California follows the EU’s GDPR and takes the privacy lead in the United States.
On May 25, 2018, the EU's General Data Protection Regulation (GDPR) came into force to protect individuals' privacy with respect to the personal data collected by corporations and other legal entities. The GDPR supersedes the EU Data Protection Directive of 1995 (implemented in the UK as the Data Protection Act 1998). The primary difference between the Directive and the GDPR is the expansion and enforcement of "data subject rights". These rights include the right to access your information, the right to erasure (the right to be forgotten), the right to restrict processing, the right to have rectification or erasure communicated to the third parties that received the data, and several other rights concerning data privacy, protection, and integrity.

California is following the lead set by the European Union (EU) earlier in 2018 with the implementation of the GDPR, the strictest privacy regulation to date and the one carrying the heaviest penalties. In June 2018, California's Governor signed into law the California Consumer Privacy Act (CCPA), which specifically aims to strengthen consumers' privacy rights. The CCPA's "consumer rights" include the following: the right to information (what is collected, the sources, and the purpose), the right to know whether personal information is sold or disclosed, the right to say "no" to the sale of personal information, the right to access your personal information, and the right to equal service and price even if you choose to exercise your privacy rights. The CCPA takes effect on January 1, 2020.
The GDPR requires firms that handle the personal information of EU individuals to implement new policies, procedures, and technical controls. Firms must also improve data visibility and identify and document the full lifecycle of the data they hold. The regulation also imposes strict reporting requirements for breaches of personal information. Firms failing to comply with the GDPR can face fines of up to €20m (about £17m) or 4% of worldwide annual turnover, whichever is higher. The CCPA will require similar efforts, and firms must build a privacy program to manage the additional business risk these regulations introduce.
Several months before the GDPR went into effect, privacy concerns gained heightened awareness when it was revealed that the personal information of millions of Facebook users had been harvested through a third-party app and passed to the UK-based data analytics firm Cambridge Analytica. The incident resulted in Facebook being fined £500,000 (the maximum allowable amount) by the UK Information Commissioner's Office (ICO) for violations of the Data Protection Act 1998. Facebook failed to safeguard its users' personal information and failed to disclose how that information was harvested and used by a third party. Had the violation occurred after May 25, 2018, Facebook could have faced up to $1.9bn (£1.4bn) in fines.
Within weeks of the Facebook-Cambridge Analytica news, Mark Zuckerberg found himself testifying before Congress to provide details on the incident. After hours of grueling inquiries, the tone turned from an inquisition of Zuckerberg into a plea for his help in developing new privacy legislation for the United States. In recent months, the US Commerce Department has been meeting with Facebook and other tech leaders, including Google, AT&T, and Comcast, to help devise federal privacy policies. Finding the appropriate balance between protecting consumers' rights and not being too onerous on corporations will be heavily debated. Facebook's August 2018 earnings report disclosed an expectation of increased costs and reduced margins over the next couple of years due to increased privacy regulation and security costs. The news resulted in a $50bn decline in Facebook's market cap within 24 hours.
A key driver of business growth over the past decade has been the use of analytics on data to produce valuable information. Firms have sought out vast amounts of data and accumulated large repositories. These repositories have been treated as assets, and for some firms as a competitive advantage. The emerging global privacy regulations now add cost to managing and protecting these data repositories, along with increased risk and potential liability.
This opinion piece was written by Michael Corcione, Managing Director of Cybersecurity and Privacy at Accume. Michael has advisory experience in cybersecurity business and IT risk assessments, cyber threats and incident response, regulatory compliance, and third-party due diligence. Prior to Accume, Michael was a leader at Cordium.