The Spread of Privacy Legislation

Businesses can no longer ignore the ethical and technical requirements of consumer privacy. With new privacy legislation and acts coming out of U.S. states and countries, non-compliance is a recipe for stiff fines and public vilification.

Michael DeWitt
Jul 8, 2024
3 min read

Companies shouldn't have to be forced into privacy compliance. They should want to opt in on their own accord. Complying is a matter of integrity, and it shows ethical responsibility.

This article will examine the spread of privacy legislation and how businesses can adapt to increasing privacy requirements.

California Consumer Privacy Act (CCPA)

The CCPA is similar to the EU's GDPR, which took effect in the spring of 2018. As you might have guessed, the CCPA is specific to California: it protects residents of the state. However, since virtually everyone in the U.S. and the world does business with California, nearly every business will need to comply with the CCPA. Businesses that do not comply with the CCPA can be sued by individuals for $750 per incident. The CCPA doesn't go live until 2020.


Some considerations for businesses are to ensure that not only their business but also any vendors and partners are compliant. Compliance will be far more involved for companies that store personal data on their servers. Hiring a consultant is certainly worth contemplating.

As CCPA pertains only to California residents, creating a system just for CCPA and another for everyone else is an expensive option. More states have privacy acts in the works, so creating a system for each state is impractical. It is likely that most privacy regulations will have a common ground, as is the case with CCPA and GDPR. This common ground will help to ease the technological and cost burdens on businesses.

California is the first U.S. state to implement a privacy act. However, other states are following California's lead, including Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico.

General Data Protection Regulation (GDPR)

GDPR was the first significant privacy legislation implemented for any nation or region. GDPR is the European Union's consumer privacy legislation. It gives EU residents more control over their data. Businesses must inform EU residents of any list to which they are subscribed and how their data will be used. Companies must ensure user data is used only as their website states.

GDPR fines for non-compliance can total 4% of a business's annual turnover. Cambridge Analytica was fined only €500,000, because the Facebook-Analytica data scandal occurred before GDPR was implemented. Google was not so lucky: a French firm sued for €50 million over Google's lack of transparency about how advertising data was being used. That case became the first major GDPR fine of 2019.

GDPR and CCPA have shown other countries that privacy legislation isn't just a gimmick. Japan, Brazil, South Korea, and India all have privacy legislation in the works.

Differences Between GDPR and CCPA

CCPA took a few cues from GDPR. However, there are some differences between the two. CCPA is more detailed about the use of PII (personally identifiable information), especially when it comes to biometrics.

With CCPA, basically, anything that touches consumer data must be disclosed to consumers.

CCPA also forces companies to open up their internal infrastructure more than GDPR does. Internal infrastructure is a part of most companies that has always been kept private.

Developing A Privacy Program

Creating a privacy program is time-consuming and will require the input of executives and managers. Storing data on company servers isn't a bad thing, but it requires more resources to manage than using third parties (e.g., cloud-based services) and can be more of a liability. Third parties that handle any customer data must be identified. Every third party should have a privacy policy that is at least as compliant as the company's privacy policy.

A front-facing privacy policy needs to be created, as well. To be compliant with GDPR and now CCPA, disclosing all parties involved with customer data and how it is handled is a good place to start with any new privacy policy. The current trend in privacy acts and legislation is to be fully transparent about consumer data. This includes disclosing the names of involved third parties, allowing consumers to control the use of their data, and even deleting/opting out (including opting out of any related third parties).

Such functionality requires a technical implementation that automatically removes consumer data from your servers and third-party servers. If you don't have the expertise to assemble this type of system, a consultant can help develop a roadmap and implementation.
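As an added illustration (not code from the article or any particular product), here is a hypothetical Python sketch of the workflow this section describes: a register of every third party that touches consumer data, a check that each vendor's policy is at least as compliant as the company's, and a deletion request that removes the record locally, fans out to each vendor, and returns an audit record that stays open while any vendor is unreachable. All vendor and consumer data below is constructed.

```python
# Hypothetical deletion-request workflow sketch; not any regulation's official procedure.
from dataclasses import dataclass, field


@dataclass
class Processor:
    """A third party that holds consumer data on the company's behalf (hypothetical)."""
    name: str
    policy_compliant: bool       # its privacy policy is at least as strict as ours
    reachable: bool = True       # False simulates an API outage (the failure case)
    records: dict = field(default_factory=dict)  # stand-in for the vendor's data store

    def delete(self, consumer_id: str) -> bool:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return self.records.pop(consumer_id, None) is not None


@dataclass
class PrivacyProgram:
    local_store: dict    # data kept on the company's own servers
    processors: list     # every third party that touches consumer data

    def disclosed_third_parties(self) -> list:
        """Names that belong in the public-facing privacy policy."""
        return sorted(p.name for p in self.processors)

    def non_compliant_vendors(self) -> list:
        """Vendors whose policy is weaker than ours; they must be fixed or dropped."""
        return [p.name for p in self.processors if not p.policy_compliant]

    def handle_deletion_request(self, consumer_id: str) -> dict:
        """Delete locally, fan out to every processor, and return an audit record."""
        record = {"consumer": consumer_id, "third_parties": {},
                  "local": "deleted" if self.local_store.pop(consumer_id, None) else "not_held"}
        for p in self.processors:
            try:
                record["third_parties"][p.name] = "deleted" if p.delete(consumer_id) else "not_held"
            except ConnectionError:
                record["third_parties"][p.name] = "pending"  # must be retried; request stays open
        record["complete"] = "pending" not in record["third_parties"].values()
        return record


def build_sample_program() -> PrivacyProgram:
    """Constructed sample data; no real consumers or vendors."""
    return PrivacyProgram(
        local_store={"c-001": {"email": "a@example.com"}, "c-002": {"email": "b@example.com"}},
        processors=[
            Processor("Analytics", True, records={"c-001": {"clicks": 12}}),
            Processor("Mailer", True, records={"c-001": {"list": "promo"}, "c-002": {"list": "promo"}}),
            Processor("AdNetwork", False, reachable=False, records={"c-001": {"segment": "x"}}),
        ],
    )
```

A real system would persist the audit record and retry every "pending" entry until the request is complete, since the consumer's deletion is not honoured until every disclosed third party confirms.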

Build Customer/Consumer Trust

Adhering to GDPR and CCPA is the minimum required bar for compliance and for building consumer trust. Going further with transparency will continue to build trust. If you keep in mind that consumers want to know everything that is happening to their data, you likely can't go wrong by disclosing that information and consistently disclosing any related changes to your privacy policy.
