Government Relations Newsletter: Vol 10 Iss 5 "Changes to Privacy Laws"
Review of Recent Changes to Privacy Laws
Written by: Jim Bibles, SVP Risk, Aperia Solutions
GDPR. CCPA. LGPD. You may (or may not) have heard of these or other data privacy regulation acronyms; each represents a significant shift in the way consumers’ personal information is being collected, stored, and processed around the world. These regulations are complicated and carry significant noncompliance penalties for you and your merchants; if your organization has not done so already, it should review its data privacy protocols immediately.
Why It’s Important
Consumer data privacy regulations are almost universally based on where the consumer is located. This means that organizations located in Texas may be subject to regulations enacted to protect the data privacy rights of California consumers. Today, organizations of all types collect a lot of data: consumer names, email addresses, and phone numbers, in addition to web-based information such as the consumer’s IP address when they visit your website. All of this information can be in scope for purposes of data privacy regulation, and every time you collect, process, or store consumer personal information you must ensure you act in compliance with the relevant data privacy regulation(s).
What Do Privacy Regulations Do?
Though each is different and filled with nuanced detail, data privacy regulations generally share a handful of central tenets, including:
- Consent: giving consumers a choice about whether an organization may collect their data. Each regulation establishes whether its jurisdiction is “opt-in” or “opt-out”; the former requires an organization to obtain consent before collecting, storing, or processing a consumer’s information, while the latter assumes the consumer has consented but requires the organization to provide a mechanism for the consumer to revoke that consent at any time.
- Access: depending on the jurisdiction, regulations provide certain rights for consumers to know, obtain, restrict, or delete the information that an organization has collected about them. Consumers can make access requests that require an organization to respond in a specific period of time, which varies by jurisdiction.
Why Are Organizations On Edge About Data Privacy Laws?
Organizations around the world have spent billions of dollars trying to get compliant with various regulations, but continue to face three primary challenges:
- Change: the regulatory environment changes very frequently. California, for example, is introducing its second privacy regulation in as many years, after significantly modifying its first regulation three times after enactment. Dozens of US states, and various countries around the world, have implemented or are in the process of enacting data privacy regulations, each with its own nuances.
- Scalability: data privacy regulation enforcement is similar to sales tax; what matters is where the consumer is located. Generally, when a Texas company sells a product to a California customer, it must collect and remit California sales tax on that transaction. Similarly, if a Texas company collects the personal information of a California resident, it should do so in compliance with California’s data privacy regulation. The more regulations come into effect, the more challenging it will be to maintain compliance.
- Cost: challenges and complexity lead companies to another “c” word: cost. The expense of continual compliance is significant; the only thing more expensive may be the potential penalties for noncompliance.
How are Data Privacy Regulations Being Enforced?
State and federal governments are putting teeth into these regulations by levying significant fines and enabling private citizens to sue companies for violations. While the initial foray was limited to the EU hitting tech companies such as Facebook, Google, Amazon and Twitter with GDPR fines, we are now seeing California enter the arena, as exhibited by the recent $1.2 million enforcement action against Sephora for violating the California Consumer Privacy Act (CCPA).
The fines and penalties appear to be just getting started. California recently announced a $20 million investment in a data privacy task force whose mission is to enforce data privacy regulations. Fines in California (CCPA, Cal. Civ. Code 1798.155) can reach $7,500 per violation, with each compromised consumer record being a potential violation. That means 100 compromised consumer records could result in a $750,000 fine. Even more challenging, plaintiff’s attorneys are filing class-action lawsuits against companies based on allegations of noncompliance, so organizations face not only the risk of regulatory fines but also the cost of defending themselves in court. Organizations of all shapes and sizes should be aware of their compliance obligations.
How Can My Organization Become Compliant?
While every organization will have different requirements to achieve compliance, we’re listing the following best practices that can help as you chart your course:
- Understand your data. It’s important to know what data you’re collecting, how you’re collecting it, and whether it’s actually needed for your business operations, and to stop collecting what isn’t; this practice is called “data minimization”.
- Leverage third-party technologies. Rather than build your own privacy framework from scratch, it may be helpful for you to leverage out-of-the-box data privacy platforms that can assist you in building a scalable, audit-ready solution.
- Prepare for the future. Unfortunately, there is no “one-size-fits-all” approach to data privacy compliance. Laws across the country and the globe are being implemented and updated regularly, and it’s hard to keep up. As internal and external change occurs, businesses need to update their privacy and security programs accordingly.