As we head into 2020, the debate over what tech giants do with private consumer information has reached an all-time high. As a result, new laws will fundamentally change how all companies handle customer data.
Much of the legislative movement has come in the wake of Facebook’s Cambridge Analytica scandal wherein the social network allowed a third-party application to scrape and then hand over the data of up to 50 million platform users to the political consulting firm, to help create highly detailed profiles used to micro-target population segments with 2016 election messaging. Outrage over the situation sparked bipartisan efforts across the country to address consumer privacy, including bills in several states and on the federal level aimed at privacy protections.
One of these bills has already been signed into law in California, and in 2020 it will fundamentally change how businesses must handle private data. New York also has new data protection rules with the SHIELD Act and its state legislature is reviewing even more stringent privacy legislation. So, to help you get ahead of the compliance curve, here is a short list of what to know about these and other efforts that are brewing on the privacy front.
California Consumer Privacy Act (CCPA)
The CCPA is a California law going into effect Jan. 1, 2020, that will require any business with $25 million annual gross revenue that has customers residing in the state to disclose exactly how the company uses the consumer data it collects and who it shares it with. This includes transparency on companies’ use of ad tech and targeting to deliver online advertisements.
That means no more vague privacy policies with loophole language.
The law also adds a slew of requirements that closely track to the General Data Protection Regulation in the E.U., which is considered the most stringent privacy regulation in effect anywhere today. Like the GDPR, the CCPA will require businesses to give consumers a way to opt out of any data-collecting activities or any sale of their information. Residents also will have the rights:
- to request a report of exactly what information a company has collected about them to date
- to correct any wrong information
- to have all of their information deleted altogether
Furthermore, regulations recently proposed by the state’s attorney general are yet to be finalized, so this may not be the extent of the privacy controls going into effect in California.
CCPA will necessitate a major technical overhaul, not least because companies will need to create a secure portal or other mechanism to facilitate and fulfill the requirements of the act. But it’s also an uphill compliance-management problem. As such, companies that fall within the scope of the CCPA will have to decide whether to extend California’s privacy protections nationally or deal with the challenge of managing a patchwork of privacy practices tailored to state-level variations.
Microsoft, for instance, is opting for the former, which it is using as a branding opportunity. In a blog post about the law, Julie Brill, Microsoft’s chief privacy officer, praised the law and the “robust control” it gives people over their data.
“We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents,” she wrote in the blog post. “Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.”
SHIELD Act and New York Privacy Act
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act takes effect in March 2020. It does two things:
- Expands the definition of “data breach” to include biometric information
- Enacts stronger consumer cybersecurity requirements for private data
To the latter point, it requires that businesses:
- train employees about security program practices and procedures
- implement comprehensive risk assessment across network and software design, information processing, transmission and storage
- detect, prevent and respond to intrusions and unauthorized access
- dispose of private information within a reasonable amount of time after it is no longer needed for business purposes
The New York Privacy Act (NY SB 5642), meanwhile, is pending before the state legislature. This is similar to California’s law, offering all of the same GDPR-like consumer privacy protections. However, if enacted, it will apply to companies of any size, even a small home business. And the Empire State is upping the ante on the enforcement front, giving New Yorkers the right to sue companies directly. (After backlash from industry groups, California dropped this aspect of its legislation and made the state’s attorney general the enforcer, with the power to levy financial penalties as he/she sees fit, tailored to the severity of the violation.)
The New York Privacy Act also would create a special account to fund a new Office of Privacy and Data Protection, which would have the power to recommend penalties to be levied by the state.
Existing State Laws
While the laws aren’t brand-new, Maine, Nevada and Vermont all have privacy legislation on the books already that’s worth noting.
- Maine’s Privacy of Online Consumer Information law went into effect July 1, 2019. It prevents the use, sale or distribution of a customer’s personal information by online companies without the express consent of the customer. The legislation also prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access of their personal information.
- Nevada’s consumer privacy law went into effect in October 2019 and allows consumers to demand that companies that collect their personal information not sell or share it.
- And Vermont’s data privacy law, which went into effect in 2018, requires that companies disclose whether consumers may opt out of data collection, retention or sale of data, and if so, how. It also requires comprehensive data security programs; prohibits data brokers from collecting personal information by fraudulent means, or for the purpose of harassment or discrimination; and bars credit agencies from charging consumers fees for credit freeze protection.
These are definitely not the last strong privacy laws that we’ll see impacting businesses in 2020. Privacy concerns continue to grow as various tech giants land in hot water for misusing their customers’ data. The ripple effect of this comes in the form of building momentum for strong, GDPR-style safeguards on data protections and consumer consent for businesses in every segment and of every size.
Achieving compliance in this shifting landscape requires businesses to streamline the process of incorporating new laws into their practices and ensuring those practices meet the legal standards. Comprehensive data mapping and ongoing management and governance will underpin these efforts – and if that sounds complicated, it’s because it is.
Getting ahead of the curve now, before 2020 gets underway in earnest, will help you have a happy new year – not a penalty-filled one.