By this point, it’s no secret that we think data privacy is pretty darn important. We’ve written numerous blogs about creepy data collection practices and “security” devices that spy on you – and, finally, the rest of the country seems to be agreeing with us. (We feel so validated!)
However, that agreement and validation comes with a catch. Now that everyone is starting to jump on the data privacy bandwagon with us, there are a lot of new laws taking effect, along with increasingly heated debates about privacy legislation at the federal level.
Therefore, since this is a topic that is near and dear to our techie hearts, and since it’s a topic that’s likely to become near and dear to your business’s regulatory requirements in the near future… let’s talk about the latest laws, acts, and federal legislation considerations.
Emerging data privacy laws specifically protect consumers’ personal information (PI), whereas HIPAA, GLBA, and other previously enacted regulatory measures protected personally identifiable information (PII).
Though PII and PI sound pretty much the same (legislative acronyms aren’t that creative, folks), there’s actually a big difference between them:
As you can see, PI is pretty broad. However, since so many companies are collecting data on you and then triangulating that data to create a 3D picture of your preferences, habits, and potential advertising possibilities, we’d argue that this new definition of PI is overdue.
And now that you know what kind of data needs to be protected, you’ll see why each of the emerging data privacy and cybersecurity laws is really, really important.
Last year, we published an article all about the European data privacy standard, GDPR, in which we said that, although the GDPR really only mattered for organizations that conducted business with EU citizens, Americans shouldn’t ignore the GDPR.
We also said that the GDPR was “the first step in what will surely be a long path toward global data regulation”… and here we are, with our own versions of GDPR being enacted here in the States less than 1 year later.
Here are the newest laws that affect American citizens:
The California Consumer Privacy Act (CCPA) took effect January 1, 2020, and it’s a lot like the GDPR, but for California residents.
According to the specific terms of the CCPA, businesses must disclose the categories and specific pieces of PI that they collect, why they collect that PI, and the categories of businesses with whom they share that information.
With the CCPA, consumers can request access to the personal information a business holds on them and have it deleted, and they can opt out of sales of their data, without fear of discrimination from the businesses.
In addition, businesses can’t get around these rules by setting up “pay for privacy” schemes, which are exactly as scammy as they sound: pay for privacy would be like a freemium tier for data privacy, much like those apps and services that offer you a “free” version that bombards you with incessant ads vs. a paid version that gives you an “ad-free experience.” (We hate that.)
As we’ve learned from Facebook and Google, advertising brings in way more revenue than paid services, which means, in effect, that data is more valuable than cash. To account for the value of our personal data, the CCPA also includes a nice bonus stipulation that businesses are allowed to pay each of us for our data. (We kind of like that.)
Lastly, the CCPA allows for consumers to individually sue companies for misuse or release of data, and the fines are steep for disobeying the requirements of the CCPA: it costs $7,500 per intentional violation, $2,500 per unintentional violation, and $750 per affected user in civil damages.
Remember, this bill is already in effect, so if you have customers in California, this is a really big deal for you right now.
Not to be outdone by California, New York has passed its own data privacy and cybersecurity act, the Stop Hacks and Improve Electronic Data Security Handling Act (which they’ve shortened to “SHIELD,” but should technically be something like “SHIEDSH,” which doesn’t have the same ring, so we get it).
The SHIELD Act applies to New York residents and includes 3 new categories of data security and breach notification requirements:
While this reform isn’t as sweeping as the CCPA, it does create additional data security requirements, and also means that companies doing business with New Yorkers need to pay close attention to what data they’re collecting, so they know if it’s been breached.
By the way, there’s also a section in the SHIELD Act that lets businesses decide for themselves whether an incident counts as a real breach and whether they actually need to notify consumers about it. In short, it’s a bit confusing and messy right now, and it definitely muddies the compliance landscape for organizations that do business with both California and New York residents.
The SHIELD Act takes effect on March 21, 2020.
In addition to state-by-state policies that are cropping up across the country, you should also do your best to keep up with the increasing debate on the federal level.
Our very own Senator Maria Cantwell (D-Wash) is playing a huge part in the federal legislative battle – in fact, right around Thanksgiving, she drafted the first federal bill and finally sparked a serious national debate around what data privacy should mean to Americans. (Thank you, Senator Cantwell!)
(Of course, we shouldn’t be surprised that one of our own kicked off the national debate about data privacy and true personal cybersecurity; we’ve had personal information protections in place for a while here in Washington.)
Cantwell’s bill, called COPRA (Consumer Online Privacy Rights Act), sounds a lot like the CCPA, but it applies to every consumer in every state.
According to COPRA, every American should have the right to view, correct, and delete their data, as well as opt out of sales of their data, and companies should have to obtain special permission to collect sensitive data, like biometrics or a password.
The bill would allow for the establishment of a Data Privacy Bureau as part of the FTC, and would create a data security fund in the national Treasury, which kind of awes us because it shows what a massive scale federal laws have, in comparison with state laws. (However, COPRA does allow for states to create their own laws around data privacy and personal cybersecurity requirements, which is an important distinction, as you’ll see in a moment.)
COPRA states that individual consumers can sue businesses at the federal level for misusing their data, and it also calls for audits that screen for bias in algorithms, especially in regard to financial discrimination or housing. (Data misuse can be very scary stuff.) People criticize COPRA, however, because it only partially prohibits “pay for privacy” schemes.
One last important provision in the COPRA bill: companies can be fined for first-time privacy offenses. That’s a big deal because, as it turns out, the FTC wasn’t able to slap a fine on Equifax for their disastrous breach in 2017 because it was a first-time offense. Ouch.
As we said, Sen. Cantwell’s COPRA bill kicked off national debate, and the biggest debater thus far is Senator Roger Wicker (R-Miss). In response to COPRA, he swiftly introduced the CDPA (U.S. Consumer Data Privacy Act of 2019).
CDPA, colloquially called “The Wicker Bill,” aligns pretty closely with COPRA (Cantwell’s bill), except in a few important instances:
Canceling out the state laws is a contentious move, because, you know, states prefer autonomy and the California bill is excitingly aggressive. As cybersecurity experts, we can see arguments on both sides because having different data privacy laws in every state makes for an extremely complex data security program for businesses – and it means that the toughest state (probably California) would become the de facto standard across the nation, which really takes the teeth out of federal legislation.
Hopefully, these last 1,500 words have helped clarify the current state of data privacy in the States… but if you’re still a bit confused, you’re certainly not alone.
All you really need to take away from this article is that:
Whether or not the latest state laws affect you, it’s always a good time to take a look at your data privacy and cybersecurity practices and see where you can do better.
Interplay, one of Seattle’s longest-standing Managed Services Providers (MSPs), one of the city’s only true MSPs, and one of the friendliest cybersecurity expert teams in the Seattle area, can help.
With a free network security scan from Interplay, you’ll have the info you need to identify vulnerabilities in your network, so you can seal those gaps and improve data security for your business and your customers, starting immediately.