When it comes to optimizing consumer data privacy, there’s no rest for the weary business.
GDPR enforcement is just weeks old, but new regional privacy regulations are already sending shockwaves through the business technology community. What are these regulations, and what impact will they have on your operations? Let's take a look.
Is GDPR Coming to California?
In late June, the state of California passed the California Consumer Privacy Act of 2018 into law. The legislation applies to any for-profit business operating in California that has at least $25 million in annual revenue, that handles the personal information of at least 50,000 consumers, households or devices, or that derives at least 50% of its annual revenue from selling personal information. It requires these businesses to:
- Tell consumers what categories of personal data they collect about them
- Disclose to whom they sold or shared consumers' personal information, including third parties
- Stop selling the data to third parties when consumers opt out
- Delete personal data on request, subject to the law's exceptions
Under this new law, which is set to go into effect in 2020, Californians will have expanded rights to sue companies over data breaches. If unencrypted or unredacted personal information is exposed because the company failed to implement and maintain reasonable security measures, consumers can seek statutory damages of up to $750 per consumer, per incident. The encryption qualifier matters in practice: personal data that is encrypted at rest with properly managed keys falls outside this private right of action.
These expanded rights have limits. The law requires plaintiffs to show they had been economically harmed by the data breach. It also requires them to provide written notice to companies about their intentions and a 30-day timeframe for the companies to address the issue(s). If the company fixes the problem successfully, the lawsuit cannot proceed.
Any discussion of this law should include the context of its passage. State legislators passed the bill to keep a similar proposal off the November ballot. Had lawmakers not acted, the ballot measure was widely expected to pass, and language enacted by ballot initiative would have been nearly impossible to amend. Because the law instead went through the legislature, it can be altered by a simple legislative majority.
For this reason, it's highly likely this law will evolve from its current state. For now, though, technology associations, lobbyists and lawmakers are all assessing the regulation's impact before deciding whether to pursue changes.
Is Another Data Protection Regulation Wave Coming to the EU?
California isn’t the only region pursuing major changes to the data privacy landscape.
The EU is not resting on its laurels after beginning GDPR enforcement. Instead, it is putting the finishing touches on the ePrivacy Regulation, which will replace the existing ePrivacy Directive.
The update was originally planned to take effect later in 2018. While the final language is still being defined, the general intention of the new rules is well known: to strengthen the privacy rights of EU citizens concerning electronic communications.
Under the updated law, direct marketing through any electronic communications channel, including email and text messages, will require prior consent from the recipient. This means marketers will not be able to send emails or text messages without permission from each email or mobile account holder in the EU.
In addition, any firm that controls customers' private electronic communications, from text messaging, to video chat apps, to IoT devices, to multiplayer video game providers and beyond, will be required to obtain explicit permission from customers for a specific, agreed-upon purpose before placing tracking code on devices or collecting data about communications, including metadata. The rules also seek to ensure that customers' communication experiences are unaffected if they decline to consent.
The Takeaways for Your Business
It's still early in the game for both of these new regulations. The California law is expected to undergo substantial changes between now and its 2020 implementation date. The ePrivacy Regulation has hit a major snag as technology heavyweights and lobby groups have put up fierce resistance to its final passage.
But thanks to the elements they share with the GDPR, we can identify the foundations of a global consumer data privacy strategy for your business.
One foundation for your global consumer data privacy strategy: ensure you can respond to customer requests for the deletion of data with speed and accuracy. This addresses the GDPR's right to erasure as well as the California law's deletion requirements. However, as we've explained before, addressing the right to erasure is a multi-step process that includes:
- Understanding where all the personal data for a customer resides
- Deleting all the necessary data effectively
- Retaining relevant and searchable audit logs so you can prove adequate responses to customer requests
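The three steps above map directly onto code. The following is an added example, not code from the original article or from any product it describes: a minimal erasure workflow that locates a customer across every store in a data map, deletes from each one, and writes every action to an append-only audit log whose entries are hash-chained so that a later edit or deletion of a log entry is detectable. The store names, the in-memory records and the `DataStore` interface are constructed stand-ins for illustration; the sample run deliberately includes one unavailable store to show that a partial erasure must be reported as partial rather than complete.

```python
"""Added example (not from the original article): a minimal right-to-erasure
workflow - locate a customer's personal data across every store in a data map,
delete it, and keep a tamper-evident, searchable audit log of what was done.

The store names, records and the DataStore interface below are constructed
stand-ins for illustration, not any real system's API.
"""
import hashlib
import json
from datetime import datetime, timezone


class DataStore:
    """Stand-in for one system that holds personal data (CRM, billing, analytics...)."""

    def __init__(self, name, records, fail=False):
        self.name = name
        self.records = records          # {customer_id: {field: value}}
        self.fail = fail                # simulate an outage so failures surface

    def find(self, customer_id):
        return customer_id in self.records

    def delete(self, customer_id):
        if self.fail:
            raise RuntimeError(f"{self.name}: store unavailable")
        self.records.pop(customer_id, None)


class AuditLog:
    """Append-only log; each entry carries the SHA-256 of the previous entry,
    so rewriting or removing an earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(event, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(dict(body, hash=digest))

    def verify(self):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def search(self, customer_id):
        """Searchable: pull every entry for one customer to answer an auditor."""
        return [e for e in self.entries if e.get("customer_id") == customer_id]


def erase_customer(customer_id, stores, log):
    """Locate, delete, record. Never reports 'complete' while any store failed;
    a silent partial erasure is exactly what a regulator would hold against you."""
    located = [s.name for s in stores if s.find(customer_id)]
    log.append({"event": "erasure_requested", "customer_id": customer_id,
                "located_in": located})
    deleted, failed = [], []
    for s in stores:
        if s.name not in located:
            continue
        try:
            s.delete(customer_id)
            deleted.append(s.name)
        except Exception as exc:            # keep going; report, don't hide
            failed.append({"store": s.name, "error": str(exc)})
    status = "complete" if not failed else "partial"
    log.append({"event": "erasure_result", "customer_id": customer_id,
                "status": status, "deleted_from": deleted, "failed": failed})
    return {"status": status, "located_in": located,
            "deleted_from": deleted, "failed": failed}


def demo():
    """Constructed sample data: customer c-42 lives in three stores; the analytics
    store is down, so the run must come back 'partial', not 'complete'."""
    stores = [
        DataStore("crm", {"c-42": {"email": "a@example.com"}, "c-7": {"email": "b@example.com"}}),
        DataStore("billing", {"c-42": {"card_last4": "1234"}}),
        DataStore("analytics", {"c-42": {"device_id": "dev-9"}}, fail=True),
        DataStore("support", {"c-7": {"ticket": "open"}}),
    ]
    log = AuditLog()
    result = erase_customer("c-42", stores, log)
    return result, log, stores


if __name__ == "__main__":
    result, log, _ = demo()
    print(json.dumps(result, indent=2))
    print("audit chain intact:", log.verify())
```

The design choice worth noting is the `partial` status: the request is retried or escalated rather than closed, and the audit log records both the stores where data was found and the store that failed, which is what you will need to show if the response is ever questioned.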
Taken together, all three regulations (GDPR, the California law and the ePrivacy Regulation) demonstrate the need for a holistic approach to customer data management. By collecting, storing and managing all of your organization's customer data in a single, well-inventoried repository, your business will be better able to understand what data is being collected from customers, where it resides, and what to do when a customer or auditor requests records.
To learn more about the foundational elements of a best-in-class global consumer data privacy strategy, register for our upcoming webinar hosted by the International Association of Privacy Professionals.
By Natalie Monetta