumer in addition to incidents if” they’re non-compliant and have a data breach, she said, noting CCPA “extends the information [covered] to a household versus GDPR, which only applies to personal data.”

The period between now and Jan. 1 “represents an opportunity for businesses to prepare their programs for the future of privacy and security regulation,” according to Stephanie Iyayi, SVP of legal and business affairs at Convergent Risks. “For many businesses, adjusting business processes and activities to comply with the CCPA’s provisions will likely take longer than anticipated,” she told MESA.

The “immediate steps that businesses should consider” taking include “developing an understanding” of how their business “handles consumers’ personal information across the organization,” including human resources, customer service and vendor management, Iyayi said.

Other steps that businesses should consider, Iyayi said, include: “Remediation of information security gaps and system vulnerabilities; properly updating privacy policies to comply with the specified requirements; tracking data streams to respond to consumer requests; and identifying operational challenges that compliance may pose considering both the systems and manual or automated processes it must have in place to implement the CCPA’s deletion, access, portability and opt-out requirements.”

Also important for organizations is to develop processes to enable compliance, such as: setting up a toll-free number and Web address for consumers to submit requests; designating an individual or team to monitor and respond to consumer requests within 45 days; verifying the identity and authorization of consumers making access or deletion requests; designating mechanisms that enable the business to honor opt-out requests; and updating privacy-related disclosures, including online privacy policies, Iyayi said.

One other big difference between CCPA and GDPR is that the latter is opt-in, so “the consumer has to actively agree to be part of the data collection, whereas the CCPA is opt-out, [so] the consumer has to take positive steps to avoid the data being collected,” noted Spencer Stephens, CTO and president of techXmedia.

“What’s interesting is how some websites respond differently when accessed,” he said, adding: “In the U.S., if you don’t agree to tracking cookies, some websites won’t let you use them, but the same website will if accessed from the U.K.”

Just How Transformative is CCPA for Data Protection?

The new law “provides unprecedented privacy rights to California residents, signaling a substantial shift in the data privacy regime in the U.S., and will require significant changes to businesses’ data protection programs,” according to Iyayi.

Those companies that are subject to CCPA “will need to comply with additional regulations related to processing California residents’ personal data, including: ensuring reasonable security procedures and practices; updating or creating privacy notices; consumer choice requirements for selling personal data; restrictions on data monetization business models; accommodating a consumer’s right to access their personal information; honoring the right to deletion; and producing requested data in portable format,” she said.

Because of the “prescriptive nature of the CCPA, its impact will extend far beyond the boundaries of California and its growing 39.5 million population, and is likely to serve as the de facto national standard for businesses that handle personal information about U.S. residents,” she said, explaining: “We are already seeing the introduction of a flurry of additional state bills with similar requirements, and businesses should consider now whether to expand the CCPA’s privacy protections to individuals across the U.S. for both operational simplicity and long term readiness for future incoming legislation.”

Noting that CCPA “allows the consumer to have control over how their information is used, and even the right to remove any existing information that was collected in the past,” Haik called the new law a “significant leap towards consumer privacy” and also the “most restricting act yet” in the U.S. But she said: “Only time can tell how successful and transformative it is, as it may reveal unforeseen loopholes.”

And Trinckes told MESA CCPR was “not necessarily ground-breaking when it comes to data protection and privacy in that [GDPR] has been in effect for over a year and the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) has been around for several years, laying the foundation of sound privacy right principles that organizations entrusted with personal information should abide by.” State laws in the U.S., meanwhile, “have tended to be reactive towards data breaches, but the CCPA is transformative in that it is more proactive and forces organizations to pay closer attention to their privacy processes,” he said.

But Zezza called it just “a start [because] I think the loopholes for ‘research’ and [to] ‘enable internal uses aligned with consumer expectations’ are gaping and good lawyers will be able to use these to justify continuing to use consumer PII as they wish,” she said.

There are currently “several amendments that are being worked through and it will be interesting to see how the final version of the CCPA is put into action,” said Trinckes. Enforcement by the Attorney Generals of states has been “rather easy and the CCPA provides the right to private action in the event of a breach that will stand to provide organizations an incentive to do right by their customers in an effort to avoid being sued,” he said.

Services to Help with CCPA Compliance

Convergent Risks provides clients with support from “experienced privacy and security professionals with a wealth of knowledge gained from our past experience in assisting clients achieve GDPR readiness and ongoing compliance,” Iyayi pointed out. “We offer both physical and remote security assessments to on an affordable fixed price model to verify that personal data is secured and also a supporting policy documentation service via our secure platform,” she said, adding her company can also help with: “Remediating existing information security gaps and system vulnerabilities; penetration testing and vulnerability scanning; revising or developing privacy policies to incorporate required disclosures; developing procedures for handling consumer requests; training personnel; and identifying existing vendors affected by incoming legislation, and developing contract language that flows down relevant obligations.”

NCC Group, meanwhile, “offers several services to assist clients in their privacy compliance efforts,” Trinckes said. “We offer data mapping and data asset inventory services to determine what type of information and where information is flowing throughout the organization. We offer privacy risk screening activities to determine if there is a need to perform data protection impact assessments as well as performing these types of assessments as required. We also offer compliance-related services to determine the level of effectiveness of design and implementation of controls related to regulatory requirements. Finally, for those organizations that may not have internal privacy resources, NCC Group provides virtual data protection officer advisory services to assist clients in their privacy compliance efforts.”

And Imaginate “offers a ground up service to review and update the policies, procedures and infrastructure changes necessary for the companies to be compliant with minimal to no disruption to their day to day activities,” Haik pointed out, adding she “highly recommend that the company contacts us early, in order to implement the necessary changes in a thorough and timely manner.”

Also, One-Simple, which Zezza founded and serves as CEO of, is “providing data access and management services which will enable producers to comply” with CCPA and GDPR, she said, adding: “We know producers do not have the time or interest to plan for secure cyber workflows. We do not add any management burden to the producer, nor any tasks to their crew. Our goal is to make working securely easier than not.”