If your company is still grappling with Europe’s data protection laws, then you’ll want to step up your game. You’ll soon have American data protection laws to deal with, too. California’s Consumer Privacy Act (CCPA) goes into effect January 1, 2020 — that’s less than 3 months away. And additional American legislation is wending its way through various state houses in the United States, starting with New York (SHIELD Act).
Regardless of where your company is based, if you serve customers who live in California and New York, you must be compliant or face fines.
Since Europe rolled out GDPR, its landmark data privacy rules, 18 months ago, the online industry, despite having two years to prepare, has been hit with fine after fine for violations. During GDPR’s first year, 90,000+ businesses voluntarily reported breaches as they struggled to attain compliance. This was topped with 145,000+ consumer complaints. As with most legislation, ignorance of the law is no excuse — and likewise, the offender’s intent provides no safe harbor. Regulators pay no heed to whether a breach is accidental or the result of outright negligence. They do, however, levy greater fines for obvious, deliberate, or willful flouting of the law. And EU regulators have famously made an example of some well-known companies.
In January 2019, Google paid a €50 million fine to French authorities for its lack of transparency in the collection and use of personal data for ad targeting. A few months earlier, a Portuguese hospital paid €400,000 for its poor patient record control practices. (For convenience, systems administrators created nearly 1,000 doctor-level access accounts. This allowed almost 1,000 user accounts to have unrestricted access to patient data when there were fewer than 300 actual doctors on staff.) A Danish taxi company was fined 1.2 million kroner after it was discovered they had been hoarding more than 9 million customer records containing personally identifiable information, long after these were required for business purposes. This was in contravention of the GDPR’s requirement to delete customer records when no longer required. And to the cheers of millions, Polish authorities pounced on a spamming operation in their country that scraped email addresses from public web pages and aggregated these for sending unsolicited commercial email. 12,000 recipients from a 90,000-strong distribution list complained, resulting in a €220,000 fine.
This list is far from exhaustive. An online GDPR enforcement tracker is attempting to capture all of the abuses reported by European authorities under the new legislation, including a pending €204 million fine against British Airways for a compromise involving 500,000 of its customers’ payment information.
Comparing the GDPR and CCPA: Some highlights
There are some key differences between the CCPA and GDPR. Broadly, the CCPA is less prescriptive about acceptable practices than GDPR, and even in the case of a reported infraction, the per-incident fine is insignificant unless a very large number of users report the problem.
Minimum standard for being on the CCPA radar. Whereas the GDPR essentially has no minimum criteria for applicability, the CCPA will likely not govern your activity if your revenue is under $25 million and you’re not in the business of transacting the personal data of more than 50,000 users — even if you have a breach. But if you do meet the minimum standard, your service gets compromised, and user data is breached, the CCPA bites down significantly harder than GDPR.
Extent of fines. GDPR has caps in place to ensure that fines do not exceed a significant portion of an offender’s revenue, but the only limit to the fines that could be levied against a CCPA offender is the number of users affected. The CCPA sets out a per-user fine of $100 – $750 or actual damages (whichever is larger) for even an unintentional breach, so a smallish web service experiencing a breach of 1 million user accounts could easily be fined out of existence.
User opt-out vs. opt-in. Under the CCPA, users must opt out of information sharing with third parties, whereas GDPR demands that users explicitly opt in. In more general terms, the CCPA is more lenient (though it emphasizes different attributes) around proactive disclosure and handling of minors. Speaking broadly, if your service is GDPR compliant, your practices will generally meet or exceed the expectations of the CCPA.
Less than half of companies appear ready
The extraterritoriality of GDPR means that if your business serves European customers, you’re obligated to meet this legislation’s stringent requirements, regardless of where your company is located. Similarly, if you’re operating in or serving customers in any way in the United States, the New York and California-mandated protections will apply to you and your customers.
According to an August 2019 IAPP and OneTrust survey of mostly US businesses (of all sizes), while 74 percent of survey respondents believe their employer needs to comply with California’s upcoming privacy rules, only around 2 percent said their companies are already fully prepared for it. Despite the growing havoc wreaked by GDPR, only 47 percent of survey respondents expect to be prepared for the CCPA by the January 1 deadline. This is particularly true for organizations that are still not GDPR compliant. If your company isn’t ready, then it’s time to get serious. As GDPR has demonstrated, even a small, localized misjudgment can have huge consequences.
Even if you don’t think either of these laws applies to your business today, it makes sense to apply their standards anyway. Non-applicability under the law does not exempt an organization from liability in civil suits in the event of a breach or compromised standards. Both of these laws, and pending legislation across the US and around the world, set a standard that judges may look at when considering cases (as yet untested under these laws) directly between companies and affected customers. And at the end of the day, protecting customers ultimately protects the trust in and reputation of your business and your brand — things that could have a higher value than potential fines now or down the road.
Rakesh Soni is the Co-Founder and CEO of CIAM service provider LoginRadius.