It’s been just about a year since the European Union’s General Data Protection Regulation (GDPR) took effect amidst a flurry of predictions that the global data privacy landscape would dramatically change. So, has it? Well, not quite… yet, anyway.
One of the most threatening changes publicized was the steep fines a company could face if found guilty of breaching the GDPR – up to 4% of a company’s annual global revenue, or up to €20 million, which is approximately $22.6 million USD. To date, with the exception of the €50 million fine that France levied against Google in January 2019 for not properly disclosing how data is collected across its services to present personalized advertisements (Google is appealing), most fines have been relatively conservative and nowhere near the millions of dollars that GDPR regulators could impose.
An increasing number of the GDPR complaints filed involve invalid consent to process data, and a fair number address the transparency (or lack thereof) of a business’s data processing activities. Perhaps the biggest increase under the GDPR, though, has been in the number of personal data breaches reported. According to the International Association of Privacy Professionals, more than 89,000 data breaches have been reported to various EU officials since the GDPR took effect. If nothing else, this signals that the regulation is making people take data security incidents much more seriously.
In the United States, meanwhile, the California Consumer Privacy Act (CCPA) – and particularly, its potential amendments – is what U.S. companies should be watching. The CCPA, which takes effect on January 1, 2020, is a bill that enhances privacy rights and consumer protection for California residents, and will apply to any company conducting business in California.
The biggest proposed CCPA amendment, Assembly Bill 25, would exclude employees, job applicants, and contractors (employees) from the definition of “consumer” under the CCPA, so long as their personal information was collected and used by the business only in that context. In other words, businesses with California employees wouldn’t have to provide their employees with any information on CCPA rights, including the rights of disclosure, deletion and opt-out of selling their personal information. This could be especially helpful for companies that have no retail customer base in California. All of the CCPA’s potential amendments are now in the California Senate, which has until mid-September to pass the changes.
Other U.S. states with data privacy legislation in the works are as follows:
- Nevada – Similar to California, Nevada is also considering granting consumers the right to opt out of the sale of their personal information. However, Nevada’s bill is narrower than the CCPA in that it would only give consumers the right to opt out of data sales for monetary consideration.
- New York – New York introduced a bill in May 2019 that mirrors the CCPA in many ways: it has a broad definition of “personal information,” and would require businesses that process personal information of NY residents to provide those individuals with data privacy rights that are as comprehensive as what the CCPA requires.
- Maine – Maine passed legislation last month that prevents broadband internet service providers from using, disclosing, selling, or permitting access to consumer personal information without consumer consent.
- Massachusetts – The Massachusetts State Senate recently proposed a law that would protect any information relating to an identified or identifiable customer. If enacted, like the GDPR and CCPA, it would impose notice requirements relating to the collection and disclosure of personally identifying information.
Though a national data privacy law doesn’t appear to be on the horizon, the increase in state legislative activity through the first half of 2019 is a clear indicator that some type of legislation is inevitable. Along with preparing for the CCPA’s impact, companies should also keep an eye on what other states are doing, so they can determine what types of future requirements they may face.