Several states recently presented and passed data privacy legislation introducing individual consumer rights as well as data breach notification rules which in some ways reflect the protections afforded by Europe’s General Data Protection Regulation (GDPR). Like their European counterparts, U.S states such as California, Hawaii, and Washington have passed or proposed laws that are designed to provide customers with greater transparency and control over their personal data.
California’s Consumer Protection Act (CCPA) even goes beyond breach notification and may require organizations to make significant changes in their data processing operations including honoring opt-outs of selling data and notification requirements surrounding sharing practices. However, to recognize what this new consumer awareness and movement towards data privacy and protection laws mean for companies and consumers alike, it helps to have a strong understanding of what the GDPR laws entail.
The General Data Protection Regulation is considered the gold standard in regard to consumer data rights by many and is essentially a set of rules designed to give European citizens control over their personal data. It aims to reduce the confusion surrounding the regulatory environment for business, so both citizens and corporations can fully benefit from the digital economy. These reforms are designed to reflect our technological age, and provides legal obligations around personal data, privacy and consent management. This means that any organization that has in-scope personal information about a customer such as their name, birthdate, credit card or social security number has to be compliant with these laws regarding how they collect, store and approach their obligation to keep that information safe.
California is the first of the 50 states to implement a similar privacy regulation, with the passing of the CCPA. Organizations have until January 1, 2020 to prepare, and enforcement actions will begin in July of 2020. Several states have proposed similar legislation following the announcement of California’s CCPA law.
Hawaii and Washington recently proposed bills that are closed modeled after the CCPA and GDPR. Hawaii has notice or transparency requirements that organizations must make to consumers and sets a broad definition of personal data. However, no breach requirements are included. Washington politicians proposed a bill which provides several notice requirements, consumer rights, and is targeted at organizations within Washington state but also those organizations targeting Washington residents to offer goods and services.
As increased awareness, interest, and concern around consumer data privacy continues to rise across the nation, there’s no doubt that we will see more and more privacy laws, especially as legislation at the state level is implemented. As new state laws become enforceable in 2020, it is vital that organizations realize how seriously consumers are beginning to be about their data privacy rights and how vital it is that organizations make the necessary adjustments to not only comply with these regulations, but also protect their brand reputation by honoring their consumers demands to protect their information. As more and more individual states adopt these policies, it can be assumed that discussions around privacy will only increase at the federal level as well.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint