Did you know that, historically, the US allowed businesses to collect personal information without consent? Well, the year 2023 is when it all changed. Yes, privacy laws were in place and solidified with a “harms-prevention-based” approach – but they were somewhat vague compared to the strict new European Union’s General Data Protection Regulation (GDPR) inspired laws. The GDPR follows a rights-based approach that allows individuals to effectively own their data. Under that presumption, they have a legal right to control it.
Still, not all of the US is adopting the new GDPR-inspired law. California started (actually, they started in 2018 with the California Consumer Privacy Act), and Colorado, Connecticut, Utah, and Virginia followed. What do the changes mean for data privacy compliance that businesses should follow?
Read on to find out.
What’s Data Privacy Compliance?
Data privacy compliance refers to the practices businesses adopt to ensure they adhere to data protection laws. It encompasses setting up systems that safeguard customer information, obtaining their consent for data use, and strictly following procedures outlined by different global and regional regulations. To do this, companies should have strict data policies that all employees must be aware of to prevent data breaches. According to Statistics, even with stringent data privacy policies in place, 1,802 cases of data breaches were recorded in 2022, affecting over 442 million people due to data leakage.
This is an industry that is constantly evolving in order to keep up with mounting threats against businesses and consumers. There’s an entire glossary of online privacy terms, acts, regulations and acronyms to stay on top of just to stay compliant, and the situation is only going to grow more complex as data brokers and cyber criminals look for new ways to exploit internet users.
Poor data compliance can mean a lot of different things, from a failure to dispose of sensitive data appropriately to poor security measures and a lack of internal training on data privacy.
How are Laws Changing?
The US is confusing. There isn’t one single data law that businesses must follow. Instead, there are multiple federal and state data laws that apply to different states for different types of data, such as consumer data or healthcare data. For this article, we’ll focus on consumer data. It’s far different from the comprehensive GDPR, but that’s now what some states are trying to replicate and imitate.
The California Consumer Privacy Act of 2018 was the first to home in on consumer data and gave consumers more control over their data. Under the California Consumer Privacy Act, businesses must enable users to opt out of their personal information collection practices. This isn’t exactly the same as GDPR, under which businesses must obtain their customers’ consent in order to store and use their data.
However, this year, the California Consumer Privacy Act of 2018 became the California Privacy Rights Act 2023 (CPRA). The new law enforces the following:
- Consumers can opt out of the sales of personal information.
- Consumers can limit the processing of sensitive personal information.
- Implements data minimization and purposes limitation principles.
- Businesses must honour CPRA consumer requests.
- Consumers must receive a privacy notice.
- Establishes a data retention period.
How Can Businesses be Compliant?
For compliance, businesses must understand the general federal laws and the laws that apply to the state – if a business resides in California, Colorado, Connecticut, Utah, or Virginia, those laws have changed. There should be a requirement for all employees to have a complete understanding of the laws and company policies.
A company can comply with data protection and privacy laws, but if there are no company policies in place, there’s a total lack of control over the data. These policies should include everything, from data collection to storage and destruction. For businesses, that should also include regularly updating the privacy policy and reviewing storage and usage processes.
The Implications of Compliance Failure
Two words – financial and reputational. In 2022, the average cost of a data breach was $9.48 million. Once a data breach occurs and the personal information leaks, that leak can lead to financial implications for consumers, and thus, lawsuits can follow.
Reputational implications from massive data breaches can destroy a business. According to statistics, 60% of small businesses that experience a significant data loss find themselves forced to close within six months. Larger businesses have more financial meals to deal with the disruptions, but SMEs don’t fare as well.
Read More Click Here
