GDPR and the new California Consumer Privacy Act of 2018 are just two of what are sure to be many more regulations designed to protect personally identifiable information. There's no doubt that protecting personal data is important, but a growing number of requirements from a growing number of sources could end up compromising our ability to do so.
It’s been more than two years since the General Data Protection Regulation was ratified in the European Union. Its collective articles outlining the rights of EU citizens to control how their personally identifiable information (PII) is processed and shared between entities were unprecedented when they finally went into effect on May 25. All entities controlling (that is, storing) the PII of EU citizens, or processing that data on behalf of controllers, are now bound to certain rules around how the data is put to use, withheld or even retained. EU citizens are also granted the right to have the entirety of their personal data provided securely to them upon request. The regulation is binding not just on EU companies, but on any entity that processes or controls the data of EU citizens.
While this movement toward data governance in the hands of the citizenry was occurring in the European Union, a businessman in California was driving his own initiative toward protections over personal data in the state. Alastair Mactaggart, a Bay Area real estate mogul, essentially self-funded an effort to collect enough signatures to place an initiative on the November ballot in the state. He got the signatures he needed this past June.
According to California law, such an initiative can be passed in one of two ways: via a vote by the electorate in November, or by the state legislature passing a similar bill before the deadline for revoking initiatives from the November ballot.
Fearing the inability to alter voter initiatives, the text of which is rendered permanent once added to the ballot, the state legislature took the course of passing a similar bill. This allows future legislative bodies more control in tailoring the law in the years to come. The new privacy legislation, known as the California Consumer Privacy Act of 2018, governs how certain businesses are allowed to share and profit from personal data. A “business,” by the definition of the Act, “collect(s) a consumer’s personal information” and does so for more than 50,000 consumers, households, or devices for commercial purposes, or is any business that derives more than 50% of its gross revenue from selling said data. It’s quite easy for even a small business to hit that 50,000 mark quickly, bringing it within the scope of the Act without ever selling a single account’s data to a third party.
Key provisions of the California Consumer Privacy Act of 2018 include:
- Right of access: consumers have the right to require businesses covered by the Act to state what personal data has been collected.
- Right to know where your personal data was sold: businesses under the Act must disclose, to consumers who request it, how their data was sold (or disclosed) to third parties, and who those third parties were.
- Right to deletion of personal data: consumers can require applicable businesses to delete their personal data.
- Businesses are allowed to offer incentives to consumers in exchange for collection of their personal information.
As a consumer, I applaud such measures. I know that as a consumer it’s necessary for certain personal information to be collected to facilitate a transaction, but I don’t want to have my personal data shared with entities I didn’t authorize. I offer up my personal information to allow for the normal course of business I conduct online.
As a business owner, I have to collect certain personal data to conduct business for my Tech Outbound training events: I need addresses for billing purposes, names of both attendees and their guests for name tags, even shirt sizes since we provide apparel for attendees and their guests alike. I need email addresses and phone numbers so I can contact attendees. I also ask for Twitter handles to further facilitate communication. Collection of personal information is needed to perform day-to-day business.
Finally, as a data professional, I understand how important stewardship and protection of all data--PII or otherwise--is. But at the same time, the constantly shifting regulations governing how we manage that stewardship are costly in terms of time and money for all businesses. Each time a new regulation is enacted that alters the cumulative regulatory guidance on data protection, it takes its toll. Resources need to be allocated to rework any practices that are not as stringent as the most stringent regulation currently in place. This requires companies to pull resources from initiatives already in play or to hire additional staff to address new regulatory-mandated changes to data protection.
Unfortunately, I’m of the impression that the GDPR and the California Consumer Privacy Act of 2018 are just the tip of the iceberg. Unless data privacy laws are implemented at the federal level in the United States, we could easily see 50 different flavors of the California Act. Unlike laws, data has no bounds, and each change could require entities to address (and re-address) their data structures, policies and code. Is this a call for action at the federal level? Probably not, just because of the California law. Call me jaded, but I don’t expect the federal government to begin addressing this until we’re already five or 10 states deep in data protection laws.
Considering that we’re a global economy, even federal action won't end the consumer data protection wave. Grab your surfboard--we’re in for some active surf!