
The Legal and Regulatory Landscape For Data Usage and Privacy

Facebook and Equifax Privacy Failures Put Businesses and Consumers On Notice

In The Beginning

In 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) laid the cornerstone for all other jurisdictions to build similar legal and regulatory data usage and privacy frameworks. GDPR’s global scope set a new level of usage obligations and privacy expectations for many companies. For example, GDPR applies to all online transactions with EU citizens no matter the location of the transaction. In essence, GDPR attaches legal ownership of individuals’ personal data to that individual. It does not attach to the data controller, as in the United States (US), where individuals’ personal data is monetized by companies. That is why, in response, U.S. companies and not-for-profits updated their website “cookie” and “privacy” policies and took steps to anonymize IP addresses to reduce data aggregation. This distinctly different legal perspective and approach, taken by many US companies whose business models include the use and sale of personal data, is now coming into focus between consumer demands and regulatory enforcement.

Legal enactments and judicial decisions are impacting how businesses handle and manage personal data.

In January 2019, the French Data Protection Authority (CNIL) imposed a 50 million Euro penalty against Google, and in July 2020 the EU’s highest court invalidated a self-certifying framework between U.S. companies and EU member states due to GDPR violations, affecting thousands of U.S. companies. For a more in-depth discussion, see my blog post, EU Court Strikes Down Privacy Shield Network.

GDPR’s global momentum towards tighter data privacy laws appears to be an unstoppable wave. In January 2020, the California Consumer Privacy Act (CCPA) went into effect, changing how citizens’ personal data is collected and managed by businesses of a certain size. Most notably, CCPA allows for private litigation based on data use practices, as in the ZoomInfo CCPA lawsuit. One of the major principles of GDPR and CCPA is that the consumer (citizen) now determines how companies of a certain size collect, use and share their data. This is much more innovative and revolutionary than the data breach notification laws that almost all states have enacted. Thus, we can expect to see similar CCPA-type data protection and privacy laws being enacted across the U.S. and elsewhere, for example in Brazil, Canada, Florida, New York and Washington.

Form integrated teams composed of Chief Data, Executive and Legal Officers.

Due to the overwhelming importance of these issues and the rapid pace of enforcement, it is vital to stay abreast of regulations and consumer demands. As with any significant regulatory change, planning and preparation are critical. In other words, CISOs and risk management officials are no longer adequate on their own, nor wholly responsible, for data management, privacy protection and legal compliance. Businesses should form integrated teams to create workflows that verify and determine data access and use rights internally, and a process to address consumer requests externally.

Demonstrate CCPA compliance by:

  • Designate a Data Protection Team responsible for ensuring that the organization and all third-party service providers comply with data protection and privacy laws.
  • Publish online privacy notices and consent forms that cover business practices, data uses and IP right usage.
  • Train all employees and service providers who access, manage or otherwise process personal data on best practices for protecting personal data and privacy. In addition, require appropriate documentation, such as AICPA SOC 2 privacy certifications, to demonstrate that their workflows have been audited and verified for compliance.
  • Invest more in data security and update existing privacy policies to address how personal data is to be managed and protected. Begin by identifying the resources required, such as software, training and vendors, to deploy compliant workflows. Then classify the covered data types (names, addresses, Social Security, driver’s license and passport numbers, biometrics, geolocation and employment data) under CCPA or other laws.
  • Innovate. Work with application and web-based users and testers to review existing functionality and develop new functionality. Apple’s Sign in with Apple feature replaces your email address with a proxy address generated by Apple, allowing consumers to more easily connect and disconnect without sharing personal data with app and website developers.
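The classification step above, and the IP-address anonymization mentioned earlier, are the two places where a data team actually touches records. The following Python is an added example (not code from the post or from any of the firms it mentions) of a minimal data-inventory pass: each field of a customer record is tagged with a data category drawn from the post’s list, and fields in the riskiest categories are reduced before the record leaves the controlled system. The sample record, the field-name hints, the category labels and the value formats (US-style SSN, decimal latitude/longitude, e-mail) are this example’s assumptions, as are the /24 and /48 truncation prefixes for IP addresses; none of them is a statutory definition.

```python
import re
import ipaddress
from typing import Optional

# Constructed sample record: fictitious values, documentation-range IP addresses.
SAMPLE_RECORD = {
    "full_name": "Jane Example",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "dl_number": "D1234567",
    "client_ip": "203.0.113.57",
    "client_ip6": "2001:db8::1234:5678",
    "last_location": "37.7749,-122.4194",
    "employer": "Example Corp",
    "plan": "gold",
}

# Assumed value formats for types that can be recognised from the value itself.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
GEO_RE = re.compile(r"^-?\d{1,2}(\.\d+)?,\s*-?\d{1,3}(\.\d+)?$")

# Assumed field-name hints for types with no recognisable value format.
NAME_HINTS = {
    "name": "identifier:name",
    "address": "identifier:postal_address",
    "passport": "identifier:passport_number",
    "dl_number": "identifier:drivers_license",
    "license": "identifier:drivers_license",
    "biometric": "biometric",
    "fingerprint": "biometric",
    "employer": "employment",
    "job_title": "employment",
}


def classify_field(key: str, value: str) -> Optional[str]:
    """Return the (illustrative) category for one field, or None if it is not personal data."""
    if SSN_RE.match(value):
        return "identifier:social_security_number"
    if EMAIL_RE.match(value):
        return "identifier:email"
    if GEO_RE.match(value):
        return "geolocation"
    try:
        ipaddress.ip_address(value)
        return "identifier:ip_address"
    except ValueError:
        pass
    lowered = key.lower()
    for hint, category in NAME_HINTS.items():
        if hint in lowered:
            return category
    return None


def classify_record(record: dict) -> dict:
    """Build the data inventory: field name -> category, omitting non-personal fields."""
    inventory = {}
    for key, value in record.items():
        category = classify_field(key, str(value))
        if category:
            inventory[key] = category
    return inventory


def anonymize_ip(ip: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Truncate an address to a network prefix so it no longer identifies a single host.
    The /24 and /48 defaults are this example's choice, not a legal requirement."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_record(record: dict) -> dict:
    """Apply a per-category treatment before a record is shared or stored long term."""
    out = {}
    for key, value in record.items():
        category = classify_field(key, str(value))
        if category == "identifier:ip_address":
            out[key] = anonymize_ip(value)
        elif category == "identifier:social_security_number":
            out[key] = "***-**-" + value[-4:]  # keep last four digits only
        elif category == "geolocation":
            lat, lon = (float(p) for p in value.split(","))
            out[key] = f"{lat:.2f},{lon:.2f}"  # coarsen to roughly 1 km
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for field, category in classify_record(SAMPLE_RECORD).items():
        print(f"{field:14s} -> {category}")
    print(minimize_record(SAMPLE_RECORD))
```

The inventory from `classify_record` is what a Data Protection Team would map onto the notice, consent and access-request workflows; `minimize_record` shows that the treatment differs by category rather than being one blanket rule, which is why the classification has to come first.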


Author Disclosure

I am a practicing attorney and the author of this article and it expresses my own opinions. I have no vested interest in any of the products, firms or institutions mentioned in this post. Nor does the Analyst Syndicate. This is not a sponsored post.

Disclosure

The views and opinions in this analysis are my own and do not represent positions or opinions of The Analyst Syndicate. Read more on the Disclosure Policy.