Progressive state data privacy laws — new in 2020
2020 is going to be a big year for companies to pay attention to their data privacy practices. On January 1, the California Consumer Privacy Act (CCPA) goes into effect. It’s a “far-reaching law that will put some of the world’s strictest rules on how tech companies — many of which call the state home — handle and collect user data,” say Cyrus Farivar and David Ingram of NBC News.
Consumer advocates have been calling for legislation like this for so long, it may sound too good to be true. Some might point out that we need this kind of protection at the national level, and that is the hope of the proponents of California’s new law. They’re counting on companies not wanting to make a special website just for Californians.
As usual, California and Europe (with its newly minted GDPR, effective May 2019) are pushing the envelope and forcing American legislators to deal with these issues.
Other states are working on their own consumer privacy legislation. Here are some highlights compiled by Comparitech.com:
· Maine introduced a new data protection act in 2019 that stipulates internet service providers cannot “use, disclose, sell, or permit access to customer personal information” without customer consent, save for certain exemptions such as complying with a court order
· Nevada passed an act on October 1, 2019 that allows customers to opt out of online data sharing
· South Dakota passed a shield law to protect journalists in March
· Utah passed a bill in 2019 that prevents a wide range of providers from handing over user data to law enforcement without a warrant
· State scores moderately correlate (r = 0.4) with how they voted in the 2016 presidential election. Those that voted for Clinton tended to have higher privacy scores.
Federal proposal pushes to slap more than wrists
The California act is an encouraging sign to those working for consumer privacy protection at the federal level. Senator Ron Wyden (D-OR) has proposed the Mind Your Own Business Act, an update to a similar bill he brought forward in 2018. Between the two proposals, he has spent the year improving the bill by consulting data privacy experts and working to gain supporters.
The Mind Your Own Business Act proposes to allow state attorneys general to enforce the data privacy regulations, as California’s attorney general, Xavier Becerra, is preparing to do. The proposed legislation also allows privacy watchdogs to sue companies on behalf of people affected by data violations. In addition, it imposes tax penalties, based on the executive’s salary, on companies whose CEOs lie about privacy practices.
For example, one current federal privacy law is the Children’s Online Privacy Protection Act (COPPA). In September 2019, YouTube was fined $170 million for violations, the largest fine ever levied under this act. For Google, which owns YouTube, however, the fine was seen as a slap on the wrist, given that it amounts to about 2 days’ worth of profit.
Under the Mind Your Own Business Act, fines of this nature would be heftier, going up to 4% of the company’s annual revenue for a first-time offense. Had that been in effect when the FTC fined YouTube, the fine would have been $4.64 billion rather than $170 million.
Wyden responded to Facebook’s recent record-breaking fine of $5 billion (which amounts to less than one-quarter of its revenues in 2018):
“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” Wyden said in a statement. “A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.”
Wyden’s proposed punishments also include 10 to 20 years in prison for senior executives who lie about their privacy standards.
What about you?
In short, 2020 could cost your company a lot of money if you aren’t paying attention to the way you are protecting your users’ data. IBM found that the average cost of a data breach in 2019 so far is $3.92 million globally and $8.19 million for companies in the U.S. Ouch.
So where do the solutions lie inside your company? In many businesses, the compliance department is set up as a watchdog. They’re constantly reacting to problems, putting out fires.
It’s time to get proactive. Security and consumer data privacy begins with developers and engineers. Start building your software and apps with the protection of your customers in mind.
Failing to prepare with careful measures to guard against data breaches and unauthorized selling of data could cost you millions or more, as state and federal regulations are ramping up consumer protections. In this environment, where trust in corporations is low and executives are being called to account for their shady or unwise choices, your company can stand out as a pioneer in consumer protection.
StrongSalt’s encryption-as-a-service API is giving enterprises a lifeline to stay compliant, profitable and safe. StrongSalt is building privacy from the inside out by making encryption a standard protection for consumer data.