The European Union has enacted the General Data Protection Regulation (GDPR), a set of rules that gives residents specific rights over the personal information a company can collect about them.
Closer to home, California has already passed similar legislation. The California Consumer Privacy Act (CCPA) closely mimics the GDPR and is scheduled to go into effect in 2020. If your company collects personal data such as addresses, phone numbers, and e-mail addresses, and some of the individuals that data describes are located in California, you may be subject to this legislation.
Below are the main points of the CCPA:
- Consumers will be able to request the specific information collected about them – at no cost. If you are a business (as defined by the Act), you will need to be able to quickly search, compile, and send data reports to consumers. The critical first step in compliance will be to determine where all of this data currently resides (e.g., email programs, customer lists, key contacts, vendor files, payroll files, cell phones).
- Businesses will need to establish clear policies on personal information – where it is received and stored, what it is being used for, and any third parties with which it is being shared.
- A clear and conspicuous link will need to be displayed on the home page of a business’s website titled “Do Not Sell My Personal Information.” Businesses may need to designate an employee to oversee compliance with consumer privacy laws and stay up-to-date on the various rules and regulations in each state. There will be a great deal of pressure on states to enact rules that are at least equal to the most stringent state.
- Consumers will have the right to request that their personal information be deleted (with exceptions). Therefore, businesses will need to be able to search all of their data sources and delete personal information for anyone who requests it. In addition, businesses must provide equal service and equal rights to those who opt out.
Vermont recently passed its own data privacy law, and many other states have bills in progress to address this issue. Unfortunately for businesses, these rules are just going to become more complex and restrictive. Hopefully, legislation can be created at the national level before that happens so companies are not forced to comply with 52 different rules (as they are today with sales taxes).
Even if you don’t think the state legislation will impact your organization, you may still be affected. If you do business with a company that is GDPR compliant because they do work in the European Union, you will probably receive a questionnaire to determine whether you are compliant. If not, and you gather personal information, you could risk losing the business with that company.
We have already spoken to many clients who have begun the process to become compliant. They are hiring consultants that specialize in this area, and are learning that it’s not a cheap process if you have not done any prep work in advance. At a minimum, start by identifying where this data is currently being stored, how it is being handled, and with which other companies you share the data.
We don’t believe this data privacy trend will go away; in fact, it will likely intensify. We think it is similar to the cyber security trend that began a few years ago – rules and regulations are coming and businesses will be responsible for complying with them. It’s a good idea to start the process now by getting up to speed on current and pending legislation, and determining how it may impact your organization.
David E. Shaffer is a director with Kreischer Miller and a specialist for the Center for Private Company Excellence. Contact him at Email.