Failure to protect people’s personal information is an avoidable gaffe. Privacy has been a hot topic in the E.U. and the U.S. over the last few years, with new regulations cropping up, like GDPR, CCPA, Privacy Shield, and COPPA. (We’ll explain some of those later.) And Congress has already stated its intention to pass a federal privacy law.
Why should you care about data privacy?
Some believe that consumers aren’t particularly concerned with data privacy, and don’t take the time to read privacy policies. But research shows otherwise.
The problem is that privacy policies are so contrived that it would take more than a week to read the privacy policies for the websites you visit. Who wants to do that?
Today’s privacy policies are simply compliance documents: written for lawyers, not consumers, as a way for companies to cover themselves for mishandling users’ personal data.
A study by Carnegie Mellon found that it would take the average Internet user between 181 and 304 hours each year to read all the privacy policies for websites they visit (and those policies get updated every year).
The GDPR: a practical framework for handling data security
The goal of the GDPR is to unify data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and cohesively shape the way organizations across the region approach data privacy.
To whom does the GDPR apply?
The GDPR applies to organizations located within the EU, as well as organizations located outside of the EU. Article 3 of the GDPR states that if you collect personal data or behavioral information from someone in an EU country, regardless of your company’s location, you are subject to the requirements of the GDPR. However, this only applies to consumers physically in the EU: if an EU citizen is actually outside the EU when they access your site, this would not apply.
GDPR vs. the California Consumer Privacy Act (CCPA)
A new data-privacy regulation in the U.S., the CCPA, goes into effect on January 1, 2020 (the actual enforcement date will be 7/1/2020). This law applies only to businesses (based inside or outside of California) that:
- Generate $25 million in revenue annually
- Acquire information on 50K+ California consumers, households, or devices
- Derive 50% or more of their revenue from the sale of personal information
Where California goes, other states will likely follow. As the California Attorney General’s office gets overwhelmed with compliance violations and complaints, other states will likely become more prescriptive when crafting their regulatory policies. This will likely lead to varying laws across the nation that apply to some companies and consumers, but not all, and that will become increasingly difficult to track. However, lobbyists and members of Congress are talking about creating federal-level data privacy legislation to simplify and align it all.
The best way to proceed: Align with GDPR but keep in mind CCPA
If this all sounds too complicated, just contact us. We’re happy to help you sift through the details and create a policy that’s suited to your business.
This blog post provides information about data privacy laws to help you understand the potential legal issues associated with them, but should NOT be considered legal advice. We highly recommend you consult with a lawyer to determine the application of data privacy laws to your company’s specific circumstances. While we have conducted extensive research to determine that our content here is as accurate as possible, you should consider this blog post as intended for informational purposes only.
* From a 2013 study by the Pew Research Center.