The following is a guest post from Jack Carvel, general counsel at Qubit.
May 2019 marks the one-year anniversary of the General Data Protection Regulation (GDPR) becoming applicable, the most substantial change in data privacy regulation in decades. While the GDPR has done significant good in raising awareness of individuals' rights over their data, the story of enforcement has been entirely different.
The surprising lack of large fines and the continued misuse of third-party data, which many thought would cease altogether, have been glaring this past year. This can still change as new legislation arrives: the ePrivacy Regulation, the next element of the EU's data protection regime, which is expected to take effect soon, and a major data privacy development coming to the U.S. on January 1, 2020, the California Consumer Privacy Act (CCPA). In this post, I'll discuss lessons learned from the GDPR after one year and tips for how best to prepare for the CCPA and the more stringent legislation anticipated in the near future.
GDPR: "A+" for awareness, "D" for enforcement
First, let's give credit where it's due: the GDPR has been very good for businesses that have taken it seriously. It has led to healthier customer databases with a clearer understanding of customers and a better insight into their behavior.
Last spring was a bit like applying Marie Kondo's tidying method to data, or spring cleaning it: businesses all over the world went through the process of understanding where their data is stored and what happens to it. Everyone focused on data protection for a few months, making the online world safer and more secure, and the level of scrutiny has improved tremendously. There have been a handful of fines, among them a significant one for Google at 50 million euros, issued by the French regulator CNIL in January 2019. At the outset, many in the industry assumed that such fines would become the norm, but we haven't seen that yet.
An area where the GDPR has been particularly lackluster is in its dealings with third-party data brokers. There's a lot of bad practice out there among companies whose entire business model relies on selling second-hand or third-hand data. This data can be easily copied, disclosed and fed to other parties without the consumer ever knowing, and it was probably obtained in the first place without consent or any understanding of what was being collected and why. With the GDPR, many expected that to end, but the regulators have not gone after these abusive data practices.
There are also smaller companies in the U.S. (and in other jurisdictions outside the EU) that are not complying with the GDPR's standards. They don't have the resources to comply with multiple data regimes and they don't have in-house counsel to monitor compliance, so they simply accept the risk. When such a company has a breach, there's very little transparency, because regulators have no way to verify the accuracy of its statements. Non-compliance is nonetheless a very risky strategy. Consumers are becoming much more aware of their data rights and the value of their data, so while a company may avoid fines, it is risking its brand equity and reputation should it experience a data breach, and that may be even worse than fines.
Stricter enforcement could be coming
Anticipated data privacy regulations may change the game on enforcement. One significant development is the ePrivacy Regulation, which sets rules on cookies, what consent is needed, whom companies can email and for what reasons, tracking and so on, adding a more definitive layer on top of the GDPR's broader concept of personal data. This is likely to trigger more enforcement, because regulators will apply the GDPR and the ePrivacy Regulation jointly, though it's still months away.
Another law on the horizon that will change how businesses operate is the CCPA. What's key here is that this is the first legislation of this type rooted in the U.S. We may not be seeing as much buzz around it, perhaps because it's not a federal law, but companies that do not prepare may be very unpleasantly surprised by the penalties: civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, plus statutory damages of up to $750 per consumer per incident in the private lawsuits the CCPA allows after a data breach caused by inadequate security. That can add up to a considerable sum and may be devastating for a smaller business.
Some advice for retailers
Retailers, especially those in the U.S. that have not gone through the rigorous process of preparing for the GDPR that global companies have, must consider the significant advance preparation needed to comply with the upcoming rules. California is likely to be stricter in imposing hefty non-compliance fines than what we've observed with the GDPR. Large global brands may already be prepared for the CCPA, due in part to their GDPR preparations and the painstaking data scrutiny that has existed in Europe for some time. Smaller businesses, however, may be caught off guard by the rigorous data privacy and compliance investigations that are coming. Here are some tips to help U.S. companies, and any company that wishes to continue doing business in California, prepare for the upcoming legislation:
- Even though the CCPA doesn't formally require it (the GDPR does, in Article 30), creating a record of processing should be the first step: identify what data you're collecting and exactly what you're doing with it. This tells you whether and how the CCPA applies to you, since its thresholds depend on annual gross revenue (over $25 million), on how many consumers, households or devices you buy, receive, sell or share personal information for (50,000 or more), and on whether you derive half or more of your revenue from selling personal information. You must walk into the process with a thorough understanding of all of this.
- Of course data is valuable, but more data doesn't necessarily mean more value. If you don't know why you're collecting it, get rid of it. Data that isn't useful to your company is just costing you money to store and is increasing your exposure in a data breach. Deleting data can feel scary, but it's an incredibly empowering step to take, and will ultimately make your data-driven decision making more efficient. Many companies have seen increased conversion rates and more effective targeting when using clean data sets.
- The GDPR requires a data protection officer in some cases. This is a good idea in general: make someone accountable for data privacy and for preparing the company to meet its obligations under the applicable legal regimes, and make sure this individual has high visibility. The CCPA requires neither a data protection officer nor, as the GDPR does, that such a person report directly to the highest level of management; it would nevertheless be a very good idea to ensure that senior management is well aware of what this person finds.
- Reach out proactively to your vendors and partners to understand what happens in specific scenarios: if a consumer exercises a right, would they be able to help you meet the statutory deadline (one month under the GDPR, 45 days under the CCPA, each extendable once)? Talk through the process. When you start this conversation with the other parties your business works with, it will quickly become clear whether they will be able to help and comply.
- Understand the positive benefits of data privacy laws to your business. These policies empower companies to make their customer databases healthier and more active, reduce costs related to data storage, and develop more personal communications to those individuals who want to receive them.
- Make it fun. End users are much more likely to understand and consent to your data handling practices if you use plain, simple language and show them the benefits of what you're doing. If you can't justify the collection, perhaps it's worth reconsidering whether you really need the data at all.
It may not be easy to develop and execute processes for compliance, but when this is done, it will make the world a better place. And for well-prepared companies, it can even mean a boost for their business.