Paul Peter Nicolai
The Rapid Development of Data Privacy Law
Updated: Feb 9, 2021
2018 was a big year for consumer data privacy legislation. In that year, the GDPR took effect, California enacted its Consumer Privacy Act (CCPA), and Vermont passed the first law in the country designed to regulate data brokers.
GDPR extended European Union (EU) jurisdiction beyond the EU. It mandated that any business that sells to or has EU customers is subject to GDPR, regardless of where the business is based.
EU privacy regulations have generally concerned any entity’s accumulation of large amounts of data. GDPR regulates the processing of personal data and lays out guiding principles that inform the interpretation of how companies treat EU citizens’ personal data, including those living in the U.S. or purchasing U.S. products or services.
The CCPA became effective on January 1, 2020. It is one of the broadest online privacy laws in the United States, affecting companies across the country that do business with California residents.
CCPA regulates all personal information, which means nearly any information a business would collect from a consumer. Neither the method of data collection nor the industry in which the business operates limits the potential application of the CCPA. It applies to any company that collects the personal information of Californians, is for-profit, and satisfies a basic set of thresholds.
Building on 2018’s momentum, more consumer privacy laws came into play in the first half of 2019 than in all of 2018. The number of states with data security laws has doubled since 2016. At least 25 states now have laws that address data security practices of private sector entities. For example, New York’s SHIELD Act took effect in March 2020. It expands New York’s breach notification requirements and imposes heightened data security requirements to prevent breaches.
Most of the new data security laws require businesses that own, license, or maintain personal information about a resident of that state to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Over 120 jurisdictions globally have proposed or passed privacy regulations. Billions of dollars in fines have already been issued. Still, 79 percent of companies are failing to comply or struggling to keep up with these new regulations.
Data has been a commodity used and exchanged without control because there was no comprehensive US privacy regime. With CCPA and similar laws pending in other states, companies have to change the way they do business.
Regulators are requiring companies to implement specific measures like privacy by design. While the points embodied in much of the legislation were best practices, they were not necessarily spelled out in most U.S. statutes, as is the clear trend now. The new data privacy legislation comes at a price. Fines can be hefty. Some state laws create a private right of action, making privacy a new source for class actions.
These changes mean information privacy is something every company must worry about.