Businesses in our community provide goods and services to consumers around the world. Our region exports light manufacturing, custom tents and structures, large format banners, satellite communications as a service, ecommerce fulfillment services, personal brand engagement services and food products, just to name a few. In the course of business, companies acquire and store personal customer data and recently enacted laws in the U.S. and the European Union will have an impact on the storage and use of these data. These new laws have a global reach and the penalties for violations are designed to be severe.
The European Union enacted the General Data Protection Regulation (GDPR), effective on March 25, 2018. California recently followed suit with the California Consumer Privacy Act (CCPA), which goes into effect in 2020. Both laws impose penalties on businesses that fail to protect the privacy of personal data that individuals provide to them.
For the GDPR, Individual Consent is Key
The European Union is an economic behemoth boasting the second largest economy in the world with a population of roughly 500 million people. To protect EU citizens’ personal data from privacy violations and data breaches, the EU enacted the GDPR, which imposes a wide ranging definition of personal data: basic identifying information such as name and address; web data such as location, IP address, stored cookies and RFID tags; health and genetic data; biometric data; ethnicity; political opinions; and sexual orientation.
The GDPR mandates that businesses receive customer consent prior to processing or storing customer data. The request for consent must explain the purposes and basis for processing personal information, identify who receives personal data, state how long personal data will be stored, explain the right to access, rectify or erase personal information as well as the right to object to data processing. EU consumers have the right to withdraw consent, which requires a business to respond and act upon the request in a reasonable time frame.
The GDPR requires companies to notify a customer or client of a breach within 72 hours of discovery. Data breaches are an increasingly common occurrence and the GDPR requires companies to not only take steps to protect the personal data being stored but to sound the alarm in the event of a data breach.
The GDPR gives consumers the right to request that their data be deleted. When that occurs, companies must remove all traces of the consumer’s data from their own systems as well as from any third party repositories where the data may have been shared or stored.
New California Law Shows Trend Towards Data Protection
California enacted a law that bears a striking resemblance to the GDPR. The California Consumer Privacy Act (CCPA) was quickly introduced into the California legislature in June of 2018 and signed by Governor Jerry Brown that same month.
Like the EU, the economy of California is massive and is estimated to be the fifth largest in the world. The population is 40 million people and given the size of its economy and population, it is extremely likely that local businesses are coming into contact with consumers in California.
The CCPA provides California consumers four basic rights relating to their personal information. These rights are substantially similar to the principles of the GDPR:
First, a resident in California has the right to know what personal information a business has collected about them, where it was sourced from, what the data is being used for, and whether it is being disclosed or sold to third parties.
Second, California residents have the right to opt out of permitting a business to sell their personal information to third parties. Additionally, consumers under the age of 16 have the right not to have their personal information sold without their, or their parent’s, opt-in.
Third, there is the right to have a business delete personal information. Under this provision, a consumer may request a business remove personal information from its storage.
Fourth, a California resident has the right to receive equal service and pricing from a business, even if that resident exercised their privacy rights under the CCPA. In effect, this protects California residents from discrimination.
Less is More with Personal Data
Both laws require businesses to take steps to protect the data they collect from consumers. As a starting point for compliance, businesses should review what personal data is collected from individuals. In this review, make sure data is processed only for authorized purposes, and do not collect personal data just for the sake of having it or because it could be useful in the future.
Next, businesses should create a privacy policy that outlines disclosures on how data is used. The privacy policy should detail all types of data collected, how the data is being used, how a user can delete the data and objections a consumer may make on the use of their data. The privacy policy should be reviewed and updated every 12 months to ensure the policy is up to date.
A best practice is to adopt a policy of data minimization: store only the personal data required, for a specified time, for a stated purpose. The data should be destroyed once it is no longer needed for the intended purpose or the expressed duration has passed. Holding on to personal data without an intended purpose may create liabilities for businesses and, in the event of a breach, erode the confidence of consumers whose data was accessed.
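As an added illustration that is not part of the article, the retention review described above can be expressed as a short Python check: each record carries its stated purpose and expressed duration, and a record is flagged for deletion when the individual asked for erasure, the duration has passed, or consent no longer covers the purpose (withdrawn, or never given for that purpose). The class names, field names and sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Consent:
    purposes: set  # purposes the individual agreed to when asked
    withdrawn_at: "datetime | None" = None

@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str  # stated purpose for holding this record
    collected_at: datetime
    retention_days: int  # duration stated when consent was requested
    erasure_requested: bool = False

def consent_covers(consent, purpose, now):
    """True only if consent exists, names this purpose and was not withdrawn."""
    if consent is None or purpose not in consent.purposes:
        return False
    return consent.withdrawn_at is None or consent.withdrawn_at > now

def retention_review(records, consents, now):
    """Return (subject_id, purpose, reason) for each record that must be deleted."""
    to_delete = []
    for r in records:
        if r.erasure_requested:
            reason = "erasure_requested"
        elif now >= r.collected_at + timedelta(days=r.retention_days):
            reason = "retention_expired"
        elif not consent_covers(consents.get(r.subject_id), r.purpose, now):
            reason = "no_valid_consent"
        else:
            continue  # stated purpose, within duration, consent still valid: keep
        to_delete.append((r.subject_id, r.purpose, reason))
    return to_delete

NOW = datetime(2018, 9, 1)  # constructed sample data below, not taken from the article
SAMPLE_CONSENTS = {
    "c1": Consent({"order_fulfillment", "marketing"}),
    "c2": Consent({"order_fulfillment"}, withdrawn_at=datetime(2018, 8, 15)),
    "c3": Consent({"order_fulfillment"}),
}
SAMPLE_RECORDS = [
    PersonalRecord("c1", "order_fulfillment", datetime(2018, 7, 1), 90),  # keep
    PersonalRecord("c1", "marketing", datetime(2018, 5, 1), 90),  # past its 90 days
    PersonalRecord("c2", "order_fulfillment", datetime(2018, 8, 1), 365),  # consent withdrawn
    PersonalRecord("c3", "analytics", datetime(2018, 8, 20), 30),  # never consented to analytics
    PersonalRecord("c3", "order_fulfillment", datetime(2018, 8, 20), 30, erasure_requested=True),
]
```

Running `retention_review(SAMPLE_RECORDS, SAMPLE_CONSENTS, NOW)` returns the four records to purge with the reason for each; only the in-purpose, in-duration, consented record is kept.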
Personal data carries new risks for northern Michigan companies. As businesses from our community continue to expand to the global market, proactive steps to protect personal data will help comply with the changing landscape of the law. Most importantly, steps taken now to transparently collect and store personal data will help companies earn the trust of consumers across the world.
This article was featured in the Traverse City Business News, September 2018 edition.