In 2019, data privacy was a big topic of discussion for everyone from the regular Joe/Jane user to the Supreme Court and the European Union. Now that we have crossed over the bridge to 2020, data privacy in the U.S. is about to become just as important as data security.
Although some U.S. based businesses have been following the European Union’s (E.U.) General Data Protection Regulation (GDPR) since it was implemented and enforced for E.U. citizens on May 25th, 2018, many U.S. businesses have not. Now that U.S. data privacy laws have been updated to stay in line with GDPR data privacy standards, businesses need to stay informed about what is coming in order to steer clear of compliance fines. Let’s review some of the predictions for what is in store for U.S. data privacy laws to ensure that U.S. based businesses make the necessary changes to protect their users’ personal data.
The Push For U.S. Data Privacy Laws
In the wake of the E.U. passing GDPR in 2018, the U.S. has been determined to follow suit in developing its own comprehensive data privacy laws. These laws aim to have a big focus on strengthening protections for consumers and establishing a national data privacy framework to enable continued innovation and growth in the digital economy. The key takeaway from these prospective data privacy laws is that they are focused on making sure that American companies can continue to lead a globally competitive market in the future.
The national data privacy laws are slated to allow U.S. leadership to continue to excel in innovation without companies having to comply with a patchwork of separate data privacy laws for each state. Unfortunately, until national laws are enacted, a patchwork of state-specific data privacy laws will be what U.S. companies need to follow. Currently, all 50 states have their own data breach laws with clashing compliance obligations.
Privacy legislation has been met with bipartisan support on Capitol Hill. However, lawmakers and tech companies still battle over whether federal law should go beyond state laws, or override or weaken state requirements. It remains to be seen whether 2020 will be the year a federal data privacy law could reach the president’s desk; until then, U.S. companies need to stay compliant with their state’s data privacy laws.
The California Consumer Protection Act (CCPA)
First on the agenda of discussion is one of the first privacy laws passed after the GDPR, the California Consumer Protection Act (CCPA). CCPA went into effect in California on January 1st, 2020, acting as the blueprint for other bills in the US. In short, the CCPA applies to any business that collects and/or processes California residents’ personal data or does business in California. Businesses that are subject to CCPA compliance fall into any one of the following three categories:
- Gross revenues in excess of $25 million
- Buy, receive, sell, or share personal information of 50,000 or more consumers, households, or devices
- Gain 50% or more of annual revenue from selling consumers’ personal information
Businesses that fall within any of these categories are required to respond to verifiable consumer requests with the appropriate information. This includes, but is not limited to, any categories of data related to a consumer’s personal information, any third-party data that has been accumulated while the consumer was browsing the company’s website, and more. Users are also given the right to request access to their data and even delete their personal information if they choose.
The CCPA also requires that businesses display a “Do not sell my personal information” link on their homepage to provide consumers with more transparency into their data privacy. What’s more, businesses that are unable to comply with CCPA can be fined up to $7,500 for each individual violation by the U.S. Attorney General. This is why many companies are scrambling to get compliant with CCPA.
The Difference Between CCPA and GDPR
If you’re out looking for major discrepancies between CCPA and GDPR, you’re probably not going to find many. Although CCPA has been referred to as the “American GDPR” or sometimes “California’s GDPR,” the Californian legislation has a slightly different focus compared to its European counterpart.
While CCPA places greater focus on the commercial uses of data, GDPR focuses more on all forms of data processing. CCPA also functions on an “opt-out” basis, whereas GDPR consent requires an “opt-in” from the individual. Overall, the GDPR and CCPA have marked a new age of heightened data privacy awareness in the E.U. and U.S., holding businesses liable for shoddy data privacy practices and giving consumers control over how their personal information and data is used when they surf the web.
What GDPR does best is to prevent consumer data from getting into the wrong hands and ensure that it’s obtained through consent. Companies that operate under the GDPR umbrella of compliance must also respect the rights of individuals as data owners at all times. With GDPR and CCPA now in full effect, there has become an ever-growing need for businesses to safeguard and manage the sensitive consumer data that they collect and use.
Even though GDPR has made a considerable impact on the rest of the world, it should be noted that, less than one year since its introduction, an alarming number of businesses have yet to comply. Some have speculated that this could be foreshadowing for CCPA’s future, while others feel that CCPA will be able to stand alone as a superior solution that other countries will emulate in the future.
Compliance Isn’t Going to Get Easier
As more and more companies dedicate greater amounts of their IT budgets towards compliance, many wonder when the regulatory hurdles around data privacy are going to stop forming. The answer to this question is just as complex as GDPR and CCPA themselves, as the regulations are still in their infancy. This makes it crucial for businesses of all sizes to get their privacy safeguards into shape before the legal, financial and reputational risks of GDPR and CCPA become reality.
