The global proliferation of data privacy laws is expected to continue in 2023, with many countries enacting or expanding their digital consumer protection legislation.
Data privacy legislation has significant ramifications for enterprises operating at a global scale.
Consumer data is, of course, one of the best ways for enterprises in virtually any industry to understand their customer profiles, reach new audiences, and drive revenue. This data also plays an integral role in target marketing and helps companies carefully craft and enhance the user experience.
However, using this kind of data to specifically target consumers has become problematic, as it has resulted in privacy violations and misuse of data.
As a result, distrust among consumers has grown and governments around the world have strengthened their data security laws, providing consumers with greater control over their personal data and more transparency around how it’s used.
Data Privacy Legislation’s Effect on Enterprises
The most significant impact on enterprises comes in the form of investment required to be compliant. Starting at roughly $100,000 and upwards from there, the cost of implementing systems that ensure compliance with the many data privacy laws can make it difficult, if not impossible for small businesses to comply with such regulations fully. However, failure to have compliant systems in place results in hefty fines (some reaching tens of millions of dollars). While large enterprises have more extensive budgets and access to experienced legal and security teams to ensure compliance, small businesses are disproportionately affected by compliance regulations.
Then there is the “simpler” issue of transparency and openness about what data is being targeted, stored, and used. Consumers are demanding this transparency from enterprises they support or that collect their data, which is spawning new regulations. In addition to the fines, enterprises that fail to provide consumers with the level of openness they expect can adversely affect their brand image and deteriorate consumer trust. In fact, half of Americans have recently decided to forego purchasing a product or service because of data privacy concerns.
GDPR, CCPA & Other Data Privacy Laws in 2023
Adding to all of the challenges we mentioned above, data privacy is tackled differently throughout the world. Most notably, in 2018, the EU implemented sweeping data privacy legislation for all residents, known as the General Data Protection Regulation (GDPR).
While the US lacks a federal privacy law, the California Consumer Privacy Act (CCPA) went into effect in 2020 and is similar to GDPR. Most US businesses are required to comply with the CCPA if they serve customers or collect data from California residents, even if they don’t have a physical presence in California.
In addition, many other countries have their own laws related to data privacy and/or consumer protection which can further complicate matters for multinational organizations. For example, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), Japan has the Act on the Protection of Personal Information (APPI), Australia has its Privacy Amendment (Notifiable Data Breaches) Act 2017, and there are many more.
To help you understand more about data privacy laws and how they can affect your enterprise, we’re offering a summary of some of the more common ones below:
General Data Protection Regulation (GDPR)
Every business must comply with the GDPR if it does business in or with the EU, regardless of where the company is located. This single set of data protection laws is universally applicable. It covers all forms of communication, both traditional and electronic. Because electronic communication is also affected, the GDPR has had a significant impact on IT data processes, including data classification, encryption, security, and portability.
The GDPR is mandatory, and failure to comply comes with severe fines that can go up to 10 million euros or 2% of worldwide revenue, whichever is higher. This shows just how seriously the EU is taking the issue of protecting consumer data. the GDPR protects what information is stored and what organizations and enterprises can do with the data, giving consumers the right to object and correct collected data. It also gives consumers the right to be forgotten.
For companies to collect consumer data, they must get consumer consent first. Even with consent, they may only collect data related to well-defined business objectives. Data that is collected cannot be used for any other purpose other than its related objective. Should there be a personal data breach, a response is required within 72 hours and access to requests within 30 days.
The GDPR also enforces strict data residency requirements. Data collected from individuals in the EU must be stored on servers that are located within the EU, and the business must notify people if that data is transmitted to a server or computer outside of the EU.
Because of these data residency requirements, recent case law has called into question the legality of popular web services like Google Analytics and Google Fonts. Both of these services transmit user information to the US for processing, which has led data watchdogs in the EU to warn businesses that they might not be legal and that using them could expose those businesses to financial penalties.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
CCPA protects the collected personal information of California residents. Just as with the GDPR, any company that wants to do business in California or with people residing in the state must comply.
Essentially, CCPA requires enterprises to always inform consumers when and how data is collected. Additionally, individuals must have the ability to access, correct, and delete all information collected on them. CCPA also requires them to disclose information on their data collection in an easy to find Privacy Policy. This Privacy Policy must be accessible from the site where data is collected.
The State of California took its first major CCPA enforcement action in August 2022, levying $1.2 million in fines against the personal care brand Sephora. The company was found to have neglected to provide customers with adequate notice of its data collection policies with respect to third-party tracking tools on its website and mobile app.
