In five months, the state of California, which counts itself as the world’s fifth-largest economy by GDP, will implement a comprehensive set of data privacy regulations known as the California Consumer Privacy Act (CCPA). Poised to take effect on Jan. 1, 2020, CCPA follows closely on the heels of the European Union’s sweeping 2018 data privacy law, known as the General Data Protection Regulation (GDPR).
Regardless of whether your responsibilities regularly include managing consumer data, these policies are likely already affecting your organization, its operations, and its bottom line. We aim to provide a clear understanding of the meaning of data privacy as it applies to these policies, to illustrate how GDPR and CCPA differ from one another, and to survey the political and economic landscape to get a better understanding of the future of federal data privacy regulations in the US.
Simply put, data privacy as it pertains to consumer protection is best understood as the “right to be forgotten” by corporations who would otherwise harness, process, and utilize consumer data for a variety of purposes. In this case, consumer data can be as overt as a name, address, or Social Security number, as dystopian as cellular phone records or location triangulation, or as seemingly inconsequential as a preferred brand of breakfast cereal or frequency of visits to a gas station. In an era in which large enterprises regularly suffer data breaches caused by either corporate negligence or nefarious espionage, the risk of maintaining massive, minimally protected datasets containing millions of potentially identifiable data points has become untenable.
Recognizing that “…rapid technological developments and globalization have brought new challenges for the protection of personal data” and that efforts hitherto by global corporations to adequately self-police against these challenges had been otherwise ineffective, the European Union elected in 2016 to step in on behalf of its citizens. Their goal, as listed in the policy text, was to ensure that “the protection of natural persons in relation to the processing of personal data [be considered] a fundamental right.”
To meet these goals, GDPR sets forth seven principles:
Corporations who receive consumer data in the course of doing business must adhere to these principles with regard to their standards and methods of not only storing that data but also of utilizing it to further their business. Described within these principles is the requirement for internal and external auditability. Further, it is incumbent upon the corporations to provide consumers with a process to request the erasure of their stored personal data that is straightforward and swift. The penalties for failing to adhere to these requirements are severe and expose violating corporations to significant financial and reputational risk.
Though CCPA and GDPR share a similar purpose and similarly strict penalties for violation, CCPA is significantly more prescriptive than its European counterpart. The Californian policy differs in its scope of application and in its limitations of data collection and sets forth a different set of rules regarding accountability and compliance.
Compared to GDPR, there are certain areas in which CCPA is less stringent. For example, CCPA does not require that corporations have a “legal basis” for collection and use of consumer data. Likewise, under CCPA, the transfer of personal information outside the US is unrestricted, and businesses are not required to appoint a data protection officer, though it is encouraged. Additionally, the right for California residents to access and expunge their own data is limited to information received within the past twelve months.
However, unlike GDPR, CCPA more broadly defines personal information to specifically include household information. Further, CCPA grants individuals the right to permanently opt-out of the collection and use of any personal data and requires that businesses provide consumers with a means of ensuring that a permanent opt-out capability is available both on websites and mobile applications.
The two policies also provide different approaches to the privacy rights of children. While GDPR requires that parents provide consent for the processing of their children’s personal information, CCPA strictly addresses the sale, rather than the processing, of children’s information and requires that businesses first obtain opt-in consent. Children are also classified differently in the context of these policies. In the EU, children are defined as under the age of 16, although member states can lower the age to 13 at their option. In California, parents must provide consent only for kids under 13.
The current state of data privacy regulation at the federal level consists of hundreds of laws that are primarily designed to address specific industries, such as healthcare or finance. These regulations are often mirrored or more closely defined at the state level. Likewise, in terms of enforcement, the Federal Trade Commission is empowered to protect consumers against unfair or deceptive practices. These deceptive practices can include a corporation’s failure to adhere to its own published privacy policies or its inability to secure consumers’ personal information, among others.
Since the implementation of GDPR and the passage and pending implementation of CCPA, Congress has renewed its interest in installing an overarching regulation to manage consumer data privacy in the US. As is often the case in Washington, both major parties agree that there is a fundamental need for policy but differ on their ideas for its design. It does appear that there is bipartisan agreement that any policy passed at the federal level would be primarily enforced by the FTC.
Although an all-encompassing data privacy bill has yet to be brought to the floor in Congress, it should be said that Congress has not been entirely unwilling to vote on more directional consumer protection policies. In 2019 alone, Congressional officials in the House and Senate have introduced bills including the Information Transparency and Personal Data Control Act, the Commercial Facial Recognition Privacy Act, the Digital Accountability and Transparency to Advance Privacy Act, the Social Media Privacy Protection and Consumer Rights Act, and the American Data Dissemination Act. Enfolded within these myriad bills are many, though not all, of the requirements found in GDPR and/or CCPA, and all would provide the FTC with the capability to impose and enforce penalties on violators.
In an increasingly digital world, the privacy of personal data is paramount. Now faced with more stringent regulations, businesses will need to ensure that they act with the best interests of not only their stockholders but also their consumers in mind.