Posted on June 8, 2021.

Consumer data is one of the best ways for enterprises in virtually any industry to understand their customer profiles, reach new audiences, and drive revenue. This data also plays an integral role in target marketing and helps companies carefully craft and enhance the user experience. However, using this kind of data to specifically target consumers has quickly become an issue for many, with countless organizations looking to take back ownership of their data.

Understandably, consumers are alarmed at the prospect of enterprises collecting and storing their data, with 81% of American consumers believing the risk of such data collection outweighs the personal benefit. The result of this growing concern is an increased focus on legislation aimed at protecting consumer data and privacy. 

GDPR, CCPA & Other Data Privacy Laws 

Data Privacy’s Effect on Enterprises

The most significant impact on enterprises comes in the form of the investment required to be compliant. Starting at roughly $100,000 and rising from there, the cost of implementing systems that ensure compliance with the many data privacy laws can make it difficult, if not impossible, for small businesses to comply with such regulations fully. However, failure to have compliant systems in place results in hefty fines (some reaching tens of millions of dollars). While large enterprises have more extensive budgets and access to experienced legal and security teams to ensure compliance, small businesses are disproportionately affected by compliance regulations.

Then there is the “simpler” issue of transparency and openness about what data is being targeted, stored, and used. Consumers are demanding this transparency from the enterprises they support or that collect their data, and that demand is spawning new regulations. Beyond the fines, enterprises that fail to give consumers the level of openness they expect can damage their brand image and erode consumer trust. In fact, half of Americans have recently decided to forgo purchasing a product or service because of data privacy concerns.

Data Privacy Laws

Adding to all of these challenges, data privacy is tackled differently throughout the world. The most notable example is the EU’s recent implementation of sweeping data privacy legislation covering all of its residents, known as the GDPR.

However, the US lacks a federal data privacy law. While there’s been a push for a federal law, the issue of data privacy is currently being tackled at the state level, using a patchwork of local laws. California and New York have been at the forefront of passing data privacy legislation, and more than 28 other states considered passing similar legislation in 2020.

To help you understand more about data privacy laws, and how they can affect your enterprise, we’re offering a summary of six of the more common ones below:

General Data Protection Regulation (GDPR)

Every business must comply with the GDPR if it does business in or with the EU, regardless of where the company is located. This single set of data protection laws is universally applicable. It covers all forms of communication, both traditional and electronic. Because electronic communication is also affected, GDPR has had a significant impact on IT data processes, including data classification, encryption, security, and portability.

GDPR is mandatory, and failure to comply comes with severe fines that can go up to 10 million euros or 2% of worldwide revenue, whichever is higher. This shows just how seriously the EU is taking the issue of protecting consumer data. GDPR governs what information may be stored and what organizations and enterprises can do with that data, giving consumers the right to object to its collection and to correct it. It also gives consumers the right to be forgotten.

For companies to collect consumer data, they must get consumer consent first. Even with consent, they may only collect data related to well-defined business objectives, and data that is collected cannot be used for any purpose other than its stated objective. Should there be a personal data breach, the breach must be reported within 72 hours, and requests from consumers for access to their data must be answered within 30 days.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS law protects credit card information, dictating how such data is processed, stored, and transmitted. This law stands out as it is not mandatory. However, there is a strong court precedent to ensure compliance. 

If you have a system dealing with credit card information, PCI DSS requires that system to have a firewall installed, robust password protections, encryption, access credentials, access logs, and periodic testing for vulnerabilities, and it requires that physical access to the server be securely locked down.

An independent body created by American Express, Discover, JCB, MasterCard, and Visa, known as the PCI Security Standards Council, oversees PCI DSS compliance. This body operates independently of the card brands and serves to protect both merchants and customers.

This privacy law just makes good business sense. Non-compliance puts businesses at risk of malicious attacks and data theft. More directly, a non-compliant organization would jeopardize its brand image, experience an interruption in sales, become susceptible to privacy-related lawsuits with fines as high as $100,000 each month, and face higher transaction fees.

