Organizations await ‘inevitable’ data privacy rules, but which ones?
The topic of data privacy was front and center on the minds of lawmakers this week as Facebook CEO Mark Zuckerberg went before Congress to discuss how the company manages customer data. One of the biggest takeaways of Zuckerberg’s two days of testimony is that, as Zuckerberg himself said, some form of data privacy legislation is “inevitable.”
But there are already a number of proposed and soon-to-be-enacted data privacy regulations that information managers need to keep a close eye on.
One bill, introduced this week by Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.), would serve as a “privacy bill of rights.” Called CONSENT, it would require companies to obtain users’ opt-in consent before using, sharing or selling their personal data.
Another piece of legislation, the Honest Ads Act, proposed last October by Sens. Mark Warner (D-Va.), Amy Klobuchar (D-Minn.) and John McCain (R-Ariz.), would require online platforms to keep a “complete record” of advertisers who spent more than $500 on political ads in the preceding year.
Then there’s the EU’s General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Any organization, wherever it is based, that processes the personal data of people in the EU must comply. GDPR requires data controllers to protect personal data and to report a breach to the supervisory authority within 72 hours of becoming aware of it; affected individuals must be told without undue delay when the breach poses a high risk to them. GDPR also requires organizations to tell individuals how their personal data is used, and it establishes the right to erasure, the “right to be forgotten,” under which an individual can ask that their personal data be deleted. That right is not absolute: a controller may keep data it still has a legal basis to process, but it must be able to find and delete everything else.
“GDPR in general is going to be a very positive step for the Internet,” Zuckerberg told Congress on April 11. He added that giving users the controls “makes sense to do more.”
Data managers are already making adjustments in accordance with GDPR, according to Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University and former chief technologist at the FTC.
“We are already seeing that impact from companies with a European presence,” Cranor said. “They are updating their privacy policies and controls. They are adding more consent boxes, setting expiration times for data, and making it easier to update and remove data. In general I think there is going to be a lot more tracking of what data is collected and where it goes, and the ability to let customers control their data.”
But IT managers may need to do more if proposed U.S. data governance legislation becomes law.
Creating opt-in requirements for data collection, for example, could affect the bottom line of any company that counts on an advertising revenue stream, noted Charles King, president and principal analyst at Pund-IT.
“That means that companies, including social media giants such as Facebook, would be required to gain users’ explicit permission before commercially exploiting their data,” King said. “That could have a measurable impact on those companies’ ability to generate revenues and be profitable.”
Tighter data regulations could also hinder financial services companies, such as insurers, if U.S. lawmakers adopt the data privacy statutes established in Europe, said Mitch Wein, vice president of research and consulting at Novarica. At a high level, the EU assumes data ownership always remains with the individual, so private information cannot be sold or reused in any way without permission.
That kind of regulation means insurers would be unable to use customer data to recommend and underwrite core products from other lines of business at the point of sale, Wein said. Under longstanding EU data protection rules, which GDPR carries forward, consumers also retain the right to withdraw their consent at any time.
“What if consent is withdrawn, how do regulators guarantee it’s deleted?” Wein said. “Data is stored in the cloud, and in a lot of other places. How do insurers properly delete it?”
One technology offered as a way to keep such records trustworthy is blockchain. Because each block is time-stamped, hash-linked to its predecessor and signed with a private key, a rewritten or removed record is detectable, which makes the structure a natural fit for accountability and authentication: who collected, accessed or shared what, and when. It is a much weaker fit for confidentiality and for the right to erasure. A ledger that cannot be rewritten also cannot delete the personal data written into it, so the usual pattern is to record only a hash or reference on the chain and keep the personal data itself in ordinary storage that can be erased when consent is withdrawn.
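The following is an added example, not code from the article or from any vendor, showing the two patterns side by side: a hash-chained, time-stamped log whose entries carry a keyed tag, with personal data written straight onto the log versus kept off-chain behind a salted commitment. It assumes a single log keeper holding one secret key, and uses HMAC-SHA256 as a stand-in for the private-key signature the article describes (a real deployment would use Ed25519 or ECDSA so that verifiers need only the public key). The sample entries and the `cust-1` record are constructed for the demo.

```python
"""Hash-chained audit log with off-chain personal data (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

KEY = secrets.token_bytes(32)  # assumption: log keeper's secret key, never stored on the ledger
GENESIS = "0" * 64             # back-link of the first entry


def _canon(obj) -> bytes:
    """Canonical JSON so an entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(entry_hash: str) -> str:
    """Keyed tag over the entry hash; stand-in for a private-key signature."""
    return hmac.new(KEY, bytes.fromhex(entry_hash), hashlib.sha256).hexdigest()


def append(chain: list, payload: dict, ts: Optional[int] = None) -> dict:
    """Append a time-stamped entry whose hash commits to the previous entry's tag."""
    entry = {
        "ts": ts if ts is not None else int(time.time()),
        "prev": chain[-1]["tag"] if chain else GENESIS,
        "payload": payload,
    }
    entry["hash"] = hashlib.sha256(_canon(entry)).hexdigest()
    entry["tag"] = _tag(entry["hash"])
    chain.append(entry)
    return entry


def verify(chain: list) -> bool:
    """True only if every entry's back-link, hash and tag are intact."""
    prev = GENESIS
    for e in chain:
        body = {k: e[k] for k in ("ts", "prev", "payload")}
        if e["prev"] != prev:
            return False
        if hashlib.sha256(_canon(body)).hexdigest() != e["hash"]:
            return False
        if not hmac.compare_digest(_tag(e["hash"]), e["tag"]):
            return False
        prev = e["tag"]
    return True


def commit(vault: dict, record_id: str, personal: dict) -> str:
    """Store personal data off-chain and return a salted commitment for the ledger.

    The 32-byte random salt lives only in the vault, so once the vault row is
    erased the commitment cannot be brute-forced back to, say, an email address.
    """
    salt = secrets.token_bytes(32)
    vault[record_id] = {"salt": salt, "data": personal}
    return hashlib.sha256(salt + _canon(personal)).hexdigest()


def erase(vault: dict, record_id: str) -> None:
    """Right to erasure: drop the personal data; the ledger is left untouched."""
    vault.pop(record_id, None)


def demo() -> dict:
    """Run both patterns and return the verification outcomes."""
    # Pattern A: personal data written straight onto the append-only log.
    bad = []
    append(bad, {"event": "signup", "email": "alice@example.com"}, ts=1523404800)  # constructed
    bad[0]["payload"]["email"] = "<erased>"  # "deleting" it means rewriting history
    a_after_redaction = verify(bad)          # chain no longer verifies

    # Pattern B: the log holds only a commitment; data sits in an erasable vault.
    vault, good = {}, []
    ref = commit(vault, "cust-1", {"email": "alice@example.com"})  # constructed
    append(good, {"event": "signup", "subject": "cust-1", "commitment": ref}, ts=1523404800)
    append(good, {"event": "consent", "subject": "cust-1", "purpose": "ads", "granted": True},
           ts=1523404860)
    erase(vault, "cust-1")
    b_after_erasure = verify(good)           # still verifies: nothing on-chain changed

    # Rewriting pattern B's consent history is still caught: without KEY the
    # tamperer can recompute the hash but not the tag.
    good[1]["payload"]["granted"] = False
    good[1]["hash"] = hashlib.sha256(
        _canon({k: good[1][k] for k in ("ts", "prev", "payload")})).hexdigest()
    b_after_tamper = verify(good)

    return {
        "on_chain_pii_after_redaction": a_after_redaction,
        "off_chain_after_erasure": b_after_erasure,
        "off_chain_after_tamper": b_after_tamper,
        "vault_still_holds_pii": "cust-1" in vault,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that integrity and erasability pull in opposite directions: the log proves what was collected and when consent was given or withdrawn, while the only copy of the personal data lives where it can actually be deleted. The same layout also answers Wein's question about data "stored in the cloud, and in a lot of other places": every copy has to be reachable from the vault record, not scattered through immutable history.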
As data privacy regulations become tighter, retailers may need to change how they use geolocation and wireless beacons to track customers’ purchasing preferences. Amazon, for example, relies on archived customer data to decide how to stock its new retail bookstores. Beacons draw data from customers’ smartphones and wearable devices.
New data privacy regulations could also limit how retailers collect insights from mobile payment patterns. They use point-of-sale (POS) data to better forecast sales, boost promotional effectiveness and reduce the number of out-of-stock items.
To keep payment data secure, retailers should also remain compliant with the Payment Card Industry Data Security Standard (PCI DSS), including moving off SSL and early TLS (TLS 1.0) to a current version of the Transport Layer Security (TLS) protocol. The PCI Security Standards Council’s deadline for that migration is June 30, 2018, with TLS 1.2 or later the recommended target.
As for the CONSENT legislation announced this week, don’t look for it to impact data managers in the near future.
“I think we are a long way off from having something actually pass, so for the time being, there will be no impact,” Cranor said. “What the impact is will depend on what actually passes.”
Still, data managers will grapple with other regulations like GDPR for some time to come.