Businesses that are already GDPR-compliant will enjoy an advantage when meeting CCPA regulatory needs, but they still must apply themselves towards fulfilling the law’s unique requirements. Companies that have not yet undergone a digital transformation may find that some of their manual processes simply do not work in the CCPA structure. As these compliance roadblocks surrounding data privacy continue to crop up from GDPR and CCPA, many companies will likely feel the pressure to have a digital transformation and automate their processes to ensure compliance.
Data Privacy Laws in Other U.S. States
No matter which state you do business in, it’s important to be prepared to comply with upcoming data privacy laws. Although the main topic for discussion right now has been California’s CCPA data privacy laws, there are other U.S. states that have already enacted (or are slated to enact) similar data privacy laws. Here are some you should know about.
New York Privacy Act
The New York Privacy Act entered the state senate in May 2019 and, even though it was not approved in its first session, it may have another chance in 2020. If approved, this act would grant the strictest controls over personal data in the entire country.
This bill shares many similarities with CCPA in that the user can better understand who is holding their data and request that the entity either delete or correct their personal information. But, there are also many ways that New Yorkers get more control over their data privacy than their West Coast counterparts.
For one, the New York Privacy Act would give New Yorkers the right to sue companies directly over data privacy violations. In comparison, CCPA leaves data privacy enforcement to the state’s office, keeping private lawsuits out of the enforcement equation.
The New York Privacy Act also allows state citizens to pursue personal litigation against companies of any size for data privacy infractions. This goes well beyond CCPA, which only applies to businesses that gross more than $25 million annually. If this act is signed into law in 2020, we can certainly see that
Maine Broadband Data Privacy Law
Maine (LD 946) – Maine’s new Broadband Data Privacy Law, otherwise known as the Act to Protect the Privacy of Online Consumer Information, will take effect on July 1, 2020, prohibiting ISPs from using, selling, or distributing consumer data without their consent. This data privacy law has been hailed as providing the strictest consumer privacy protections in the nation, as it places some of the toughest burdens on regulated entities to protect the data of their consumers.
Once it takes effect, the act will require ISPs to provide customers a “clear, conspicuous and non-deceptive notice” of the ISP’s obligations and the customer’s rights. Notably, the Act only regulates Maine’s approximately 80 broadband internet service providers and applies only to ISPs serving customers that are physically located and billed for service received in the State. With this common-sense law, Maine people can access the internet with the knowledge and comfort that their personal information cannot be bought or sold by their ISPs without their express approval.
The law is unlike any in the nation as it requires an ISP to obtain consent from a consumer before sharing any data. Only California has a similar law on the books, but it requires consumers to “opt-out” by asking their ISP to protect their data. Maine’s Broadband Data Privacy Law, on the other hand, does not allow an ISP to offer a discounted rate to customers who agree to share or sell their data.
Nevada Senate Bill 220
On May 29, 2019, the Governor of Nevada signed Senate Bill 220 to improve internet privacy for consumers by prohibiting the sale of customers’ private data. The new law went into effect on October 1, 2019, and amends the state’s existing law to require websites and online services to post privacy notices to users regarding access to their information.
This data privacy bill may be the first ripple of a tsunami of state data privacy standards that could be enacted nationwide. Although CCPA and Nevada’s SB 220 may seem similar, Nevada’s bill differed from its West Coast neighbor’s in that it required organizations that run websites collecting and maintaining data to comply three months prior to CCPA.
Website operators under Nevada SB 220 are also required to respond to consumer requests to have their personal information destroyed or changed within 60 days of a request being submitted, and the law allows a business an additional 30 days (90 days total). In comparison, the CCPA gives businesses just 45 days to respond to requests but permits them to take an additional 90 days if needed.
The Evolution of U.S. Data Privacy Laws
To sustain compliance, digital businesses must be aware of all current state, federal and global data privacy laws as well as future regulation in the works. If you’re not aware of the scale and scope of the data privacy laws that are being developed in the U.S., your business could fall prey to compliance failure. This could mean a hefty fine that impacts your bottom line while also taking a big hit to your reputation.
Taking a proactive stance to maintain compliance with GDPR, CCPA and/or any other U.S. state’s data privacy law now will put you in control when it comes time to comply with further statutes and regulations. Even if you don’t think that any of these data privacy laws apply to your business today, it makes sense to apply their standards anyway.
At the end of the day, protecting your customers and clients is the name of the game. By protecting them, you will ultimately earn their trust and keep your business and brand reputation high while steering clear of compliance fines.