When General Data Protection Regulation (GDPR) laws came into force back in May, businesses across Europe had to drastically alter the way they handled their customers’ data – and with similar rules now being implemented in the US, attitudes of big business towards data privacy look set to change across the globe.
The California Consumer Privacy Act (CCPA) will take effect in January 2020 and start to be enforced by the Attorney General six months later. With many of the world’s most powerful tech companies calling the Golden State’s Silicon Valley home, CCPA is expected to have a significant impact far beyond California’s physical borders.
Modeled on GDPR, although less expensive to implement, the legislation is expected to receive the backing of Apple CEO Tim Cook, who spoke out in support of stricter privacy laws at the International Conference of Data Protection and Privacy Commissioners in October. Warning of the “weaponised” use of data against consumers, he confirmed that the company was “in full support of a comprehensive federal privacy law in the United States”. Microsoft CEO Satya Nadella has also praised GDPR in the past, while Facebook COO Sheryl Sandberg has previously declared that the social network is “open to regulation”.
The original ballot initiative came about through a privacy rights organisation but support quickly grew for a law to be passed through the normal procedures. The provisions of the actual law have ended up being less stringent than originally proposed, but they are not drastically different. If companies want a say in what any future regulations might look like, it makes sense for them to get on board sooner rather than resisting completely.
The resulting CCPA is far more comprehensive than previous data protection laws, giving individuals more rights when it comes to guarding their personal information, with greater transparency around what info is collected. People will also be able to opt out of their details being sold and have more power to sue in the event of a breach. In a country with a reputation for being more litigious than others, that means businesses will need to take the new rules very seriously indeed.
Any business outside of California assuming that the legislation will not have an impact on them should bear in mind that many of the companies that will have to comply with the new rules are by no means constrained to the state, with their influence reaching right around the world. As well as Apple and Facebook, tech giants such as Google, Netflix and Twitter have headquarters in California but operate across the globe. Any changes they make to their own policies are likely to affect customers elsewhere too.
Then there is the fact that California is famously progressive and tends to lead where others follow. Implementing new rules in the state could open the floodgates for the other 49 to follow. In fact, the US National Telecommunications and Information Administration recently undertook a 30-day public hearing process to gather comments on its policy options for federal legislation. While the appetite for change is clear, it remains to be seen whether there will be a conflict between state and federal rights. From a practical standpoint, though, CCPA will set a new benchmark that could quite easily be used as a model for countrywide implementation – unless a federal law gets there first, of course.
However any rules and regulations end up being implemented beyond California, there does seem to be a consensus that the focus on privacy is only going to spread, especially with data breaches becoming more common. This means that companies need to wise up when it comes to the way they handle any data that they collect. With the rise of AI and voice assistants, businesses also need to be more aware of the types of data they are in possession of and how they gather them.
As populations become more tech-savvy, data breaches are becoming more and more damaging to a company’s reputation, while under new rules, fines for committing them will also be more severe. Being able to protect user info and react accordingly when breaches occur is now essential for any business that handles personal data of any kind.
Support for California’s Consumer Privacy Act will protect the integrity of data-driven businesses across the globe, says Grant Caley, NetApp’s Chief Technologist for UK & Ireland.
A company that already has a GDPR compliance program can make sure its Californian customer base is covered with just a few tweaks. If future laws also use GDPR as a blueprint, those that have already prepared will be in a better position to cope.
The overriding message is clear: be prepared, proactive and transparent – because tougher data protection is on the up and it is most definitely here to stay.
Grant Caley is UK & Ireland Chief Technologist at NetApp. He has been with the company since 2000 in various Engineering and Account Management roles.