Gigya is now SAP Customer Data Cloud. Learn more
Forrester logo Download the report

Common Threads between GDPR and Other Emerging Data Privacy Laws

When it comes to optimizing consumer data privacy, there’s no rest for the weary business.

GDPR enforcement is just weeks old, but already there are new regional privacy regulations sending shockwaves throughout the business technology community. What are these regulations and what impact will they have on your operations? Let’s take a look.

Is GDPR Coming to California?

The California State Legislature passed Assembly Bill 375 as a measure to increase the rights of consumers for the collection and processing of their personal data by businesses.

In late June, the state of California passed the California Consumer Privacy Act of 2018 into law. This legislation applies to any company with at least $25 million in annual revenue or 50,000 customers in California — or any company that derives at least 50% of its revenue from selling data. It requires these businesses to:

  • Tell customers what data they are collecting about them
  • Show where they sold customers’ personal information (including third-parties)
  • Stop selling the data to third parties when customers request it
  • Delete all personal data on request

Under this new law, which is set to go into effect in 2020, Californians will have expanded rights to sue companies over data breaches. If the breach occurs because the company failed to follow reasonable security measures, consumers can seek damages up to $750 per person, per breach.

These expanded rights have limits. The law requires plaintiffs to show they had been economically harmed by the data breach. It also requires them to provide written notice to companies about their intentions and a 30-day timeframe for the companies to address the issue(s). If the company fixes the problem successfully, the lawsuit cannot proceed.

Any discussion of this law should include the context of its passage. State legislators passed the bill as a way to avoid having a similar proposal appear on the November ballot. Had the lawmakers not acted, the ballot measure would have passed and the language would have been nearly impossible to amend. Yet, since it passed through the state government, the law can be altered through a simple legislative majority.

For this reason, it’s highly likely this law will evolve from its current state. For now though, technology associations, lobbyists and lawmakers are all assessing the regulation’s impact before they decide to pursue changes.  

Is Another Data Protection Regulation Wave Coming to the EU?

The new EU ePrivacy affects a major update to the previously established ePrivacy Directive, broadening the scope of the communications, marketing activities and data attributes it applies to.

California isn’t the only region pursuing major changes to the data privacy landscape.

The EU is not resting on its laurels after beginning GDPR enforcement. Instead, they’re putting the finishing touches on an update to their ePrivacy Directive.

The update is planned to take effect later in 2018. While the final language is still being defined, the general intention of the new rules are well known: to strengthen the privacy rights of EU citizens concerning electronic communications.

Under the updated law, any type of communications, including emails and text messages, will require customer consent before being used. This means marketers will not be able to send emails or text messages without prior permission from each email or mobile account holder in the EU.

In addition, any firm that controls customers’ private electronic communications – from text messaging, to video chat apps, to IoT devices, to multiplayer video game providers and beyond – will be required to obtain explicit permission from customers for a specific, agreed-upon purpose before placing tracking codes on devices or collecting data about communications, including metadata. It also seeks to ensure that the customers’ communication experiences will be unaffected even if they don’t consent.

The Takeaways for Your Business

It’s still early in the game for both of these new regulations. The California law is expected to undergo massive changes between now and its 2020 implementation date. The ePrivacy regulation has hit a major snag as technology heavyweights and lobby groups have put up fierce resistance to its final passage.

But thanks to their common links with the GDPR, we can identify elements of a successful global consumer data privacy strategy for your business.

For starters, ensure every point of consent collection, whether its for terms of service, privacy policy updates or communication preferences, states your purpose for collecting the data. This will address requirements for the GDPR and the new ePrivacy rules. It will also enhance transparency in your interactions with customers, which will help strengthen the trust they have in your business.

Another foundation for your global consumer data privacy strategy: ensure you can respond to customer requests for the deletion of data with speed and accuracy. This will address the GDPR’s right to erasure as well as the California law’s deletion requirements. However, as we’ve explained before, addressing the right to erasure is a multi-step process that includes:

  • Understanding where all the personal data for a customer resides
  • Deleting all the necessary data effectively
  • Retaining relevant and searchable audit logs  so you can prove adequate responses to customer requests

Taken together, all three of the regulations demonstrate the need for a holistic approach to customer data management. By collecting, storing and managing all of your organization’s customer data in a single repository, your business will be better able to understand what data is being collected from customers, where it resides, and what to do if a customer or auditor requests records.

To learn more about the foundational elements of a best-in-class global consumer data privacy strategy, register for our upcoming webinar hosted by the International Association of Privacy Professionals.

By Natalie Monetta

Meet us at

Gartner IAM
Las Vegas

December 3-5, 2018

View Event >
Gartner Summits - Join us December 3-5, 2018 | Las Vegas, NV

Gigya has updated its Privacy Policy as Gigya, Inc. has been acquired by SAP America, Inc. and Gigya has updated the information regarding how we collect and use your Personal Data. You can see the updated Privacy Policy here.