A couple of months ago I made a wild statement about the Facebook-Cambridge Analytica incident being the catalyst for stronger privacy regulation around the use of personal data for business purposes. A few people found some merit in this idea – usually the ones from my own generation whose sense of adventure is a bit tempered by the reality of the past.
And then lately, a few new events (think California’s CCPA) are showing that people and governments around the globe are more interested in the protection of personal data and, most importantly, in the appropriate use of personal data in a transparent, fair and legal manner.
Privacy legislation, the new trend
It may be the fact that GDPR came into effect in May or that there is news every other day about companies not being responsible with the personal data they are entrusted with. Whatever the case may be, there are a few clear changes that are transforming the landscape:
- In April, Alabama became the last state to enact a data breach notification law in the US.
- In the same month, Canada made mandatory breach notification a requirement under federal regulation (PIPEDA).
- In June, Iowa and Nebraska enacted Information Security laws to protect personal data specifically. And the Chicago City Council introduced the Personal Data Collection and Protection Ordinance.
- Last but not least, California had a breakthrough win with the introduction of the California Consumer Privacy Act.
All these different laws have one goal in common: to protect the rights of the individuals whose data businesses use. Although in most cases the collection and use of this data is justified, in some other cases – like with Cambridge Analytica – the gross breach of trust is unwarranted and, as some regulators around the world believe, completely non-compliant.
California following the lead from Europe
The Privacy Act in California was supposed to be voted on during the mid-term elections in November. But it turns out that the California Assembly decided to expedite it and send it to the California governor for signing on June 28th. The Act will take effect on January 1, 2020.
This piece of legislation has been deemed by many as a great step in the right direction towards personal data protection regulation similar to GDPR, which remains the most comprehensive to date.
Some of the key elements of the Act include:
- Applicability for all businesses that serve California residents. However, businesses need to satisfy one of three requirements: 1) have annual revenues of $25MM or more, 2) manage the personal data of 50,000 individuals or more, or 3) 50% or more of their revenue comes from selling consumers’ personal data.
- Right to know for individuals. This means that any individual in California, upon having their identity verified, may request what categories and elements of personal data the business has collected, the source of collection, the purpose of the collection, and the categories of 3rd parties the business shares the personal data with or sells it to.
- Right to deletion. This allows individuals to request that businesses delete their personal data, and businesses with any customers in California are expected to comply unless there is a strong legal reason not to.
- Privacy notices are expected. They should include the rights the individuals have under the Act, what personal data is being collected and whether they share or sell the personal data to 3rd parties.
- An individual 16 years of age or less is considered a minor. Therefore, their data cannot be sold unless the individual consents (if they are between 13-16) or their parents consent for younger minors.
- For enforcement, the California Attorney General has the power to impose penalties up to $7,500 per violation (imagine when a breach has over 1 million individuals affected!).
As we can see, this new law is strong enough to ensure that businesses really start taking the principles of privacy management seriously. It is still not as strict or as large in scope as the GDPR but in my opinion, it is a good first step and one that California should be applauded for.
We need to keep moving
Every year I think this year is going to be the most interesting so far when it comes to the protection of personal data. Every year I keep being surprised at how everyone is willing to work together to ensure we all respect personal data. At the same time, we are moving towards providing better and more personalized products and services to our customers, while always keeping in mind that privacy and personal data protection are a priority in this environment.
If we continue on this path of awareness and willingness to work together, I cannot imagine the possibilities that next year may bring!