State Privacy Regulations Are Long Overdue: How Can Companies Prepare?
Cyberattacks and data breaches are in the news almost every day, frequently targeting government agencies, businesses and consumers. According to a national survey from the Pew Research Center, a majority of Americans (64 percent) have personally experienced a major data breach, and large shares of the public lack trust in key institutions – especially the federal government and social media sites – to protect their personal information.
In an effort to put some element of control back into consumers’ hands, the European Union introduced the General Data Protection Regulation (GDPR) in May 2018: a comprehensive set of rules designed to give EU citizens more control over their personal data and to simplify the regulatory environment for businesses. GDPR applies to any organization operating within the EU, as well as to any organization outside the EU that offers goods or services to customers or businesses in the EU. The move was a major pivot towards protecting individuals, and a legislative stake in the ground by the EU to protect personal privacy.
The United States, on the other hand, though fully capable of driving a nationwide privacy standard, lacks a single, comprehensive federal law that regulates the collection and use of personal information. It has not been a legislative priority at the federal level. In lieu of federal privacy regulations, many states are making their own, and each state will have slightly different requirements.
Clearing the Confusion: GDPR vs. CCPA
In January 2020, the California Consumer Privacy Act (CCPA), the closest thing to its European counterpart and the most comprehensive data privacy law in the country so far, will go into effect. All for-profit companies that do business in California and that meet certain thresholds will be required to be compliant by January 1st.
There is an understandable amount of confusion around CCPA and GDPR. With CCPA, there is a greater focus on the commercial uses of data, as opposed to all forms of data processing; in addition, CCPA functions on an “opt-out” basis, whereas GDPR consent requires an “opt-in” from the individual. Also, the State Attorney General has the sole power to enforce the law and to impose civil fines of $2,500 per violation (or $7,500 for each intentional violation). With every person whose data is breached counting as a violation, the stakes are high for large organizations serving millions of California residents, and, unlike the GDPR, CCPA provides no caps on civil penalties.
While Californians will have greater privacy rights come January, the CCPA at present lacks clarity around methods of protection and around the concept of deidentification (making information no longer pertain to an individual consumer or household). Unlike GDPR, which lists the specific personally identifying data elements requiring protection, CCPA takes a broad-brush approach by requiring that any data that can directly or indirectly identify its subject must be protected. Further, the law states that “personal information” excludes “publicly available” information that is lawfully made available from federal, state or local government records; but how the courts will interpret “personal” vs. “public” information remains to be seen.
Ever since the Cambridge Analytica scandal in 2018, other U.S. states have jumped on the CCPA bandwagon with their own attempts at nuanced legislation, such as Maryland’s Online Consumer Protection Act or New York’s Right to Know Act, but California’s is the most comprehensive data privacy law that has been passed so far. Each state has a different mix of industries and corresponding priorities. California is the tech capital of the world, and its companies have created many of the technologies behind today’s privacy issues. California’s state legislature recognized this and decided to take a leadership position in protecting citizens’ privacy.
The CCPA is quite complex in terms of the various data policies that can be set. GDPR uses what’s called “codes of conduct” to provide businesses with guidance on the GDPR’s requirements, and to offer third-party oversight as a check on data handling practices.
Next Steps for Businesses Seeking Compliance
The patchwork of regulations makes compliance a challenging process for large, global or even national institutions: they must comply without adding undue complexity and without inhibiting growth and innovation.
My advice to businesses that want to stay on the right side of the law would be:
- Recognize that it’s about protecting the data itself. The data is always flowing, whether at rest (at the company collecting it), in use, or in motion (moving to a third-party data warehouse). Organizations need a security posture that protects the data itself, so that even if a breach occurs, the data is useless to bad actors.
- Identify and select an executive in the C-suite to drive data protection strategies throughout the organization. It must be a company-wide mandate across all silos to be effective.
- Empower that executive to set up policies and controls that are enforceable throughout the organization.
GDPR requires every organization that processes or stores personal data of EU citizens to appoint a DPO, a Data Protection Officer, who is responsible for overseeing the company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. This may not be a federal or state requirement in the U.S. just yet, but I believe it’s coming, and it would be a smart practice for organizations to get ahead of the game and appoint someone to fill that role.
For a long time, it may have seemed that consumers had virtually no power, and that businesses could do anything they wanted with individuals’ private information with nearly no repercussions; that time is rapidly expiring. With increased state regulation, it is clear that businesses must step up their security game by pseudonymizing their data, rendering it unidentifiable, so that when that data travels across state lines and organizational boundaries, the data is still protected, and so are the business and its reputation. Every business needs to adopt a data-first security posture, protecting the data down to every letter and number, or soon risk major penalties for harms caused by privacy or security failures.
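As an added illustration of the pseudonymization the article recommends (example code written for this page, not from the author or any specific product), the snippet below replaces the direct identifiers in a customer record with keyed tokens, so that a copy of the dataset that leaks or crosses an organizational boundary carries no usable identities unless the separately held key leaks with it. The field names, the sample record and the choice of HMAC-SHA256 are assumptions made for the example.

```python
# Added example, not from the original article: keyed pseudonymization of the
# direct identifiers in a customer record. Field names, the sample record and
# the HMAC-SHA256 construction are constructed for illustration.
import hmac
import hashlib
import secrets

# Fields that directly identify a person or household; everything else is kept.
DIRECT_IDENTIFIERS = ("email", "phone", "ssn", "street_address")


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Replace one identifier with a keyed, deterministic token.

    HMAC-SHA256 keyed with a secret held outside the dataset: the same input
    always yields the same token (records stay linkable for analytics), but
    without the key a token cannot be reversed or guessed from a list of
    plausible emails or phone numbers. The field name is mixed in so the same
    string in two different fields does not produce the same token.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with every direct identifier tokenized."""
    out = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS and value is not None:
            out[name] = pseudonymize_value(key, name, value)
        else:
            out[name] = value
    return out


def matches(key: bytes, field: str, candidate: str, token: str) -> bool:
    """Only the key holder can check whether a known identifier produced a token."""
    return hmac.compare_digest(pseudonymize_value(key, field, candidate), token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a KMS/HSM, never beside the data
    record = {"customer_id": 1042, "email": "Alice@Example.com",
              "phone": "415-555-0100", "state": "CA", "purchases": 7}
    safe = pseudonymize_record(key, record)
    print(safe)
    print(matches(key, "email", "alice@example.com", safe["email"]))
```

Because the key holder can still confirm a match, this is pseudonymization in the GDPR sense rather than full deidentification; whether such a dataset still counts as "personal information" under CCPA depends on who can reach the key, which is why it must live outside the data store.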