Organizations must adapt to 'norm' under new data privacy regulations
With the increasing value of data, GDPR and California's Consumer Privacy Act of 2018 demonstrate that data privacy policies will continue to be a growing trend in 2019 and beyond.
Businesses should not treat each new policy as a one-time data fix, but as an ongoing process that needs continued critical attention. Retrofitting applications for compliance after the fact is a risky approach; organizations need to treat compliance as their foundation and build applications with the flexibility and agility to adapt how they collect, process and analyze data. This proactive approach also helps organizations prepare their digital IT infrastructure for compliance requirements that have not yet been announced.
The recent decision by the French Commission Nationale de l’Information et des Libertés (CNIL) to impose a fine of EUR 50 million against Google in January 2019 for violations of the GDPR offers a glimpse of what this trend could mean for EU-resident companies, as well as for any non-EU companies that process the data of individuals who are located within any EU member state.
Published only one week before the January 28, 2019 Data Privacy Day, the decision was CNIL’s first enforcement of the GDPR since it came into effect in May 2018, and it resulted in the largest-ever fine imposed in Europe for breach of data privacy regulations. Similar complaints have already been launched against several other major technology companies in France, Germany, Ireland and other European countries.
CNIL’s decision was based on what it referred to as violations by Google of “the essential principles of the GDPR” with respect to targeted advertising: a lack of transparency and a failure to obtain valid informed consent from consumers.
Specifically, CNIL argued that (1) notices were not easily accessible for users, (2) language in the notices was often generic and vague, as well as not comprehensive enough for all data processing purposes, (3) the consent obtained by Google was “ambiguous,” particularly because Google used pre-checked boxes to obtain consent, and (4) the consent was not sufficiently “specific,” in that Google was offering consent only once for all processing purposes and not specifically for each purpose.
International organizations that process the data of individuals in any EU member state should review their current practices to make sure the data processing notices they provide to users are written in simple terms and are comprehensive and easily accessible. Further, they can no longer rely on pre-checked boxes and need to obtain specific consent for each processing purpose. Users must have a real choice regarding each purpose for the processing of their data.
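The consent mechanics described in the two paragraphs above, as an added illustration that is not part of this article: a browser-side consent ledger in which every purpose starts unchecked, consent is recorded only from the user's own action on that specific purpose, and a small audit flags pre-checked boxes or a single bundled "all purposes" choice. The purpose names and the record layout are assumptions for illustration.

```javascript
// Added example (not from the article): per-purpose, affirmative consent.
// Purpose names and the record shape are assumptions for illustration.
const PURPOSES = ["ads_personalisation", "analytics", "account_service"];

// Every box starts unchecked and untouched: nothing is pre-selected for the user.
function buildConsentForm() {
  return PURPOSES.map(purpose => ({ purpose, checked: false, touched: false }));
}

// Record a choice only as the result of a user action on that one purpose.
function recordChoice(form, purpose, granted) {
  const entry = form.find(e => e.purpose === purpose);
  if (!entry) throw new Error(`unknown purpose: ${purpose}`);
  entry.checked = Boolean(granted);
  entry.touched = true;                   // the user actually acted on this box
  entry.at = new Date().toISOString();    // when the choice was made, for audit
  return form;
}

// Processing for a purpose is allowed only with explicit, specific consent:
// the box must have been acted on by the user and be checked.
function mayProcess(form, purpose) {
  const entry = form.find(e => e.purpose === purpose);
  return Boolean(entry && entry.touched && entry.checked);
}

// Audit a form definition for the two consent defects CNIL identified:
// pre-checked boxes, and one bundled choice instead of one per purpose.
function auditForm(formDef) {
  const issues = [];
  for (const e of formDef) {
    if (e.defaultChecked) issues.push(`pre-checked box: ${e.purpose}`);
    if (e.purpose === "all") issues.push("bundled consent for all purposes");
  }
  for (const p of PURPOSES) {
    if (!formDef.some(e => e.purpose === p)) issues.push(`missing purpose: ${p}`);
  }
  return issues;   // empty array means the form passes this check
}
```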
In the absence of a comprehensive federal data privacy law in the US, the California Consumer Privacy Act of 2018 (CCPA) follows in the footsteps of GDPR. As with the GDPR, the CCPA requires companies to provide transparency in how they are collecting, processing and sharing user data.
The new law, which will be enforced as of January 2020, provides new rights to California residents, including the right to be informed about the kinds of data companies have collected from them and the purpose for such data collection. Further, residents must be given a right to access and erasure of any of their data that has been collected, as well as a right to opt-out of any data selling.
As organizations prepare for the CCPA's January 2020 deadline, it will be crucial, as it is under the GDPR, to be able to produce in real time a data inventory and data map of the personal data that falls within the scope of the new law. It will also be critical for companies to address any information security weaknesses and vulnerabilities in their IT systems.
The new regulations, and any failure to comply with them, may significantly affect a company's ability to generate revenue from targeted advertising. Since most nationally operating organizations will have at least some customers in California, the CCPA will apply directly to them.
In addition, in recent weeks, attorneys general of several other states indicated that, with respect to their own state laws on data privacy, they are looking to the California model for guidance.
The CNIL’s decision to issue a $50 million fine against Google for GDPR violations should be a wake-up call for organizations that rely on consent for the processing of user data. Similarly, the upcoming CCPA compliance deadline means companies need to act now if they have not yet made data privacy compliance a key element of their business practices.