May 25, 2019, will mark one year since the European Union’s General Data Protection Regulation (GDPR) went into effect and many businesses still feel that it has complicated the digital landscape, especially with the myriad of other data protection regulations impacting organizations across the globe. Adding to this complexity, just after GDPR was enacted two other economic powerhouses – the state of California and Brazil – passed privacy laws similar to GDPR that go into effect in Q1’2020, and the expectation is that there are more regulations on the horizon. This begs the question: what about the world’s leading economy, as well as the target of more security incidents and data breaches – the United States?
We are entering into another wave of state mandates around data privacy that puts the power back into the hands of citizens. The first set of regulations protected data. They required security measures for stored personal data, defined the concept of personal information, and required notification in case of a breach. But it took 15 years, from California’s pioneering law in 2003, until March 2018 when the 50th such state law was enacted.
Now, consumers are demanding more control of their personal data. Will history repeat itself and will there be another 15-year cycle for all states to get on board the data privacy train and pass laws to protect each state’s residents’ personal data? Will consumers be willing to wait that long? Or is it time to enact a unifying national law?
GDPR was designed to provide a new set of rules to give European Union data subjects more control over their personal information and allegedly, to unify the regulatory environment so both citizens and businesses in the EU could benefit from the digital economy. GDPR really upped the ante for data privacy and the impact was felt globally as organizations such as Google have been fined and other fines are looming. According to the European Commission, data protection authorities had collected a total of 95,180 complaints from May 2018 – January 2019 from individuals believing their rights under GDPR had been violated.
Looking back on the history of US data protection regulations, it has basically encompassed federal guidelines and some specific regulations governing finance (Gramm-Leach-Bliley Act) or healthcare (Health Insurance Portability and Accountability Act), but general data protection regulations were left up to the individual states.
In 2003, California enacted the first state-driven breach notification law, specifically designed around protecting computerized personal information. California defined what constitutes personal information, data security measures to prevent breaches such as encryption and mitigating unauthorized access, as well as notification requirements and remedies. Since then states have adopted similar types of laws, each a twist on the original, adding to the complexity for a unified interpretation and adherence. While these laws differ in their specific definitions and notification timelines, the common thread across all of them is that, in general, a security breach involves unauthorized access to unencrypted or unsecured data. In March of 2018 Alabama became the 50th and final state to enact a data breach notification law.
During the 15-year span for all the states to get on board for data protection, the topic of data privacy has morphed into a larger narrative due to the exponential growth of data and various ways personal data is being used for analytics, and sometimes even sold as a revenue generator for organizations. With this realization of exposure and increasing breaches, consumers are now demanding their personal data be protected and only used in the manner for which it was intended.
Roughly a month after GDPR went into effect, California enacted the California Consumer Privacy Act (CCPA), becoming the first state in the U.S. with a privacy law that gives Californians more control over their personal data. It will be interesting to see how businesses prepare in advance of the CCPA January 1, 2020, deadline as there are some similarities with GDPR but substantial differences in the way several areas are handled. The fight for more consumer privacy is far from slowing down. With tech giants such as Apple recognizing that consumers shouldn’t continue to tolerate companies’ irresponsible handling of data, there will be more pressure to have policies in place to keep companies in check.
This appears to be the vanguard of another wave of state mandates, this time allowing consumers to take more control over the use of their personal data. We can expect many states to follow, eventually resulting in new regulations in each and every state. However, is this an efficient way to protect citizens’ data, and do the states have the power and budget to enforce these regulations in each case? And how do organizations plan to meet the subtle variations across the 50 regulations as they emerge, while simultaneously meeting GDPR and other international mandates?
It’s time for a federal mandate that tackles the issue at a national level and brings a cohesive approach to data privacy for all US citizens, as GDPR did for the people in the EU. This approach could surely remove some of the complexities for both consumers and organizations doing business across the US and in each of the various states.
It is clear that the digital landscape, with its variety of moving parts, has become increasingly complicated. It can be difficult for organizations to focus on their growth when they’re concerned about meeting different compliance requirements. Additional regulatory requirements, increased technologies and more fines make a stronger case for a federal privacy law in the U.S. as we enter the second year of GDPR.
And if you look at the fast-growing interest in protecting the use of consumers’ private data, you can bet that citizens are not going to wait, but will demand more urgent protection.