With the rate at which technology has been advancing, it was perhaps inevitable for the law to lag behind. But with high-profile data breaches and concerns over how companies are safeguarding data, there has been a worldwide call to codify new consumer data protection laws and strengthen existing ones.
The Global Response to Consumer Data Protection
The European Union first answered this call with the implementation of the General Data Protection Regulation (GDPR). In effect since May 2018, GDPR requires companies to identify a lawful basis to maintain the personal data of individuals within the EU. If a lawful basis cannot be identified, the company cannot collect or process that data. If previously collected data no longer needs to be processed, companies are obligated to remove that data. Thus, under GDPR, companies cannot collect data merely for the sake of collecting data.
GDPR also grants individuals the right to control their personal data. Specifically, individuals can request access to, correction of, portability of, or erasure of their data. Businesses must verify the individual making the request is the same individual about whom the data has been processed and must be able to demonstrate that the action requested has been completed. With this interaction between business and individual, businesses are communicating more often and in greater detail about how they handle data.
Other countries are following the EU’s lead with data privacy. Brazil passed a law similar to GDPR that will go into effect in August 2020. Thailand’s Personal Data Protection Act becomes effective in May 2020. Borrowing from GDPR principles, Brazil and Thailand will grant individuals rights over their data and define the bases for lawful data processing.
Several other countries are currently reviewing draft bills, including India and its Personal Data Protection Bill, while others have announced their intention to pass data protection bills similar to GDPR. Following a large data breach of its citizens’ data, Ecuador’s National Assembly is considering a data protection bill with the same safeguards as GDPR. Additional countries have strengthened data breach notification laws or entered into data adequacy agreements with the EU.
What to Expect in the U.S.
The call for stronger data protection laws is growing in the United States. The California Consumer Privacy Act (CCPA), effective January 1, 2020, was the first U.S. consumer data protection law. CCPA, like GDPR, grants rights with respect to data collected by an organization. In addition to the rights of access and erasure, Californian residents are given the opportunity to opt out of the sale of their personal information. For residents aged 13 years and younger, a parent or guardian must authorize the sale of the personal information. Additionally, if an individual exercises their right to opt out of the sale of their personal information, a business cannot discriminate against that individual for exercising that right. Thus, the sale of a good or service cannot be conditioned upon an agreement with an individual to sell their personal data.
While California has taken the biggest step in passing a consumer data protection law, other states are also moving forward with a similar agenda. Nevada requires websites and online service operators to follow an individual’s instruction to not sell their data. Maine requires internet service providers (ISPs) to obtain affirmative consent from consumers before using their personal information. Washington, New York, Texas, and Massachusetts are just a few of the states that also considered consumer data privacy laws in their last legislative sessions. As states see how California handles its implementation of CCPA, it can be anticipated that more consumer privacy laws will be introduced and passed.
What remains uncertain is whether Congress will ultimately pass a federal data privacy law. While congressional representatives, privacy advocates, and the tech industry have all pushed for a federal law, a consensus has not been reached on what the law should look like. While several lawmakers have introduced data privacy bills, none have advanced. If Congress fails to pass a law in the near future, businesses may be forced to comply with a patchwork of state data privacy laws, leading to additional expense and confusion.
The task of responding to a myriad of global data privacy laws can be daunting. However, implementing a strong data privacy and management program instills trust with customers, enhances reputation, and minimizes the time needed to comply with any newly enacted consumer data protection law. Ultimate Software recognizes this need and is developing technology to assist our customers’ efforts to take an ethical and compliant approach to data management.
This is part two of a multi-part series on data privacy and compliance. Stay tuned for more insights about how Ultimate is handling this crucial issue and learn how we’re leveraging data to support “People First” AI technology.