CPRA will go into effect on January 1, 2023. It expands on CCPA in several ways. It strengthens the data privacy rights of California residents and makes them even harder to ignore or circumvent. It also introduces a new category of personal information, called “sensitive personal information,” which includes health-related information, financial account numbers, biometric identifiers, and more.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is the primary Canadian data privacy law and sets out rules for how businesses must protect personal information collected through commercial activities. It applies to all companies operating in Canada.
Under PIPEDA, businesses must inform individuals of the purpose for collecting their personal information, obtain consent before collecting it and use it only for those purposes. They must also protect all collected data from unauthorized access or disclosure. Businesses must also disclose any data breaches that might endanger an individual’s privacy to affected individuals as soon as possible.
It is possible that Canada will strengthen its privacy legislation in 2023. Bill C-27 was introduced in 2022, and if approved, it will enact three major pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. These regulations, if approved, will replace and strengthen pieces of the current PIPEDA legislation and bring Canadian privacy laws more in line with those in Europe.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS law protects credit card information, dictating how such data is processed, stored, and transmitted. This law stands out as it is not mandatory. However, there is a strong court precedent to ensure compliance.
If you have a system dealing with credit card information, PCI DSS requires your system to have a firewall installed, robust password protections, encryption, access credentials, access logs, periodic testing for vulnerabilities, and to ensure that physical access to the server is locked securely.
An independent body created by American Express, Discover, JCB, MasterCard, and Visa, known as the PCI Security Standards Council, oversees PCI DSS compliance. This body functions independently and serves to protect both merchants and customers.
This privacy law just makes good business sense. Non-compliance puts businesses at risk of malicious attacks and data theft. More directly, the organization would jeopardize their brand image, experience an interruption in sales, be susceptible to privacy-related lawsuits with fines as high as $100,000 each month, as well as higher transaction fees.
Children’s Online Privacy Protection Act (COPPA)
COPPA aims to protect the data of children under 13. This regulation works by placing the guardian or the parent in charge of the information collected on a website. Any company that wants to collect data on users under 13 must first get parental consent.
Enterprises that deal with children’s products and content deal with COPPA frequently. The FTC has guidelines to determine what content is considered children’s content. The deciding factors for children’s content include the subject matter, visual content, use of animated characters, age of actors, language used, etc.
Since its implementation, COPPA has forced YouTube to drastically change its operating model regarding children’s content after being fined $170 million for violations. As per their new operating procedures, videos for kids do not come with notifications, have closed comments, no advertisements, or any kind of info card or a community tab.
Each COPPA violation can go up to $43,280 in fines.
New York SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act is the counterpart to the law in California. It enforces the privacy behavior of all enterprises and organizations, regardless of size, that holds New York State residents’ data.
The SHIELD Act has two main parts. The first part requires all data breaches be reported and disclosed to New York regulators. The second part mandates that safeguards be put in place to improve security, protecting the confidentiality and integrity of data collected. However, it does not dictate what specific safeguards a company needs to put in place. Examples include better employee training, updating organizational security programs, risk assessment of the network, periodic system testing, improving data storage, or the disposal of data when it is not of any more use.
Each violation can be punished by up to $5000 in civil penalties.
The Health Insurance Portability and Accountability Act (HIPAA)
Privacy in healthcare is critical to protecting patients’ rights, but as healthcare goes “virtual,” data privacy and storage are critical. The HIPAA Privacy Rule focuses explicitly on patients’ data privacy, protecting their medical records and other personal health information.
The HIPAA Privacy Rule applies to health and insurance plans and healthcare providers that conduct care transactions electronically or store patient information and data online. It sets limits and conditions on when somebody can use patient data and personal health information without the patient’s consent. Additionally, it protects a patient’s right to examine and obtain a copy of the health record and request corrections.
Like other privacy laws, non-compliance has severe repercussions and can even be considered negligence. Individual violations carry a fine between $100 and $50,000. But, there is also a maximum penalty of $1.5 million per calendar year for violations. It’s more than just fines to consider. Some of these violations could even result in jail time for the individuals responsible for the violation.
Compliance & Support for Data Privacy
While a lot is uncertain, there’s no doubt that data privacy legislation will continue to evolve and expand. Gradually, more effective laws shall take shape as consumer concern grows. While this is beneficial for the consumer, more robust compliance regulations mean increased expenses for enterprises as they adjust to stay compliant with evolving data privacy laws. Making every effort to protect consumer data is critical, not merely for the sake of compliance or regulation, but to foster customer trust and protect its brand image. The expert team at Sanity Solutions can help you stay in compliance with a variety of data solutions. Our Sanity Capital program also gives you a flexible financing model to fit your enterprise’s needs to help you protect consumer data and avoid the repercussions of non-compliance. Contact Sanity Solutions today to get your compliance standards where they need to be.