Companies shouldn’t have to be forced into privacy compliance. They should want to opt in of their own accord. Complying is a matter of integrity, and it shows ethical responsibility.
In this article, we’ll look at the spread of privacy legislation and how businesses can adapt to increasing privacy requirements.
California Consumer Privacy Act (CCPA)
The CCPA is similar to the EU’s GDPR, which took effect in the spring of 2018. As you might have guessed, CCPA is specific to California: it protects residents of the state. However, since virtually everyone in the U.S. and the world does business with California, everyone's business will need to comply with CCPA. Businesses that do not comply with CCPA can be sued by individuals for $750 per incident. CCPA doesn’t go live until 2020.
One consideration for businesses is to ensure that not only your own business but also any vendors and partners are compliant. For businesses that store personal data on their own servers, the task of compliance will be far more involved. Hiring a consultant is certainly worth contemplating.
As CCPA pertains only to California residents, creating one system just for CCPA and another for everyone else is an option, although an expensive one. More states have privacy acts in the works, and going down the road of creating a separate system for each state is impractical. It is likely that most privacy regulations will share common ground, as is the case with CCPA and GDPR. This common ground will help to ease the technological and cost burdens on businesses.
California is the first U.S. state to implement a privacy act. However, other states are taking steps and following California’s lead, including Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico.
General Data Protection Regulation (GDPR)
GDPR was the first major privacy legislation implemented for any nation or region. GDPR is the European Union’s consumer privacy legislation. It gives EU residents more control over their data. Businesses must inform EU residents of any list those residents are subscribed to and how their data is or will be used. Businesses must ensure that user data is used as stated on the business’s website.
GDPR fines for non-compliance can total 4% of a business’s annual turnover. Cambridge Analytica was fined only €500,000, because the Facebook-Analytica data scandal occurred before GDPR was implemented. Google was not so lucky. It was sued for €50 million by a French firm for not being transparent about how advertising data was being used. That case became the first major GDPR fine of 2019.
GDPR and now CCPA have shown other countries that privacy legislation isn’t just a gimmick. Japan, Brazil, South Korea, and India all have privacy legislation in the works.
Differences Between GDPR and CCPA
CCPA took a few cues from GDPR, but there are some differences between the two. CCPA is more detailed about the use of PII (personally identifiable information), especially when it comes to biometrics.
Under CCPA, essentially anything that touches consumer data must be disclosed to consumers.
CCPA also forces companies to open up their internal infrastructure more than GDPR does. This part of most companies’ operations has traditionally been private.
Developing A Privacy Program
Creating a privacy program is time-consuming and will require the input of executives and managers. Storing data on company servers isn’t a bad thing, but it requires more resources to manage than using third parties (e.g., cloud-based services) and can be more of a liability. Every third party that handles any customer data must be identified, and each should have a privacy policy that is at least as compliant as the company’s own.
A public-facing privacy policy needs to be created as well. To be compliant with GDPR and now CCPA, disclosing all parties involved with customer data and how it is handled is a good place to start with any new privacy policy. The current trend in privacy acts and legislation is full transparency about consumer data. This includes disclosing the names of involved third parties, allowing consumers to control the use of their data, and even letting them delete or opt out (including opting out of any related third parties).
Such functionality requires a technical implementation that can automatically remove consumer data from your servers and from third-party servers. If you don’t have the expertise to put together this type of system, a consultant can help with developing a roadmap and the implementation.
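As an added illustration (not code from the article), the following sketches a minimal deletion-request orchestrator of the kind described above: it removes the consumer's record from the first-party store, fans the request out to every disclosed third party, and reports which processors confirmed. The store and the vendor connectors are constructed stand-ins; the point it makes is that a deletion is not complete until every disclosed processor has confirmed, so failures must be recorded for follow-up rather than silently dropped.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

class ThirdParty:
    """Stand-in for a disclosed processor's deletion API; `unreachable` simulates a failing vendor."""
    def __init__(self, name, unreachable=False):
        self.name, self.unreachable, self.records = name, unreachable, set()

    def delete_consumer(self, consumer_id):
        if self.unreachable:
            raise ConnectionError(f"{self.name}: deletion endpoint unreachable")
        self.records.discard(consumer_id)          # idempotent: unknown ids are fine

@dataclass
class DeletionReport:
    consumer_id: str
    requested_at: str
    first_party_deleted: bool
    third_party_results: dict                      # processor name -> "deleted" | "failed: ..."

    def complete(self):
        """True only when the first party AND every disclosed processor confirmed."""
        return self.first_party_deleted and all(
            r == "deleted" for r in self.third_party_results.values())

    def pending(self):
        """Processors that may still hold the data and need a retry or manual follow-up."""
        return sorted(n for n, r in self.third_party_results.items() if r != "deleted")

class PrivacyOrchestrator:
    def __init__(self, first_party_db, third_parties):
        self.db = first_party_db                   # consumer_id -> record (constructed store)
        self.third_parties = list(third_parties)

    def disclosed_third_parties(self):
        """Names that belong in the public privacy policy: one per registered processor."""
        return sorted(tp.name for tp in self.third_parties)

    def handle_deletion_request(self, consumer_id):
        requested_at = datetime.now(timezone.utc).isoformat()
        self.db.pop(consumer_id, None)             # first-party copy goes first
        results = {}
        for tp in self.third_parties:              # then fan out to every disclosed processor
            try:
                tp.delete_consumer(consumer_id)
                results[tp.name] = "deleted"
            except Exception as exc:               # never let one vendor abort the rest
                results[tp.name] = f"failed: {exc}"
        return DeletionReport(consumer_id, requested_at, consumer_id not in self.db, results)
```

In a real deployment the report would be persisted as the audit record for the request and the `pending()` list would drive retries until it is empty.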
Build Customer/Consumer Trust
Adhering to GDPR and CCPA is the minimum required bar for compliance and for building consumer trust. Going further with transparency will continue to build trust. If you keep in mind that consumers want to know everything that is happening to their data, you likely can’t go wrong by disclosing that information and consistently disclosing any related changes to your privacy policy.