Children’s Online Privacy Protection Act (COPPA)

COPPA aims to protect the data of children under 13. This regulation works by placing the guardian or the parent in charge of the information collected on a website. Any company that wants to collect data on users under 13 must first get parental consent. 

Enterprises that offer children’s products and content encounter COPPA frequently. The FTC has guidelines to determine what content is considered children’s content. The deciding factors include the subject matter, visual content, use of animated characters, age of actors, language used, etc.

Since its implementation, COPPA has forced YouTube to drastically change its operating model regarding children’s content after being fined $170 million for violations. Under its new operating procedures, videos for kids come with no notifications, no comments, no advertisements, and no info cards or community tab of any kind.

Each COPPA violation can go up to $43,280 in fines.

California Consumer Privacy Act (CCPA)

CCPA protects the collected personal information of California residents. Just as with the GDPR, any company that wants to do business in California or with people residing in the state must comply. 

Essentially, CCPA requires enterprises to always inform consumers when and how data is collected. Additionally, individuals must have the ability to access, correct, and delete all information collected on them. CCPA also requires enterprises to disclose information on their data collection in an easy-to-find Privacy Policy, which must be accessible from the site where the data is collected.

New York SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act is the counterpart to the law in California. It governs the data privacy practices of all enterprises and organizations, regardless of size, that hold New York State residents’ data.

The SHIELD Act has two main parts. The first part requires that all data breaches be reported and disclosed to New York regulators. The second part mandates that safeguards be put in place to improve security, protecting the confidentiality and integrity of the data collected. However, it does not dictate which specific safeguards a company needs to put in place. Examples include better employee training, updating organizational security programs, risk assessment of the network, periodic system testing, improving data storage, and disposing of data once it is no longer needed.

Each violation can be punished by up to $5,000 in civil penalties.

The Health Insurance Portability and Accountability Act (HIPAA)

Privacy in healthcare is critical to protecting patients’ rights, and as healthcare goes “virtual,” the privacy and storage of patient data become just as important. The HIPAA Privacy Rule focuses explicitly on patients’ data privacy, protecting their medical records and other personal health information.

The HIPAA Privacy Rule applies to health and insurance plans and to healthcare providers that conduct care transactions electronically or store patient information and data online. It sets limits and conditions on when patient data and personal health information may be used without the patient’s consent. Additionally, it protects a patient’s right to examine and obtain a copy of their health record and to request corrections.

As with other privacy laws, non-compliance with HIPAA has severe repercussions and can even be treated as negligence. Individual violations carry a fine between $100 and $50,000, and there is also a maximum penalty of $1.5 million per calendar year for violations. There is more than just fines to consider: some violations could even result in jail time for the individuals responsible.

App Tracking Transparency: the Apple iOS 14.5 Update 

While not technically a law, or an act that’s punishable with a fine, the Apple iOS 14.5 update does have major implications for privacy. Prior to the update, users had the option to opt out of data collection. The iOS 14.5 update does just the opposite: instead of opting out, users now have to opt in and consent to data collection by non-Apple apps.

Facebook has taken umbrage at the policy, calling it “an anti-competitive strategy disguised as a privacy-protecting measure.” Facebook is now facing criticism over a Facebook-funded study that claims the update is self-serving and hurts both users who benefit from targeted ads and small businesses that rely on personalized Facebook and Instagram ads to grow.

Compliance & Support for Data Privacy

Data privacy legislation will continue to evolve and expand. Gradually, more effective laws will take shape as consumer concern grows. While this is beneficial for the consumer, more robust compliance regulations mean increased expenses for enterprises as they adjust to stay compliant with evolving data privacy laws.

Making every effort to protect consumer data is critical, not merely for the sake of compliance or regulation, but to foster customer trust and protect your brand image. The expert team at Sanity Solutions can help you stay in compliance with a variety of data solutions. Our Sanity Capital program also gives you a flexible financing model to fit your enterprise’s needs, helping you protect consumer data and avoid the repercussions of non-compliance. Contact Sanity Solutions today to get your compliance standards where they need to be.