2020 brought with it a number of changes to the regulations covering data privacy in the United States and worldwide. For many companies that often means understanding multiple foreign laws since they need to adhere to the data privacy laws of the country where their clients reside.

Federal, state and international regulations are applicable to all companies that store any kind of digital data. With recent amendments to California’s digital privacy law, the California Consumer Privacy Act (CCPA) that came into effect on January 1, 2020, regulations are now more stringent than ever before.

Understanding these laws and the effects they will have on your data management will help to ensure that your data security measures are compliant with all of the current regulations. 

A brief overview of US Federal and State Laws 

The United States doesn’t have a comprehensive federal law for data security, but the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act which came into effect on March 23, 2018 affects any US and international businesses that use cloud-based technology solutions housed in the United States. 

This act allows American law enforcement to request access to any data as long as it is stored in the United States, including the customer data of services such as Amazon, Google, and Microsoft. While, technically, the requests are limited to law enforcement, it does include the provision for the American government to enter into agreements with other countries allowing them access to the data as well.

The California Consumer Privacy Act (CCPA) affects any business that has annual gross revenues in excess of $25 million, possesses the personal information of 50,000 or more consumers, households, or devices; or earns more than half of its annual revenue from selling consumers’ personal information. While these requirements may seem like they only apply to larger businesses, it is easy for a medium-sized business to have a database of 50,000 prospects. 

Amendments to the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020 that require companies to inform their users if their information may be sold. It also requires companies to disclose the monetary value of user data, allow customers the right to refuse 

the sale of their personal information and provide avenues for users to have their data deleted.

Jurisdictionally, the CCPA applies to any business, and not just businesses based in California. The law covers the privacy of California residents, and as such any business which collects any form of information on Californians is subject to it, both nationally in the rest of the US and internationally. 

International regulations also affect data security

The General Data Protection Regulation 2016/679 (GDPR) came into effect in 2018 in the European Union (EU). It affects any business, including US-based companies, storing data on EU or European Economic Area (EEA) citizens. The GDPR lays out stringent principles regarding data use and transparency, storage, security, and accountability.

If you have any users based in the EU or EEA, the GDPR is enforceable. Personal data must be secure, private, not publicly available and revocable at any time. Users need to be informed of any data collection, its purpose and how it’s being shared. 

Should your company encounter a data breach, it must be reported within 72 hours if it has an effect on user privacy. If not, severe financial penalties can be levied; up to €20 million or up to 4% of the annual worldwide income of the preceding financial year, whichever is greater.

In Canada, The Digital Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal regulation covering any data stored by a for-profit business. Updated in 2018, the PIPEDA governs not just digital information but any private information collected during the course of doing business, what to do in the event of a data breach, and what digital security measures companies need to take with personal information. If you have Canadian customers and a data breach does occur, your company has a duty to record the breach, no matter how small, and notify the Canadian individuals who have had their data breached. If you fail to do so, you may be subject to significant penalties. 

Additionally, three Canadian provinces have separate laws protecting personal information; Alberta, Quebec and British Columbia

All of the data privacy regulations can be confusing. While technically, you should be paying attention to all of them, the GDPR and the California Consumer Privacy Act are the most stringent. If you tailor your marketing, data collection, and data storage methods to these two sets of regulations, you will be covering most of the others. 

These regulations should all be carefully analyzed by your organization in order to create comprehensive policies regarding the collection of customer information, the storage and security of that data and how to respond to a data breach should one occur.

Join us for the rest of this three part series. Part Two will discuss marketing with an eye to data privacy and Part Three will discuss choosing and locking down the right security technology solutions.