Privacy Compliance: Gearing Up for 2020
The GDPR-like compliance previously reserved for those who have dealings in Europe is now coming into effect in the United States. California's new privacy regulations kick in with the start of 2020, and similar consumer protection may be adopted on the national level within another couple of years.
Data privacy advocates succeeded in pushing for regulations in the EU in the form of GDPR. On the other side of the Atlantic, individual privacy was not given the same weight as business interests in collecting data, but that is changing now.
Do you know what you’re sharing?
For most people, the answer to that question is no. As the internet has opened up easy access to information, it has also opened up easy access to personal data. The smartphone eroded privacy further: the device knows its own location, and apps pull that location data in real time. (Read 6 Ways to Keep Apps From Oversharing Your Personal Data.)
Combining what your mobile device picks up about your online searches with your real-world location enables marketers to target you with truly personalized messages. But it also means that you’re being watched, possibly in ways you're unaware of.
That users could end up sharing far more information than they realize was a problem Steve Jobs raised back in 2010. At the D8 conference he summed up what it takes to protect data privacy this way:
Privacy means people know what they’re signing up for, in plain English, and repeatedly. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.
Jobs insisted that his company’s own iOS operating system upheld that standard, saying that Apple had rejected many apps that would automatically upload user data to the cloud without full disclosure and permission. He added that if an app on the iPhone attempted to use location data, Apple itself would block that collection unless the user granted permission. (Read INFOGRAPHIC: Sneaky Apps That Are Stealing Your Personal Information.)
The Rise of Regulation to Protect Data Privacy
Despite the decade-long awareness that apps can lead users to unwittingly share personal information, it’s only in the past few years that legislation has come into effect to force businesses to get informed opt-ins from users for data collection.
Europe was at the forefront of this movement. EU data handling was governed by the 1995 Data Protection Directive, and transfers to American companies by the U.S.-EU Safe Harbor Framework established in 2000. The Court of Justice of the EU struck down Safe Harbor as inadequate in 2015, and the Directive itself was supplanted by the General Data Protection Regulation (GDPR), adopted in 2016 and in effect since May 25, 2018.
The US entered the game later, and on the state level rather than the national level, with the California Consumer Privacy Act (CCPA), also known as AB 375. It was signed into California law on June 28, 2018, but only takes full effect on January 1, 2020.
The law applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenue above $25 million (USD); buying, selling, receiving or sharing the personal information of 50,000 or more California consumers, households or devices per year; or deriving at least half of their annual revenue from selling consumers’ personal information.
As the California Globe put it, the law grants “Californians extended privacy and new rights online, including knowing what personal data is being collected about them, the right to say no to the sale of personal data, the right to see the personal data about them that has been collected, the right to know who the data was sold to, and the right to have a business delete personal information about them that had been collected.”
Should anything be shared without the requisite permission, the company that transferred the data is considered at fault.
The Proposed American GDPR
But even businesses that don't have direct dealings with California may have to gear up for GDPR-style legislation throughout the US. In November 2019, a new bill called the Consumer Online Privacy Rights Act (COPRA) was introduced, and it could have great ramifications for how America does business.
COPRA extends consumer protection beyond AB 375. For one thing, it requires that companies let people opt in to data sharing rather than merely allowing them to opt out. For another, it gives people the right to sue companies that violate their privacy under the terms of the law even if they cannot prove they were harmed as a result.
The official summary of the bill itemizes the key privacy rights it grants consumers and the benefits that would result from them. The bill would also be backed by new enforcement powers for the Federal Trade Commission.
Mindful of what may prevent people from speaking up, it also protects “whistleblowers from being punished for bringing privacy violations to light.”
The summary declares: “When consumers have the ability to advocate for themselves, they are better protected against abuse.”
The Devil is in the Details of Data Definitions
The full version of the proposed law delineates what personal data consists of and includes specific categories of biometrics, which include fingerprints, voice prints, iris or retina scans, facial scans or templates, DNA and, somewhat surprisingly, gait.
But it does not extend to height and weight, so long as the “data is not used for the purpose of identifying an individual’s unique biological, physical, or physiological characteristics.”
Another definition attempts to pin down the ambiguities of quantity and quality in the term "large data holder."
It defines that term as "a covered entity that, in the most recent calendar year— (a) processed or transferred the covered data of more than five million individuals…or (b) processed or transferred the sensitive covered data of more than 100,000 individuals.”
It does go on to define what falls under “sensitive information,” which extends to 14 categories, including addresses, email addresses, and phone numbers. In other words, any business that is in direct contact with a consumer is likely to have at least some sensitive information.
Obviously, that has far-reaching ramifications for just about any company today, which may result in opposition to the bill.
As COPRA was proposed by Democrats, it will undoubtedly get the full support of that party, though to pass it will also need to win support from the Republican side. There is always a possibility that this will not happen and the bill will fail. But businesses would be wise to reconsider their data collection processes, because the rising level of concern makes some form of consumer data protection law in the U.S. inevitable.