Businesses can no longer ignore the ethical and technical requirements of consumer privacy. With new privacy legislation and acts coming out of U.S. states and countries, non-compliance is a recipe for stiff fines and even public vilification.
Companies shouldn’t have to be forced into privacy compliance; they should opt in of their own accord. Complying is a matter of integrity, and it shows ethical responsibility.
In this article, we’ll look at the spread of privacy legislation and how businesses can adapt to increasing privacy requirements.
California Consumer Privacy Act (CCPA)
The CCPA is California’s counterpart to the EU’s GDPR, which took effect in May 2018. As the name suggests, it protects residents of California. It is not limited to California companies, though: any for-profit business that does business in the state and meets one of its thresholds (annual gross revenue above $25 million; personal information of 50,000 or more consumers, households or devices per year; or 50% or more of revenue from selling personal information) must comply, wherever it is based. CCPA also gives consumers a private right of action: when a data breach results from a business’s failure to implement reasonable security, consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. CCPA does not take effect until January 1, 2020.
One consideration for businesses is to ensure that not only their own systems but also those of their vendors and partners are compliant, since a service provider holding a copy of the data is still the business’s responsibility. For businesses that store personal data on their own servers, the task of compliance will be far more involved. Hiring a consultant is certainly worth contemplating.
As CCPA applies only to California residents, building one system for CCPA and another for everyone else is an option, although an expensive one. More states have privacy acts in the works, and building a separate system for each state is impractical. Most privacy regulations are likely to share common ground, as CCPA and GDPR do, and building to that common ground helps ease the technical and cost burdens on businesses.
California is the first U.S. state to pass a comprehensive consumer privacy act. Other states are following its lead with bills of their own, including Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico.
General Data Protection Regulation (GDPR)
GDPR is the European Union’s data protection regulation and, when it took effect, the most far-reaching privacy legislation enacted for any nation or region. It gives EU residents (data subjects) more control over their personal data. Businesses must tell data subjects what personal data they hold about them, for what purposes it is used, and with whom it is shared, and they must process that data only for the purposes stated in their privacy notice.
GDPR fines for non-compliance can reach €20 million or 4% of a business’ worldwide annual turnover, whichever is higher. Facebook was fined only £500,000 by the UK Information Commissioner’s Office over the Cambridge Analytica scandal, the maximum available under the pre-GDPR Data Protection Act 1998, because the conduct predated GDPR. Google was not so lucky. In January 2019 it was fined €50 million by CNIL, the French data protection authority, for failing to be transparent about how personal data was used for personalised advertising and for not obtaining valid consent. That was the first major GDPR fine of 2019.
GDPR and now CCPA have shown other countries that privacy legislation isn’t just a gimmick. Brazil enacted its LGPD in 2018, and Japan, South Korea, and India have all passed or are drafting privacy laws of their own.
Differences Between GDPR and CCPA
CCPA took a few cues from GDPR, but there are differences between the two. CCPA is more detailed about what counts as personal information (PII, personally identifiable information), including biometric data, and about how its use must be disclosed.
Under CCPA, essentially anything that touches consumer data must be disclosed to consumers: the categories of personal information collected, the purposes for collecting it, and the categories of third parties it is sold to or shared with.
CCPA also forces companies to disclose more about their internal data flows than GDPR does, in particular which personal information they sell or share and with whom. That part of most companies’ operations has always been private.
Developing A Privacy Program
Honoring a consumer’s request to delete their data requires a technical implementation that can locate and automatically remove that consumer’s data from your own servers and from the servers of your third-party service providers, while retaining only what the law lets you keep (for example, records needed to complete a transaction or meet a legal obligation) and keeping an audit trail of what was deleted and when. If you don’t have the expertise in house to build this type of system, a consultant can help with developing a roadmap and implementation.
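The following is an added example of such a deletion workflow, written for this article and not code from any product or consultant it mentions. It assumes the requester’s identity has already been verified, models the business’s databases as in-memory stores, and stands in hypothetical processors (`email-vendor`, `crm`) for the real third parties; the `AUDIT_HMAC_KEY` secret, the retention rule that order records are pseudonymised rather than deleted, and all sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Assumption: a secret used to derive an audit reference that cannot be
# reversed to the email address. Manage it like any other secret.
AUDIT_HMAC_KEY = b"example-key-rotate-in-production"


@dataclass
class DataStores:
    """Stand-in for the databases a business controls (constructed)."""
    users: dict = field(default_factory=dict)   # user_id -> profile record
    orders: list = field(default_factory=list)  # retained for accounting, pseudonymised
    events: list = field(default_factory=list)  # analytics events, deleted outright


@dataclass
class Processor:
    """A service provider holding a copy of the data (hypothetical)."""
    name: str
    delete: Callable[[str], bool]  # given a user_id, True once deletion is acknowledged


def subject_ref(email: str) -> str:
    """Keyed hash written to the audit log instead of the raw identifier."""
    norm = email.strip().lower().encode()
    return hmac.new(AUDIT_HMAC_KEY, norm, hashlib.sha256).hexdigest()[:16]


def process_deletion_request(email, stores, processors, audit_log):
    """Handle a request whose identity has already been verified.

    Deletes what we may delete, pseudonymises what we must retain, asks each
    processor to delete, and appends an audit entry. Returns that entry."""
    ref = subject_ref(email)
    norm = email.strip().lower()
    user_ids = [uid for uid, u in stores.users.items() if u["email"].lower() == norm]

    # Analytics events carry no retention requirement: delete outright.
    kept_events = [e for e in stores.events if e["user_id"] not in user_ids]
    events_deleted = len(stores.events) - len(kept_events)
    stores.events = kept_events

    # Order records may have to be kept for accounting, so strip the
    # identifiers rather than the record (assumed retention rule).
    orders_pseudonymised = 0
    for order in stores.orders:
        if order["user_id"] in user_ids:
            order["user_id"] = ref
            order.pop("email", None)
            orders_pseudonymised += 1

    for uid in user_ids:
        del stores.users[uid]

    # Propagate to processors; a failure is recorded as pending so it gets
    # retried rather than silently forgotten.
    processor_status = {}
    for proc in (processors if user_ids else []):
        results = []
        for uid in user_ids:
            try:
                results.append(bool(proc.delete(uid)))
            except Exception:  # network error, vendor outage, etc.
                results.append(False)
        processor_status[proc.name] = "done" if all(results) else "pending"

    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": ref,  # never the email itself
        "found": bool(user_ids),
        "profiles_deleted": len(user_ids),
        "orders_pseudonymised": orders_pseudonymised,
        "events_deleted": events_deleted,
        "processors": processor_status,
        "complete": all(s == "done" for s in processor_status.values()),
    }
    audit_log.append(entry)
    return entry


def sample_stores() -> DataStores:
    """Constructed sample data, not real consumers."""
    return DataStores(
        users={"u1": {"email": "Alice@example.com", "name": "Alice"},
               "u2": {"email": "bob@example.com", "name": "Bob"}},
        orders=[{"id": 1, "user_id": "u1", "email": "alice@example.com", "total": 42.0},
                {"id": 2, "user_id": "u2", "email": "bob@example.com", "total": 7.5}],
        events=[{"user_id": "u1", "page": "/pricing"}, {"user_id": "u1", "page": "/"},
                {"user_id": "u2", "page": "/"}],
    )


def sample_processors():
    """Two hypothetical processors, one of which is unreachable."""
    def unreachable_crm(uid):
        raise TimeoutError("crm unreachable")
    return [Processor("email-vendor", lambda uid: True),
            Processor("crm", unreachable_crm)]


if __name__ == "__main__":
    stores, audit = sample_stores(), []
    print(process_deletion_request("alice@example.com", stores, sample_processors(), audit))
```

Two design points matter in practice. The audit log must prove the deletion happened without re-creating the data you just deleted, which is why it stores a keyed hash of the identifier rather than the email. And a vendor that cannot be reached is recorded as pending, not dropped: the request is only complete once every processor has acknowledged it, so the pending entries are the work queue for retries and for escalation to the vendor.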
Build Customer/Consumer Trust