GDPR, the CA Consumer Privacy Act and You: 6 Essential data privacy questions answered
My thirteen-year-old son provides me with constant reminders of just how unconnected I am with the current generation. “You’re still using that social media application? Only moms and people over 30 are using that,” he noted. And I guess he’s right. I am both of those things.
Although my embracing of the digital age largely consists of sharing pictures, “liking” pictures of my family and friends, and a fair share of online purchasing to help manage our household, I never gave much thought to where my personal information was residing and how it was being used – until recent years. But it’s my information after all. Shouldn’t I know where my personal data is and who is viewing it?
The answer is yes.
New laws and legislation are being enacted around the globe, such as the General Data Protection Regulation (GDPR) in the European Union and, more recently, legislation passed in California. What does this all mean? And will other states follow California’s lead?
First, the basics
What is GDPR?
Effective across the European Union (EU) in May of 2018, the General Data Protection Regulation (GDPR) set guidelines for the collection and processing of personal information of individuals within the EU. GDPR includes principles for data management and the rights of the individual, and it also imposes fines that can be revenue based. GDPR covers all companies that deal with data of EU citizens.
What is this legislation passed in California, and how is it similar to GDPR?
On June 28th, 2018, California Governor Jerry Brown signed data privacy legislation, which looks to provide California consumers with more control over the use and management of their personal information. The California Consumer Privacy Act, similar to GDPR, gives consumers the right to request that a business that collects personal information about them disclose information such as:
- The categories of personal information collected.
- The specific pieces of personal information collected.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
Supporters believe this is a step in the right direction in setting standards that other legislatures across the country will look to adopt. Initial opponents of the legislation, which included companies like Google, Facebook and AT&T, showed concern related to both implementation and impact.
The impact now and later
What does this mean?
For Georgia residents, the California Consumer Privacy Act should technically have little impact, but my gut (and research) tells me that the impact of this legislation will be felt much more broadly. Most major companies that deal in consumer data have California-based customers. These companies could choose to either apply any needed reform of their data privacy protections globally or apply a one-off approach for treating Californians differently from everyone else. I imagine the last option could prove to be more expensive.
What’s to come?
Much of the discussion around technology this year has been driven by concerns over data privacy, especially with news of the Cambridge Analytica scandal and massive data breaches, one of which was here in my hometown of Atlanta. The digital age continues to expand its role in our daily lives and sensitive information continues to be housed in applications and with other third parties. Although California’s legislation will be a work in progress, other states such as South Carolina and Alabama have already passed data protection legislation as well. I’d argue that a standard is being set and legislatures across the country will soon look to implement it in their states.
How to prepare
What can I do to prepare/protect myself now?
Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, recommends we try some of the following to limit or reduce the accessibility of our data online:
- Limiting our oversharing on social networking sites.
- Limiting our oversharing of personal information with social networking platforms.
- Turning off location services and frequently deleting cookies on our devices.
- Logging out of social media sites while we browse the web.
- Skipping out on signing up for store loyalty cards.
Additionally, there are browser add-ons that can help us to see and block tracking requests as we spend time online. There are also search engines that promise not to collect or share our information and even allow for anonymous internet browsing.
What can I do to prepare/protect my company’s consumer data?
This challenge is not a small one, especially considering the number of data points that have been and continue to be collected about many of us. Vetting and monitoring third-party applications that are used, limiting access to consumer data, and collecting only data that is necessary for business objectives are a few options that should be considered. Being transparent, accountable and setting an appropriate tone from the top around data collection and handling will go a long way in illustrating a company’s commitment to data privacy.
Final thoughts
Time will tell how this will impact the way in which we operate online. But regulations that provide consumers more control over their information are sure to receive a lot of “likes.”
Journet Greene is a Senior Manager in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley (SOX) initiatives, internal audits, SOC audits, and other compliance engagements. Corporations call on Journet to build strategies to identify and manage potential risk.