Privacy laws are being implemented around the world while most of us in the United States watch from our desks. At first the impacts were minimal; then France's data protection authority (CNIL) fined Google €50 million (about $57 million) for non-compliance with the European Union's General Data Protection Regulation (GDPR). That fine set the precedent that privacy laws would be enforced and that international companies need to prepare. Many companies without a global footprint have not paid much attention to international privacy and security requirements, but the market trends suggest that every organization should.
To date, the United States federal government has not enacted a comprehensive privacy law (existing federal laws cover specific sectors only), so states are taking it upon themselves to lead. States are proposing privacy legislation of varying scope, and all of the proposals share some features with the EU's GDPR.
California is at the forefront, having passed the California Consumer Privacy Act (CCPA) in 2018, scheduled to take effect on January 1, 2020. The law includes provisions that businesses interacting with California residents will need to be prepared to manage.
The privacy law explained
The Act gives consumers (defined as California residents) four rights related to their personal information:
- the right to know what personal information a business has collected, its source, how it’s used, whether it’s disclosed or sold, and whom it’s being disclosed or sold to,
- the right to “opt out” of allowing a business to sell their personal information to third parties (for consumers under 16 years old, the business may not sell their personal information at all unless they, or for children under 13 a parent or guardian, affirmatively opt in),
- the right to have a business delete their personal information, with exceptions, and
- the right to receive equal service and pricing from a business, even if the consumer exercises their privacy rights under the Act.
This privacy law protects California “consumers,” so companies based outside the state or outside the U.S. are subject to it if they do business with California residents and meet the Act's applicability thresholds (under the 2018 text: annual gross revenue above $25 million, personal information of 50,000 or more consumers, households or devices, or at least half of annual revenue derived from selling personal information). To comply, organizations will likely incur costs to update their policies, procedures, and web sites.
Other state privacy bills
California has a history of paving the way for policy changes across the U.S., and privacy law is no different. The International Association of Privacy Professionals (IAPP) Westin Research Center compiled a list of the proposed state privacy bills and compared the pending laws. (As of the date of this blog, 17 state bills are pending.)
While many of the state privacy bills will not become law as written, the provisions in each help us understand how privacy law is developing and whether a federal law will eventually supersede the state laws. The IAPP notes that bills that do not become law still indicate what states are considering on privacy.
Common privacy provisions
According to the IAPP, there are common privacy provisions that have appeared in many proposed state bills.
- The right of access – The consumer's right to obtain from a business the specific pieces of personal information, or the categories of personal information, it has collected about them. In some bills this right exists only if the business sells information to a third party. Under this right the consumer can ask that incorrect or outdated personal information be corrected, but not deleted; deletion is a separate right.
- The right to delete – The right for the consumer to ask that personal information about them be deleted under certain conditions.
- The right to restrict processing – The right for a consumer to restrict a business’ ability to process personal information about the consumer.
- The right to portability – The consumer has a right to ask that personal information about the consumer be disclosed in a common file format.
- The right against automated decision-making – This prohibits businesses from making decisions about a consumer based solely on an automated process without human input.
- The private right of action – The right for a consumer to seek civil damages from a business for violations of a statute.
- The right to opt-in – A requirement that a business treat consumers under a certain age on an opt-in basis, so that their personal information is not sold by default.
- Notice required – An obligation placed on a business to give notice to consumers about certain data practices, privacy operations, and/or privacy programs.
- Data breach notifications – Businesses must notify consumers and/or enforcement authorities about a privacy or security breach.
- Mandated risk assessment – Businesses must conduct risk assessments of privacy and/or security projects or procedures.
- Prohibition on discrimination for exercising a right – A business can't treat a consumer who exercises a right differently from one who does not.
- A purpose limitation – A GDPR-style restriction that prohibits the collection of personal information except for a specific purpose.
- A processing limitation – A GDPR-style restriction that prohibits the processing of personal information except for a specific purpose.
Gaining a perspective
The U.S. has a patchwork of state privacy laws, and the average total cost of a data breach has reached $3.86 million, according to the IBM Security report 2018 Cost of a Data Breach Study: Global Overview.
To understand how prepared your organization is for such legislation, catalog your data: determine where it is stored, what is needed to protect it, and how sensitive it is (for example, whether it is personally identifiable information (PII) or payment card data).
Once the data is cataloged, you can determine the organization's risk exposure. Several tools are available to help an organization address its risks. Vendors like our partner, Informatica, offer a suite of enterprise tools to support data privacy and protection across the enterprise.
These tools include:
- Test data management
- Enterprise Data Catalog
- Dynamic Data Masking
Wait and see
Organizations say they are waiting to see how the state privacy laws play out; however, much like a gambler who waits too long to act, they may find it is too late to correct a high-risk issue.
Tools built to handle the strictest of the global privacy laws will handle whatever the states impose. It has been proven time and again that reacting after a data breach is far more expensive than taking proactive steps now. According to the IBM Security study, on average it takes organizations 197 days to identify a data breach and another 69 days to contain it.
When asked why they are waiting, organizations commonly answer that if they are not currently affected, they don't have to think about it yet; they want to see what unfolds with the state laws. However, it is clear where the laws are heading. Dealing with the risk proactively and initiating policies sooner will save a fire-drill response later.
Privacy laws aren’t going away. Will you be prepared?