For several years leading up to the GDPR's May 2018 effective date, the information management industry was in a tizzy about preparation, risks, ramifications and impacts. This wide-sweeping protection act hogged the spotlight and attention, but those with a keen eye were paying attention to the ongoing and increasing trend towards more consumer data protection – especially those closer to home with US-based enforcement options.
While looking back to better anticipate privacy law developments, it's important to note that since the 2003 California data breach notification law, 47 US states, the District of Columbia, Puerto Rico, Guam and the US Virgin Islands have put breach notification laws in place. With that context, consider the wave of state laws and regulation that the California Consumer Privacy Act of 2018, passed in June of last year and effective in 2020, will inspire. With many GDPR-like provisions mandating how consumer data can be collected and used, the California Consumer Privacy Act focuses on consumer rights, specifically at the point of collection. Other recent state consumer protection laws include:
- Vermont became the first state to regulate data brokers, the companies that buy and sell personal information. Brokers in Vermont must disclose the data they collect, allow customers to opt out, and adhere to specific security requirements and breach notification rules. Consumers can also pursue legal remedies if sold broker data results in discrimination.
- Colorado recently enacted a new law on data protection within companies. The law is a broad, sweeping mandate on documenting and implementing processes for the appropriate handling of personal identifying information, which can range from social security numbers to biometric data. Its aim is to ensure that companies have policies and procedures for handling collected information, and that the appropriate parties can be held accountable should there be a failure or breach.
- New Jersey passed a law on the use of consumer retail data.
- Washington passed a law on the use of biometric data.
While there is a trend and action happening at the state level to push consumer data protections, there is an equally hot trend of data protection activity happening across all three US federal branches.
- In July 2018, Mark Warner, senior Democratic Senator from Virginia, released a list of policy options for national legislation on data security and privacy with GDPR-like data protections, including data portability, the right to be forgotten, 72-hour data breach notification, and first-party consent. Similar to GDPR, personal data would have to be stored using pseudonymisation or full anonymization.
- Currently pending in the US Senate, the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act gives consumers the right to know what kinds of data companies collect and the ability to opt out. It would also authorize the FTC to promulgate regulations that enhance consumer control over how data is collected and used.
- Also pending in the US Senate, the Social Media Privacy and Consumer Rights Act of 2018 requires consumers to opt in to (rather than opt out of) a company's use of their sensitive data. The bill authorizes enforcement by the Federal Trade Commission ("FTC"), as well as civil enforcement by state attorneys general.
- The US House of Representatives is reviewing the Balancing the Rights of Web Surfers Equally and Responsibly Act as well as the Secure and Protect Americans' Data Act.
Expanding beyond the US, other countries are adding their momentum to the consumer protection wave. In December of 2018, Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA), which provides privacy protections similar to those outlined in GDPR, and the Australian Competition and Consumer Commission released recommendations aligned with GDPR.
So with a local, federal and global trend towards consumer data privacy, what should organizations do now to avoid being caught flat-footed? Most organizations I've spoken to are funding some kind of digital business initiative or digital transformation. Regardless of the umbrella term applied to the initiative at your organization, someone in compliance, governance or security needs to carve out a portion of that broad initiative's funding for proper customer data handling, so that you have already managed, and can easily respond to and track, the following: what customer data is recorded, where that data is stored, how it is secured, who has access to which parts of the customer data, how long you keep the customer data, how you dispose of the customer data, and how you would respond to a breach that allowed customer data to be accessed outside of your stated policy. It is a matter of staying agile and preparing for this wave of state, federal and international laws to take shape. Prepare, stay informed and attentive, and don't sit back on your heels waiting for the written law to take effect. Viewpointe can help you stay on your toes, anticipate appropriate information management and governance measures, and avoid being caught flat-footed.