We’ve all been in this somewhat annoying situation: you’re on a website, and a little notification window pops up asking if the website can ‘access cookies.’ What most consumers don’t know is that these cookies are really your personal data. And when they click yes, that data often gets shared far beyond just that website.
Within the last year, California has become the first state to further a growing commitment to protect the rights of individuals to privacy of information. The California Consumer Privacy Act (CCPA) was passed with the intention that it would help provide California citizens with more protection from larger entities that may want their information or data. As of right now, it is in the process of being implemented and will be fully effective in July of 2020.
The basics of the CCPA are that California residents can understand what personal data is being collected about them and whether this personal data is being viewed, sold, etc., and that they have the ability to access the personal data that a company is either in the process of collecting or sharing.
CCPA affects the following types of companies: companies that do business in California and have annual gross revenue of more than $25 million, annually buy, share or sell personal data of 50,000 consumers or more, and derive 50% of their revenue from selling personal information.
If this sounds at all familiar, that’s because it is. The EU passed a regulation in 2016 called the General Data Protection Regulation (GDPR), which focuses on data privacy and protection for everyone who lives within the EU. Similar to the CCPA, GDPR gives individuals the right to privacy and their personal data. The CCPA is more focused on transparency and providing limitations to the amount of personal data that can be sold and gathered.
GDPR is much broader and focuses on more than just regional companies. There is also no revenue floor for the companies it affects; it applies to all established data controllers and processors in the EU. Since GDPR, the US has made an effort to give control of personal data to its residents. While California was the first state, the trend has caught on quickly, with New York, Massachusetts, Georgia and other states starting to draft their own similar regulations.
As more and more states begin to focus on individual data privacy, it has others wondering what this means for the US as a whole. Will states continue to outline their own ideas about data privacy, or will the federal government as a whole create something similar to the EU’s GDPR?
This could impact larger entities that collect data on their customers, or companies that make a majority of their revenue from selling or sharing their users’/consumers’ private or personal data.
For example, Facebook recently received an enormous amount of backlash when it shared the profiles of unknowing and unwilling people with Cambridge Analytica.
So, what will companies have to do in order to adhere to CCPA?
First and foremost, they will have to inform their consumers that their data is or might be collected. They will also have to comply when individuals request their personal information. If any resident of California (or any company that does interstate business with California) asks to see the information that is being gathered and potentially shared, the company has to disclose it.
As with any new regulation that could impact a wide range of contracts, removing the risk of non-compliance with CCPA will involve isolating which contracts need updating, and why, in order to kick off an organized repapering process.
Large companies need to be thinking strategically about their roadmap to full compliance and choosing the right people, process, and technology to execute that roadmap.
Claire is a Marketing Coordinator at Heretik. She recently graduated from Miami University Ohio with a double major in Journalism and Mandarin Chinese. Prior to Heretik, Claire worked at Amdur Productions and for Miami University College of Arts and Science.