
Data Privacy Regulations are Evolving; Are You?

Ross Ingersoll
Executive Risk & Cyber Account Executive, PC

There has been great debate over how involved the government should be in regulating the internet and websites. No matter your opinion, the fact is that a significant amount of your data is out there and largely out of your control.

Cambridge Analytica, the defunct, scandal-ridden information consulting firm, always claimed that Facebook has more than 5,000 data points on each user. 5,000! I can’t come up with unique identifiers about myself close to that number, but it’s no issue for algorithms that companies use every day.

The internet is a deregulated territory where tech and social media companies, in particular, have practiced an anything-goes philosophy.

Data in today’s world has become one of the most valuable commodities, so what’s being done to protect consumers?

Unfortunately, that’s a difficult question to answer as currently the only thing consistent about consumer privacy regulations is, well, inconsistency.

What Do Data Privacy Regulations Look Like in 2020?

As it currently stands, each country and state has its own set of regulations to protect its citizens. The troubling issue companies face is navigating these laws, because what matters is not where you are domiciled as a company but where you are conducting business and/or where the individuals whose information you are collecting, processing, or storing reside.

Let’s explore where we stand:

European Union General Data Protection Regulation (GDPR)

The GDPR has become the flagship law on data protection and one of the few central, federal-level privacy regulations. While it is relatively mature (implemented mid-2018), enforcement, including fines and penalties, is starting to roll in. Maryland-based Marriott International faced a massive GDPR fine of $123 million from UK regulators as a result of its mega breach that impacted the personal data of EU citizens.

Biometric Information Privacy Act (Illinois specific)

Ever been tagged in a Facebook photo at some point in the past decade at the suggestion of an automated tagging feature powered by facial recognition technology? By failing to get consent prior to harvesting this data, Facebook was in violation of the Biometric Information Privacy Act and settled for a staggering $550 million in a class action lawsuit brought on behalf of Illinois citizens.

California Consumer Privacy Act (CCPA)

The CCPA is the pioneering data privacy regulation in the U.S. It took effect January 1, 2020, with enforcement beginning soon…as in July 1, 2020. This trailblazing law is designed to give California residents control and position them to “own” their information through various guidelines surrounding the right to access, the right to delete, and the right to opt out of the sale of their data. It was designed similarly to the GDPR and even gives consumers private rights of action.

The regulation applies to any for-profit business that collects residents’ personal information, does business in the state of California, and meets one of these three requirements:

  1. Annual gross revenues in excess of $25,000,000.
  2. Receives or discloses the personal information of 50,000 or more California residents, households, or devices on an annual basis.
  3. Derives 50 percent or more of their annual revenues from selling California residents’ personal information.

Violations of the CCPA can result in penalties ranging from $100 – $7,500 per consumer, which has the potential to be significant for a company.

On the Horizon for Data Privacy Regulations

The CCPA is the envy of the nation, and almost every state has taken its cue and begun to draft its own privacy laws. New York, North Dakota, and Massachusetts all have laws pending that would put more pressure on businesses and how they handle data.

Iowa legislation has recently pushed a Right to Be Forgotten Act. While this is aimed more at search engines, bills like this continue to show that states are prioritizing empowering their citizens to take back control of their information.

During the Industrial Revolution, businesses that were unregulated took advantage of a laissez-faire environment to pollute, pay low wages, and form monopolies. We’re in the middle of one of the greatest economic and technological transformations in our history, where the collection of data is largely critical for businesses but remains unregulated. As history and recent years have shown, data privacy regulation is coming to provide clarity to businesses and protection to consumers.

While it’s virtually impossible to keep track of every new privacy law and regulation that you may be subject to around the world, many share common principles.

There are many great resources available that will help you navigate these choppy waters and Holmes Murphy is here to help! Just reach out to us.
