Compliance is Coming for US... Businesses
Since the advent of the internet, the storage and use of private data has been as cavalier as the Wild West. Businesses have been free to collect any data they can get their hands on, build massive customer databases, and then manipulate or even sell the information for their benefit.Private individuals, on the other hand, never really knew what information businesses had on them or what was done with it once it was collected. People often are creeped out by how similar their social media ads have been to their recent internet searches or even frustrated by spam emails from random companies that got ahold of their contact info. In the past nothing could be done about this - that is all about to change.
Rampant cases of data misuse and severely lacking security protocols from companies like Google and Facebook have brought data privacy and security into the spot light and this genie refuses to be put back in the bottle. It is no longer a question of whether or not new privacy laws will be passed but rather a question of when, and US companies need to be prepared.
GDPR Sets the Bar, CCPA Leads the Way
Back in 2016 the European Union passed the General Data Protection Regulation and it went into effect on May 25th of 2018. The law applies to any business that markets goods or services to EU residents and accomplishes two things. First, it grants individuals rights over their data, and second, it regulates how businesses can store and process data, and establishes better standards for protecting that data. Of course, like any good law, there are hefty fines in place for violators. The law is significant because it is really the first law to give data ownership back to the individual and places a much greater responsibility on companies that wish to use their data.
This is all well and good, but, if this is a European law, why should American businesses be concerned?
Read that last paragraph again and see if you can catch it. ALL businesses servicing European residents must be in compliance. This means any US-based company that wants to do business overseas better have done their GDPR homework to ensure that they are not violating any of these regulations.
Now you might be thinking: I don’t operate in Europe so I am safe! WRONG.
If you thought America would sit back and let Europe shape the future of privacy and compliance you are sorely mistaken. America, after all, is no stranger to compliance laws like the GDPR, and we have been dealing with them for years. Heath care providers and financial institutions operating under HIPAA and the Gramm-Leach-Bliley Act should recognize many similarities between the requirements of GRPD and their respective laws. With the jumbled patchwork of laws already in place, the challenge in the US has always been, how do we create one unifying law of the land? Well, the GDPR gave us the rubric and California, as they typically do, took the lead and passed the California Consumer Privacy Act.
The CCPA is essentially California’s take on the GDPR and will go in to full effect January 1, 2020. Like its European counterpart, the law’s first priority is to give data ownership back to the people. Under the CCPA, California residents will be able to control what personal information can be collected and what businesses are allowed to do with this information once they have it. Like in the GDPR, the next priority in California was to create specific standards a company has to meet in regards to properly securing and handling this data and then communicate these standards to the organizations that store and process data. The CCPA is the first law of its kind in the US but this law didn’t just get the ball rolling across the country, it shot the ball out of a cannon.
Since the CCPA passed, tech giants like Google, Amazon, and Apple have been screaming for legislators to produce a federal digital privacy law that encompasses the entire country.  Some companies, like Intel, have even gone as far as writing the legislation for them: Intel's US Privacy Bill.
Now why would they want to pass a law that places massive regulations on their companies?? Sadly, it’s not out of the goodness of their heart, but simply because they feel that a federal law will be less restrictive. The CCPA has been criticized for being anti-business, and these companies would love to see a more industry-friendly federal law passed before the CCPA goes into full effect in 2020. The race is on and we will have to wait to see who gets there first.
The dominoes have already begun to fall - Europe set the stage, California took the baton lighting a fire under the tech giants, and now that big businesses have the baton they are ready to run – FAST.
Putting on Your Privacy Pants
So, you’re convinced privacy compliance is really happening, but what exactly does that mean for your business? We don’t know exactly what a federal US privacy law might look like, but if Europe and California’s laws are an indicator, we can reasonable expect to see:
1. Individual Rights:
Right to Access – Individuals will be able to ask organizations what info they have on them, how it is being used, and, who has access to it.
Right to Erasure – Commonly referred to as the “Right to be Forgotten” gives the individual the power to have all data on them deleted from company record and the company must comply within a given time frame.
Right to Restriction of Processing – Similar to the right of erasure but instead of deleting, the individual can tell the company what specific processes they may use their data for.
Repercussions - These individual rights put much more pressure on businesses to only use data for their stated intended purpose because now anyone can choose to pull the plug at the first sign of misuse.
2. Corporate Regulations:
Risk Assessment – To be fully compliant, companies will be required to run a full risk assessment to identify potential threats and vulnerabilities and the likelihood of them occurring. Plans and policies must then be built to prevent these things from happening. This assessment must then be reviewed on a regular basis and updated to fill gaps as they occur.
Compliance Officer or Controller – CCPA, GDPR, and current industry compliance laws all require a business to assign someone as the compliance officer. This person is tasked with implementing the risk assessment and will be responsible for training the staff and ensuring that the policies are followed.
Security and Safeguards – Companies will be required to meet a certain set of security minimums. This could include anything from technical safeguards like data encryption and storage backups, to physical safeguards like security cameras and locks for server rooms. For a more in-depth look, check out the various safeguards required under HIPAA.
Notification – In the event of a data breach or any situation where individual data is compromised, the company is obligated to notify the affected party. The company must do this as quickly as possible, and, depending on the size of the breach, they may also have to notify the FTC or another governing body. Transparency is key when dealing with a client’s personal data.
Repercussions - BUDGET FOR THE FUTURE! These regulations ARE coming, and companies must start thinking about what they must do to be compliant. Most companies have never run a true risk assessment on themselves and they might have to invest significant funds in technology to meet the standards of the various security requirements. Fortune 500 firms already affected by GDPR set aside an average of $1,000,000 for technology and that figure doesn’t factor in what they have budgeted for legal counsel or the new compliance officer position .
Privacy and data security is going global and you will have to either play ball or hang out with these guys:Do you want to be the company playing catchup or the company that cares about their client’s privacy and leads the way in data security? I know understanding the CCPA and GDPR can be daunting and the compliance process can be painstaking, but you can either go through the process on your terms or be forced into compliance with the threat of fines and a looming deadline. The choice is yours.