The introduction of the EU General Data Protection Regulation (GDPR) in May marked a turning point in the data privacy rights of consumers. There’s now speculation that this regulation will be the catalyst for tighter controls in other regions, granting citizens new rights and assigning organisations new responsibilities in data protection.
Take California, for example: its state legislature has passed a new digital privacy law granting consumers more control over, and insight into, the spread of their personal information online. This latest development could be a further indication that more comprehensive data privacy laws are about to become more common globally in the coming years. Once again, this illustrates how important it is that all businesses take their data protection responsibilities seriously.
The California Consumer Privacy Act (CCPA), which comes into effect on 1st January 2020, is considered to be the strongest, most stringent privacy protection measure in the US, according to legal experts. Whilst it is not as expansive as the GDPR, California residents will have the power to ask companies to share all the data that has been collected on them.
Commentators are now discussing how the CCPA compares to the GDPR, but its true impact won’t be known for some time. As with the GDPR, the CCPA defines personal information as anything “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, showing that the intent of both laws is the same. The differences, however, are worth noting.
Firstly, with the CCPA, not all businesses responsible for personal information will be affected. Those subject to the law must either have annual gross revenues in excess of $25 million, process the information of 50,000 or more consumers, or derive at least 50% of their annual revenues from the sale of personal information. A second distinction concerns the right of citizens to bring action against a business: under the CCPA, damages could be awarded to individuals in the event of a breach.
Predicting the future
California has one of the largest economies in the United States and the introduction of this act is likely to have a ripple effect, spreading out to other states. Other outcomes we can potentially expect are:
- Early consumer interest in new privacy rights: Strong public interest in the GDPR has led to reports of organisations being overwhelmed by data subject access requests from customers. Organisations that fall under the new California privacy act should prepare themselves for an immediate influx of requests once the law comes into effect. To meet this challenge, they must be able to search for a specific individual’s data across their entire environment.
- Increased board-level focus on data protection: A positive consequence of the GDPR, and the increased scrutiny on data protection, has been that security and privacy issues have moved to the top of the corporate agenda, resulting in more budget and resources allocated to cyber security.
- California as a catalyst for data privacy: At least five more states are looking to propose or pass data privacy laws by the end of 2018. With momentum for greater consumer rights gathering pace, it probably won’t be long before other regions follow suit. Given the size of the Californian market, it makes sense for all businesses to re-shape their policies in line with these requirements, so that they are well prepared if this does, indeed, set the precedent for more sweeping data protection laws in other jurisdictions.
- Higher fines for violations: Under the current laws, companies are liable for much less than they are under the GDPR. Many experts think the CCPA will continue to develop before it’s finalised, so it’s possible the fines for non-compliance will increase to give the legislation more impact.
The silver lining
The good news is that companies which have already prepared for the GDPR will have an advantage, as they will have processes and policies in place to identify the data covered under the new California law. Companies that previously didn’t fall under the GDPR but now face the CCPA can also learn a lot from those who have already gone through the compliance process.
Organisations need to be able to locate all the data they hold on a specific individual and to delete it if necessary. For many, this means hunting down information stored on-premises and in cloud storage – no mean feat, as data has a way of multiplying across the network as employees copy and reuse materials. In the run-up to this new legislation, companies should proactively remove or archive data that is no longer required and audit the information that is kept to ensure it is secured.
Eventually, these new data protection laws will impact any and all businesses regardless of their location, so it’s important to keep up to date on legislative developments, as the implications for routine data collection and privacy are expansive. Although the introduction of the CCPA is more than a year away, organisations can learn from their EU counterparts that it’s never too soon to start preparing: the road to compliance requires careful planning, co-operation and communication across different departments, and this effort should not be underestimated. It can also serve as an opportunity to overhaul out-of-date security policies and take a fresh look at how your organisation approaches data protection, which can only be good news for your employees, your customers and your stakeholders.
By Matt Lock, Director of Solutions Engineers, Varonis