Data privacy and protection is not a new initiative. The 1998 Data Protection Act aimed at addressing this very issue as our society quickly embarked on the digital age. Now, more than 20 years later, the conversation has continued with new and revised regulations to protect consumers and businesses. Among these regulations are the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Nevada’s Privacy Law, Washington State’s Privacy Bill, and New York’s Privacy Bill, among others.
In a time when everyone seems to be online and sharing more than ever before, the topic of privacy is rising to the top of legislative agendas. Let’s take a good, fresh look at some of these data privacy regulations and the rising stakes associated with compliance.
Adopted in 2016 and effective in 2018, GDPR replaced an outdated data protection law that simply did not cover the new challenges and threats presented by the current digital environment. This revamped data privacy regulation specifically targets the protection of basic identity information, web data (e.g., location, IP data, cookies, RFID tags), health and genetic data, information about racial origin or sexual orientation, and political views.
GDPR is rooted in seven key principles:
Are you required to comply with GDPR if your business is based in the United States? Yes. If your business conducts transactions or otherwise collects personal information from citizens residing in one of the EU member states, you must comply with GDPR. In fact, according to a PwC survey, 92% of U.S. businesses consider GDPR compliance a top priority.
The first, and probably most obvious, risk of non-compliance with GDPR is the issuance of one or more fines. There are two tiers of administrative fines for non-compliance, and they apply to both data controllers and data processors:
Many companies opt to use a third-party service to manage transactions and data storage in an effort to protect themselves. However, despite using a third-party service, you will ultimately still be responsible for the transactions and data usage within your company, so it’s critical that you choose your partners wisely and monitor all activity to ensure compliance.
Similar to GDPR, CCPA is intended to protect the personal data of California citizens, placing rules and regulations on the types of personal information that can be collected and how that information will be stored and used in the future. Under CCPA, California citizens are granted four distinct rights:
The California State Attorney General will first issue a warning to give your business an opportunity to comply with CCPA within a 30-day window. If you do not comply, your business will then be faced with a civil lawsuit. “Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation.”
In addition to California, other U.S. states have elevated data privacy and protection to a legislative priority, including Washington, New York, and Nevada.
In this digital age, data flows like water. But the more data flows, the more careful we all need to be about what types of data are collected, how they are stored, and how they will be used. State and federal legislation is on the rise as legal authorities and consumers alike push for data protection and privacy. Is your business compliant?