The expansion of our digital world has far outpaced the regulatory standards for data protection. In fact, the previous version of European data protection acts goes back to 1995. In the U.S., the closest Federal equivalent is the Children’s Online Privacy Protection Act (COPPA), which was adopted in 2000.
Let’s put that in perspective – until recently, the EU was operating off of a baseline of data privacy regulations that dated back to when we were using Internet Explorer 1.0, and Coolio’s Gangsta’s Paradise and Waterfalls by TLC were number one and two on the Billboard’s Top 100. When COPPA was added to the U.S.? We were listening to Breathe by Faith Hill, and Smooth by Santana.
To say that we were overdue for an update to privacy regulations is an understatement. Both the EU and California recognized that, and they each created new laws regarding personal data – the General Data Protection Regulation (GDPR) in Europe, and the California Consumer Privacy Act (CCPA) in the U.S.
If you’re a business in the EU or California, you probably already know that you need to pay attention to these two important pieces of legislation. But what if you aren’t in the EU? What if you’re a company in Philadelphia, or Chicago, or London? Do you need to be compliant?
The answer is, most likely, yes. And the penalties are stiff enough that ignorance isn’t an option. To protect your customers and your business, you need to understand and have an action plan to deal with these two important regulations.
An Overview of GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that was put into place to protect and empower EU citizens. Implemented on May 25, 2018, it requires that companies and organization protect the privacy rights of EU citizens, and gives citizens more control over their personal data. The regulation offers opportunities for individual member states in the EU to enhance the laws further, while also providing thresholds that the member states must adhere to. It also gives the authority to those member states to enforce GDPR with sanctions and stiff fines.
What’s Included in GDPR?
The GDPR itself is a hefty and expansive regulation, but it centers around 7 core principles:
- Lawfulness
- Fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage Limitation
- Integrity and confidentiality
- Accountability
The regulation outlines certain types of data protected, including:
- Identity information, like names, ID numbers, and addresses
- Health information, including genetic data
- Web-based information, like cookies, RFID tags, IP addresses, and location information
- Race / ethnicity
- Biometric data
- Political opinions
- Sexual orientation
What’s truly different about the GDPR is the establishment of penalties for violating the laws. Companies will no longer receive a token slap on the wrist for violations – instead large breaches can face fines up to €20 million – more than $23 million US dollars(as of June 2020) – or four percent of a firm’s global turn over, whichever is greater. Smaller fines can be the greater of two percent of global turn over or €10 million. For instance, Google was fined €50 million by the French data protection regulator in 2019 for violations of GDPR.
Who Needs to Follow GDPR?
Certainly, companies within the EU must comply with GDPR. But even if you’re not located in Europe, there is a high likelihood that these regulations apply to your business. In addition to companies with a physical presence in an EU country, GDPR applies to you if:
- You aren’t in the EU, but you process data for EU residents
- You have more than 250 employees
- You have fewer than 250 employees, but you do data processing that could impact the rights and freedoms of EU residents, your data processing is not occasional, or it contains certain types of personal data
So, if you are a small online retailer, and you sell to someone who lives in an EU country, GDPR applies to you.
What Does Your Business Need to Do?
To remain compliant with GDPR, you should start by reviewing your data storage policies and procedures. You’ll need to ensure that, if requested, you can remove all of a customer’s personal data. You should have someone within your company who is designated to be responsible for this. For larger companies, that person may be or may take on the role of the Data Protection Officer. Smaller businesses may not offer a position with that title but will want to make sure that an appropriate person within the company holds that responsibility.
You also need to ensure that your partners are GDPR compliant. If you work with a third party that has access to personal data, and they are not following the regulations, then you are equally liable for the data you own that the third party manages in some way. So, with our earlier example, if you are a small e-commerce company and your payment processor is not GDPR compliant, then neither are you.
Ready to discuss GDPR or CCPA?
An Overview of CCPA
What is CCPA?
The beginning of 2020 saw the U.S’s most stringent data privacy laws go into effect. The California Consumer Privacy Act (CCPA) was unanimously passed by the California legislature in 2018 and takes a few pages from the GDPR guidebook, including greater control for individuals over their data.
What’s Included in CCPA?
The CCPA allows Californians to demand to see the information a company has saved on them, and ask that it be removed. The company must also produce a list of third parties that the consumer’s information has been shared with. Under the law, individuals can sue a company if the CCPA guidelines are violated, with or without a breach having occurred. Businesses are given 30 days to comply with the law once they are notified of a violation. If the problems are not mitigated in 30 days, companies face fines up to $7,500 per record.
Who Needs to Follow CCPA?
Like the GDPR, the businesses that must adhere to the CCPA goes beyond companies located in California.
- Companies that serve California residents with a minimum of $25 million in annual revenue
- Companies of any size with personal data for more than 50,000 people
- Companies that collect more than half their revenue from the sale of personal data
This includes national and international businesses.
There is an exemption for insurance companies and agents and insurance support organizations. However, this exemption is in place because these industries are already regulated under the California Insurance Information and Privacy Protection Act (IIPPA).
What Does Your Business Need to Do?
Companies who must meet the CCPA requirements should have been in compliance as of January 1, 2020. In truth, however, California residents can request all of the data a company has collected on them for the previous year. That means, to be fully compliant, businesses should have had the proper data tracking systems in place as of the beginning of 2019.
Even if you’ve done nothing to date, that doesn’t mean you should hope to continue flying under the radar. Depending on the level of personal data you hold for customers, the 30-day grace period after notification may not be enough time to mitigate security issues around privacy or your ability to produce the requested collected data from a California resident. Putting together your tracking and processes for data collection and storage should begin immediately if they are not already in place.
Both the GDPR and the CCPA show how governments are beginning to take an interest in – and a hard line with – companies that collect, store, and use consumer data. Putting together a data collection and protection policy and defining a process is crucial for business continuity. Waiting until you’ve been called out for a violation of these regulations will be too late and can cost more than your business can afford.