The General Data Protection Regulation (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’)…
Think Privacy is Only for Europe? Think Again.
The GDPR is done. And it impacted only the businesses operating in the EU anyway. Right?
- Privacy is never “done”. Compliance is an ever-present requirement and businesses should constantly monitor their touchpoints, their data collection practices, their data processing logic and the same set of considerations for their vendors, on an ongoing basis.
- The GDPR impacted all businesses that processed the data of EU citizens – not just the ones located in Europe.
- The GDPR was the tip of the iceberg. The world is becoming aware of the threats of callous data collection and processing with impunity. Yes, Europe woke up first. But that does not mean the US and the rest of the world will keep slumbering.
In fact, the US has already started on the path towards revolutionary privacy regulations. With laws passed in California, Nevada and Maine and bills planned in many other states, businesses should expect to be impacted in the coming months.
This article breaks down the crucial parts of each state’s privacy law or bill — including who they cover, when they take effect, penalties, how to achieve compliance, why states took the reins before the federal government to protect consumers’ personal data, and how embracing privacy compliance could benefit your business.
US Federal Regulation?
In a letter to congressional leaders on September 10, Business Roundtable CEOs from across industries urged policymakers to pass, as soon as possible, a comprehensive national data privacy law that strengthens protections for American consumers and establishes a framework to enable continued innovation and growth in the digital economy.
The letter, signed by 51 CEOs, was sent to House and Senate leadership and the leaders of the House Energy and Commerce and Senate Commerce, Science and Transportation committees.
From the U.S. business perspective, there has never been a better time for a federal data-protection law to be introduced.
The GDPR stipulates that any company collecting data on individuals resident within the EU must comply with the legislation – whether that company is based in the EU or not. This means that many U.S. businesses are already GDPR compliant in order to operate internationally, and have the framework in place to expand this compliance to the U.S. market.
It is different for businesses that operate only within the U.S. Data protection compliance is becoming a nightmare, with (potentially) up to 50 different state laws, each with its own specifications and requirements. A federal law would streamline this, providing one unifying piece of legislation across all states.
US State Laws
In the meantime, states have acted much earlier.
With laws passed in three states, bills proposed in others, and several states passing new data breach notification laws, we are witnessing the beginning of a massive shift towards protection for consumer data and accountability for businesses that control and process it.
The IAPP Westin Research Center compiled the list below of proposed and enacted comprehensive privacy bills from across the country to help businesses stay abreast of the changing state privacy landscape.
Although many of the bills included in the map will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States.
As one of the first privacy laws passed after the GDPR, the CCPA is acting as the blueprint for other bills in the US. Effective January 1, 2020, the CCPA applies to a business that collects/processes California residents’ personal data or does business in California.
These businesses are subject to the CCPA if they meet any one of the following thresholds:
- Exceed a gross revenue of $25 million
- Buy, receive, sell, or share (combined total) the personal information of 50,000 or more consumers, households, or devices
- Derive 50% or more of annual revenue from selling consumers’ personal information
The CCPA grants consumers rights similar to those under the GDPR, including disclosure of personal information and the right to request their personal data. Businesses are required to respond to verifiable consumer requests with information such as the categories and specific pieces of personal information collected, the third parties and categories of third parties with which data is shared, and more.
This section, known as data subject requests (DSR), grants users access to and deletion options for their personal information. The CCPA also requires that businesses display a “Do not sell my personal information” link on their homepage.
The CCPA will be enforced by the Attorney General and includes fines up to $7,500 for each individual violation.
Nevada’s privacy law was signed on May 29, 2019, and takes effect on October 1, 2019, three months before the better-known CCPA. The laws are very similar but differ significantly in how “sale” is defined. Nevada’s law is narrower: it does not cover all service providers and is more lenient on financial institutions.
According to InfoLawGroup, the CCPA and Nevada law are similar in that both require “businesses to come up with a process to verify the legitimacy of a consumer opt-out request and require businesses to respond to the request within 60 days.”
Similar to California, Nevada’s enforcement lies with the Attorney General and includes fines of up to $5,000 per violation.
Maine’s privacy law was signed on June 6, 2019, but it will go into effect July 1, 2020. This law blocks Internet service providers (ISPs) from selling, sharing, or granting third parties access to their customers’ data, unless explicitly given approval by those customers. With the changes, Maine residents now have an extra layer of protection for the emails, online chats, browser history, IP addresses, and geolocation data that is commonly collected and stored by telecommunication and technology sector companies.
So, while the CCPA gives customers the right to opt-out, this new law prohibits ISPs from utilizing customer data unless the customer opts in. This requirement goes further than the CCPA or Nevada law and is relatively unique among US privacy laws, which generally favor opt-out consent.
Don’t Wait—Prepare Now:
According to a 2018 PwC survey, 64% of businesses had not yet started to prepare for CCPA regulations.
Have you put off starting your compliance journey? Have you begun the process, but find yourself challenged by the fast-approaching deadlines?
The following is a list of conscious actions that you can take as a business to go down the path of compliance for most of the existing laws, and the ones that will be enforced in the near future.
Step 1: Update Privacy Notices and Policies
These laws will require that, “at or before the point of collection”, covered companies provide notice to consumers informing them of the categories of personal information the company collects and the purposes for which the company uses that information.
The notice must also explicitly set forth the categories of personal information that are collected, disclosed, or sold, and consumers have a new right to opt-out of having their information sold.
Companies will also need to update their privacy policies to include a description of the other new consumer rights.
As many companies had to decide when becoming GDPR compliant, before making the legally required policy updates, companies will need to determine whether they will maintain a separate privacy notice for the residents of each state or one universal policy.
Step 2: Update Data Inventories, Business Processes, and Data Strategies
Companies will also have to maintain a data inventory, which is essentially a database to track their data processing activities, including business processes, third parties, products, devices, and applications that process consumer personal data.
Companies that already became GDPR compliant will have to add a few columns to their data inventories, including columns:
- identifying whether the data use includes the “sale” of information;
- identifying which categories of personal information are transferred to third parties;
- identifying whether the data was collected more than 12 months ago and is therefore potentially exempt.
The database will also have to be kept up to date and be able to track all consumer rights requests, such as a verified request for information.
Step 3: Implement Protocols to Ensure Consumer Rights
These laws guarantee a number of consumer rights that businesses will need to take steps to ensure.
- Right to Notice – While it is not exactly a granted right, at or before a business collects personal information from a consumer, the consumer must be properly notified which categories of information are being collected and the purposes for which the information is being used.
- Right of Access / Right to Request – Upon verifiable request, the business must take steps to disclose and deliver, free of charge to the consumer, the personal information, which may be delivered by mail or electronically. If provided electronically, it must be provided in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit the personal information to another entity without issue. A business may provide personal information to a consumer at any time, but does not have to provide it to a consumer more than twice in a 12-month period.
- Right to Know – The consumer has the right to request that a business that collects personal information disclose the following: (1) the categories of personal information collected; (2) the sources from which the information was collected; (3) the business or commercial purpose for collecting or selling the information; (4) the categories of third parties with whom the business shares the information; (5) the specific pieces of personal information the business collected about the consumer.
- Right to Delete – The consumer has the right to request, upon verifiable request, that a business delete any personal information about the consumer the business has collected. Upon receipt of such a request, the business must delete the information and direct any service providers to delete the information from their records as well, unless the business or service provider needs the information to: (1) complete the transaction for which the personal information was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of the business’s ongoing relationship with the consumer, or otherwise perform a contract between the business and the consumer; (2) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity; (3) debug to identify and repair errors that impair existing intended functionality; (4) exercise free speech, ensure the right of another consumer to exercise his/her right of free speech, or exercise another right provided for by law; (5) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest; (6) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (7) comply with a legal obligation; (8) otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
- Right to Opt Out – The consumer has the right to opt out of the sale of personal information by a business. Businesses must make available, in a form reasonably accessible to consumers, a clear and conspicuous link on the homepage, titled “Do Not Sell My Personal Information”, that enables a consumer to opt out of the sale of the consumer’s personal information. The business must wait at least 12 months before asking a consumer who has opted out to authorize the sale of their personal information again.
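The time-bound rules in Steps 2 and 3 (the 12-month inventory exemption, the two-per-12-months limit on access requests, and the 12-month wait after an opt-out) are easy to get wrong when handled by hand. The following is an added example, not code from the article or from any vendor, of a hypothetical request tracker that enforces those limits; it assumes dates arrive as ISO strings and approximates “12 months” as a rolling 365-day window.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: the laws' "12 months" is approximated as a rolling 365-day window.
TWELVE_MONTHS = timedelta(days=365)

@dataclass
class ConsumerRecord:
    consumer_id: str
    access_fulfilled: List[date] = field(default_factory=list)  # dates access requests were honoured
    opted_out_on: Optional[date] = None   # most recent "Do Not Sell" opt-out
    collected_on: Optional[date] = None   # first collection date (data inventory column)

class DsrTracker:
    def __init__(self) -> None:
        self.records: Dict[str, ConsumerRecord] = {}

    def record(self, consumer_id: str) -> ConsumerRecord:
        return self.records.setdefault(consumer_id, ConsumerRecord(consumer_id))

    def handle_access_request(self, consumer_id: str, verified: bool, today: str) -> str:
        """Honour a verifiable access request, at most twice in any 12-month period."""
        if not verified:
            return "rejected: request not verified"
        now = date.fromisoformat(today)
        rec = self.record(consumer_id)
        recent = [d for d in rec.access_fulfilled if now - d < TWELVE_MONTHS]
        if len(recent) >= 2:
            return "declined: already fulfilled twice in the last 12 months"
        rec.access_fulfilled.append(now)
        return "fulfilled"

    def opt_out(self, consumer_id: str, today: str) -> None:
        """Record a 'Do Not Sell My Personal Information' opt-out."""
        self.record(consumer_id).opted_out_on = date.fromisoformat(today)

    def may_ask_to_sell(self, consumer_id: str, today: str) -> bool:
        """A business must wait at least 12 months after an opt-out before asking again."""
        opted = self.record(consumer_id).opted_out_on
        return opted is None or date.fromisoformat(today) - opted >= TWELVE_MONTHS

    def note_collection(self, consumer_id: str, collected: str) -> None:
        """Record when the consumer's data was first collected (inventory column)."""
        self.record(consumer_id).collected_on = date.fromisoformat(collected)

    def potentially_exempt(self, consumer_id: str, today: str) -> bool:
        """Data inventory flag: data collected more than 12 months ago may be exempt."""
        collected = self.record(consumer_id).collected_on
        return collected is not None and date.fromisoformat(today) - collected > TWELVE_MONTHS
```

The verification step is deliberately an input to the tracker: how a request is verified is a policy decision, and the tracker only guarantees that unverified requests never reach the delivery path.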
Step 4: Make Security Updates
These laws also require covered businesses to protect personal data with “reasonable” security. In practice, this standard has led companies to take a risk-based approach toward addressing threats to the confidentiality, integrity, and availability of personal data: they assess the threats to data, rank the risks of the identified vulnerabilities, and address the high-risk gaps first.
Step 5: Update Third-Party Processor Agreements
To comply with the US privacy laws, businesses that have other companies process their data will need to update their third-party contracts, including inserting standard contractual clause language; requiring vendor data inventories; using due diligence questionnaires; providing records of processing; requiring the syncing of consumer response processes; requiring onsite assessment and auditing; and requiring mapping of the specific data elements shared with each third party, including designating those transfers that qualify as “selling”.
Third parties that paid for information will additionally need to design processes to accommodate consumer requests to opt out of selling and to provide for the deletion of that data.
Step 6: Training
Finally, these laws require that employees handling consumer inquiries be informed of all of their requirements. Given the penalties involved, this training should be the minimum, and additional employee training is recommended.
Think It’s a Lot to Implement? Businesses will Benefit from Compliance:
There has been some criticism of privacy laws and claims that these laws are bad for businesses.
Compliance programmes cost money, but companies can’t expect to make money from an asset like data without spending money to make sure their actions are compliant.
However, the key requirements in privacy laws, as mentioned above, are mostly in line with common sense, so a compliance programme should never be a bottomless pit.
Moreover, even if the legal pressure was not starting to mount, the ethical and awareness pressure would.
Yes, there is a compliance cost, but this should be seen as part of the cost of doing business with data, and building and preserving a brand’s reputation. As a compliant organization, you will be able to market your adherence, which in turn can help boost sales and customer loyalty.
Nearly all organizations worldwide now recognize that privacy investment translates into upside business benefits. Organizations that invested to get ready for the GDPR are experiencing fewer and less costly data breaches, seeing less sales friction due to customers’ privacy concerns, having fewer data records impacted, and suffering shorter system downtime.
These are some of the findings from the recently released Cisco 2019 Data Privacy Benchmark Study, which draws on data from a double-blind survey of more than 3,200 security and privacy professionals across 18 countries. The study is the first in a series exploring key issues that organizations are facing in privacy and cybersecurity today.
According to the Cisco study, 97% of companies say that they are receiving further benefits from their privacy investments, beyond just abiding by privacy laws. These benefits include competitive advantage, attractiveness to investors, operational efficiency, and greater capacity for flexibility and innovation.
Three quarters of all respondents said they were receiving two or more of these benefits. Moreover, the majority of companies now say that strong data privacy is a competitive differentiator in their markets.
These results highlight the need for businesses to undergo changes not only to comply with privacy laws, but also to maximise the business benefits of their privacy investments.
Improving data management, boosting customer trust, and experiencing shorter sales delays and less costly data breaches can all be meaningful for your organisation and give you the competitive advantage your business needs to prosper.
The writing is big and bold on the wall. Privacy is not just for Europe…it is the need of the moment for businesses all over the world. The shift is turbulent. But it is one that was inevitable.
Humans invented locks to protect their tangible assets. Now that intangible data is equally precious (if not more), reckless accumulation and processing of the same will be frowned upon, disliked and ultimately viewed as a violation.
Privacy compliance practices streamline operations. And they boost reputation by reducing the risk of breaches. In my opinion, it is not about the effort involved in compliance, it is all about waking up early to the fact that compliance may very well be YOUR next big competitive advantage.
Convert has already laid a solid foundation. How about you?