The most significant privacy regulation enacted to date, the EU’s GDPR, still feels “over the horizon” to many US firms. For companies that have delayed privacy initiatives, it’s still easy to “risk rationalize” away the need to comply with GDPR. After all, there have been no penalties inflicted (yet), no precedents set, and the body overseeing the regulation is across the Atlantic. I understand that thought process, but it’s important to note that while we don’t yet have negotiated civil enforcement mechanisms for GDPR, there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies.
But all of a sudden, the state of California has enacted AB 375, better known as the California Consumer Privacy Act of 2018 (CCPA), the most extensive consumer privacy legislation in the US. So, unless you plan to walk away from doing business in by far the largest economy of any US state, it’s likely time to stop rationalizing delaying privacy initiatives.
The Future of US Privacy Laws
Remember that California was the first US state to publish a privacy law (SB-1386), famous for requiring breach notification, way back in 2003. That led to every other state (now that Alabama has joined the fray) developing its own privacy/breach notification law. I think it is very likely we will see the same with CCPA. Privacy is no longer an if, it’s a when.
The risk now lies not in acting too fast, but in not acting fast enough. Consumers across all US states are increasingly aware of privacy concerns (for example, about 80% of Californians approved of a proposed ballot initiative that gave rise to the CCPA), and businesses that align with that trend now will likely gain a competitive edge.
Further, for companies that are already moving to align with the GDPR, those efforts will likely get you 90-100% of the way to compliance with the CCPA when it goes fully into effect in 2020. Conversely, firms that have delayed moving toward GDPR compliance should start (now) to avoid significant pain in the future.
Ironically, research shows that some of the organizations most dependent on the collection, analysis and sale of personal data (e.g., the media and retail verticals) are still among the least capable of dealing with the groundswell of new privacy legislation.
Why are firms slow to read “the writing on the wall” as regards privacy? Some reasons include:
- The lack of a coherent approach to risk management—that is, they just don’t know where to start
- A lack of privacy expertise
- A growing integration of what were two discrete disciplines: information security and privacy
- A mistaken belief that privacy legislation won’t apply to the
Any company that collects or sells Californians’ personal data is subject to the CCPA if it meets any of these criteria:
- Earns $25 million or more per year
- Sells 50,000+ consumer records annually
- Derives 50% or more of its annual income from selling personal data
Businesses that fit that description need to analyze how they collect, use and sell personal data, including which categories of data they collect, how they use them and whom they sell them to. This will help avoid potential regulatory sanctions, respond more promptly to consumer demand, and reduce the likelihood of losing market share, revenue and customers.
To start a conversation on structuring a forward-looking data privacy initiative, including how best to assess your current data privacy controls, contact Pivot Point Security.
Read part 1 of this post: What Could CCPA Mean for Your Business?