How much personal data do you collect from customers, and what privacy laws apply to your business? Recent privacy violations have resulted in penalties of thousands or millions of dollars, with Facebook paying a record FTC fine of $5 billion. Every business needs to know its compliance requirements and potential exposure. Yet the current proliferation of privacy laws has made this increasingly expensive and difficult.
The common thread running through these laws is the need to protect the ever-increasing amount of data that businesses collect from customers. While certain categories of data are already highly regulated (for example, banking or health records), behavioral data has generally not been. Website searches and visits, individual purchases, political leanings, social media connections, and physical location are combined to create a disturbingly accurate personal profile. How much are individuals paid for this data? Usually, very little or nothing. And yet our personal data has only increased in value.
Even when the European Union’s General Data Protection Regulation (GDPR) became effective in May 2018, significantly increasing privacy requirements and penalties for violations, U.S. businesses were unaffected, unless they collected personal data from European citizens.
This changed when Cambridge Analytica accessed the data of 50 million Facebook users in order to aid Donald Trump’s successful 2016 presidential campaign. This led California to pass the California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020. Businesses that share enough personally identifiable information (PII) of California residents, and which are large enough, can face crippling penalties for violations. In the first nine months of 2020, class action suits have been filed seeking potentially billions in damages. Defendants include Walmart, Salesforce.com, Zoom, TikTok, and Minted.
Despite these stricter laws, consumers generally have had little choice in how their data is collected and used. States and countries are now leapfrogging each other to introduce more stringent laws. Here is a sample from this month alone:
- On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which strengthens the CCPA and adds data processing requirements similar to those in the GDPR. Consumers must be given options to easily opt out of some or all data collection and sharing. Businesses must limit both the collection and use of PII. Perhaps most significantly, businesses must take reasonable security measures to protect PII, with some required to perform an annual cybersecurity audit.
- On November 12, 2020, the European Commission published draft “Standard Contractual Clauses” (SCC), which are model contract clauses addressing the collection and processing of PII inside and outside of the E.U. These follow the “Schrems II” decision this past July by the European Union Court of Justice, which held that the E.U.-U.S. Privacy Shield arrangement provided insufficient privacy protections.
- On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced a proposed Consumer Privacy Protection Act (which will inevitably be confused with the CCPA or the CPRA). Maximum fines could be 5% of a company’s global revenues, or $25 million, whichever is greater. One catalyst for the law is to provide privacy protections equivalent to the GDPR.
- Less well known but still very relevant is Nevada’s updated privacy law, known as Section 603A, which became effective on October 1, 2019. Among the requirements: businesses that sell PII are required to disclose the categories of PII collected and the categories of third parties with whom it is shared, and provide methods for consumer review of collected PII.
If you are feeling a swelling sense of unease while reading this article, you have plenty of company. Data brokers and advertisers have incentivized the collection and aggregation of ever-greater amounts of personal data. The pendulum is now swinging back. How do you protect your business? Here are a few suggestions:
- Implement “privacy by design”. As you build your company’s products and services, bake in privacy protections.
- Assign a chief privacy officer, who will be responsible for privacy compliance.
- Tell your customers that you care about their privacy! Both in word and deed, let them know that their personal data is not your profit center.
- Contact us to review your current privacy posture and to create a strategy for the future.
Most importantly: know that the world is changing. Privacy is no longer a luxury. You’ll either need to stay ahead of the curve, or you’ll be left behind. In 2014, the Harvard Business Review published the article, “Privacy Is a Business Opportunity”. It was true then, and is even more so today. Welcome to the future.