Data Regulation a Work in Progress
In the US, data regulation is still a work in progress. Since 2018, several states have introduced or passed legislation that mirrors some of the protections provided by the GDPR. A few of these laws, in particular California's and to a lesser extent Vermont's, aim to offer broader protection to consumers and go well beyond data breach notification rules. Much like the GDPR, the comprehensive California Consumer Privacy Act (CCPA) gives consumers a host of new rights over their data. As of January 1, 2020, California residents will have the right to:
- Know what personal data is being collected about them
- Know whether their personal data is sold or disclosed, and to whom
- Say "No" to the sale of their personal data
- Access their personal data
- Request that a business delete their personal information
- Not be discriminated against for exercising these rights
Another difference from the existing privacy laws of most states is that the CCPA applies to all for-profit businesses (and entities that control or are controlled by such businesses), regardless of their location, that do business in California and/or hold personal information on California residents. A business must comply with the CCPA if it meets ANY of the following thresholds:
- Annual gross revenue in excess of $25 million
- Buys, receives, sells or shares the personal data of 50,000 or more consumers, households or devices per year
- Derives 50% or more of its annual revenue from selling consumers' personal data
An estimated 500,000 US companies meet one or more of these requirements and thus will have to comply.
Monumental Shift in US Data Privacy Regulation
In the coming months, all eyes will no doubt be on California. Not only are many of the top tech companies, including Apple and Alphabet (Google), based in Silicon Valley; with a GDP of roughly $3 trillion (2018), the state is also the crown jewel of the US economy, larger than countries such as India and the UK. As of January 2020, California will also have the strictest privacy law in the US, comparable to the GDPR but different in some respects. Much like the GDPR, the CCPA treats "online identifiers" such as IP addresses and device IDs as personal information. A key difference is that the CCPA also covers information that can be linked to a "household" rather than to one individual in it. Perhaps surprisingly, it distinguishes between personal information collected directly from the consumer and personal information purchased or otherwise acquired from third parties: the deletion right, for instance, applies only to information the business collected from the consumer, whereas the right to opt out of the sale of personal information applies regardless of where the data came from.
CCPA Compliance Poses Significant Challenges
For most businesses, these privacy regulations require significant changes to technology and processes. They need to understand which rules apply to them and work out how best to manage their data. Unsurprisingly, the new California privacy law presents compliance challenges for organizations of all sizes, whether in the sale of personal information, data subject access rights, data security and security compliance, or privacy policy requirements. Unfortunately, most companies seem to lack a clear road map.

Privacy technology firm Ethyca recently conducted a study of how businesses are approaching privacy and compliance. Just 12% of respondents believe they have achieved an adequate state of compliance or compliance readiness, meaning 88% are "not ready". More than 70% have no engineering solution and rely on man-hours and retrofitted processes. Basic data mapping is still the greatest concern for early-stage companies, and start-ups are the least likely to have formalized data privacy resources and processes.

As the Facebook-Cambridge Analytica scandal showed, fines add up quickly. Under the CCPA, the Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. Separately, consumers whose personal information is exposed in a breach caused by a business's failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.