This week, the General Data Protection Regulation (GDPR) marks its second year of enforcement as a standard set of requirements to protect consumer data and privacy across the European Union. And even as some organizations continue to struggle with compliance, and despite BREXIT complications, GDPR is now solidly the law of the land for any company or organization wishing to do business in the EU.
Why is that important? It’s because by forming a single set of adopted standards across the EU, organizations have a common and comprehensive set of rules to help guide the way they responsibly market in that region. The approach is the opposite of the U.S., which lacks a national standard and instead allows individual states and industries to form their own laws.
However, achieving an agreed-upon set of privacy rules wasn’t easy for the EU. It took four years to develop and approve GDPR and two more years to give businesses time to gain compliance before it was enforced.
But once completed, GDPR gave citizens of EU countries one of the strongest mandates ever handed down to protect their identities and dictate how their personal data is used. Now they have the power to instruct any marketing function, promotion, or website to remove their information within 30 days and require companies to notify them if their data is being used and seek their permission to market to them.
Any company or organization that fails to comply with these requirements can face a penalty of 4 percent of their global turnover, or up to €20 million. Some of the most substantial penalties so far have been handed down to UK British Airways ($230 million), Marriott ($123 million), and US Equifax ($575 million).
After two years of enforcement, GDPR has become the overarching model for other consumer privacy laws.
“When the European Commission started drafting GDPR, they took a look at common data practices, issues, and challenges across EU countries. And they aligned with leading international standards like ISO 27001 used by several countries to govern data use through specific requirements,” said Alan Cook, an IT compliance consultant in the UK. “And so by drawing on those collective practices, they were able to put together a single set of comprehensive requirements that businesses from all countries can follow. It really takes the guesswork out of how you manage personal information of your customers and prospects.”
U.S. businesses, however, are forced to navigate a variety of U.S. and industry compliance measures, which makes it far trickier to follow, and opens the door to potential slip-ups.
“What that means is that U.S. companies now need to take time to review registration lists, or business cards, or any other form of information to verify where the prospect lives,” Cook said. “They have to also look at information online for any potential leads that might come over their website. At the same time, there’s a whole host of other requirements U.S. companies must check off when working and managing customer data from overseas.”
Also, U.S. companies must juggle compliance with various other state and industry data privacy regulations, such as the recently enacted California Consumer Privacy Act (CCPA), patterned on GDPR. And if the company is in the banking or financial market, they have to adhere to the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain how they share and protect their customers’ private information. The same applies to companies in the healthcare industry with the Health Insurance Portability and Accountability Act (HIPAA).
Of course, the same complexity can be experienced by a UK company doing business in the U.S.
The full alphabet soup of state data privacy laws includes:
Similar to many aspects of GDPR, CCPA dictates how businesses worldwide manage the personal information of California residents. The law was enacted in January and applies to for-profit companies that sell the personal information of more than 50,000 California residents annually, or have annual gross revenue exceeding $25 million. Residents must be informed their data is being used and given the option to opt-out. Fines can range from $7,500 per violation and $750 per person affected.
Last July, the state of New York approved the “Stop Hacks and Improve Electronic Data Security Act” (the “SHIELD Act”), serving as an update to the state’s data breach notification and cybersecurity laws. The new law adds three types of personal information to be protected, including credit and debit card account numbers, biometric information, and username or e-mail addresses. It also expands the definition of a “breach” to include any unauthorized access to private information. This law applies to all companies regardless of revenue size. Fines range up to $750 per person affected.
Massachusetts Data Privacy Law
Massachusetts updated its data breach notification law in April 2019 to, among other things, change the way consumers are notified of a breach involving their personal data. Before the new law, organizations were required to alert individuals after a breach occurred. The new law focuses on incorporating security measures that prevent breaches from happening in the first place. The law applies to all companies with revenues of more than $10 million. Similar to the other state regulations, fines can reach up to $750 per person affected.
North Dakota Privacy Law
Last year North Dakota lawmakers signed what could be one of the weakest state privacy laws, which restricts websites from passing any information to third parties without users’ consent. It is the only state law that doesn’t enable individuals to have their data removed or deleted after consent is granted. And there are specific considerations when determining if a breach is reportable. The law applies to companies with revenue of more than $25 million.
Maryland Online Consumer Protection Act
Maryland’s legislation is currently in review as SB 613 and is designed to expand upon the groundwork of CCPA. However, this bill goes a bit further when notifying citizens when their data is sold or transferred. Under CCPA, individuals are notified only if their data has been sold to a third party. Maryland’s bill requires notification if the data is transferred to third parties for free. It also prohibits websites from knowingly disclosing any personal information collected about children. The law applies to companies with more than $25 million in revenue.
Hawaii Consumer Privacy Protection Act
Hawaii’s SB 418 is similar to the CCPA but applies to websites from anywhere in the world. However, as the bill is considered, it’s likely to be amended to apply only to websites within its state, similar to CCPA.
All of these states give consumers the right to access their data and, except for North Dakota, the right to have that information deleted. Only New York grants consumers the right to correct any data online. Even as the U.S. allows states to develop their online privacy laws, it’s possible that enough of these different requirements will drive demand for a national standard. But until then, marketing organizations will have to drive for compliance across a broader and more diverse landscape of rules.