The trend in data privacy is not your friend right now. In the wake of the newly enacted General Data Protection Regulation in the European Union, which went into effect in May of 2018, and in the shadow of the pending U.S. Cloud Act and the U.S. Encrypt Act, California’s new regulation sets the bar higher than ever before for U.S. companies. It is pretty clear that companies doing business in the U.S. will need the same data privacy controls and capabilities that multinationals need today to do business in the European Union. As always, the phrase “failure to protect the data” signals the same need that GDPR created for end-to-end encryption, tokenization, and data residency.
California passed what is considered to be the absolute toughest data privacy law in the United States. The California Consumer Privacy Act of 2018 was approved by the California State Governor on June 28, 2018, and goes into effect on January 1, 2020. The law applies to any business that has more than $25 million in revenue, or buys or sells the personal information of 50,000 or more consumers, or derives 50 percent or more of its annual revenue from selling consumers’ personal information, and that does any amount of business in the State of California.
The tone of the legislation is quite aggressive. The legislation specifically cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica. The legislation also references recent congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.
The California Consumer Privacy Act of 2018 is similar in many ways to the European Union General Data Protection Regulation (GDPR). GDPR fines can reach as much as four percent of the company’s prior-year global revenue. The California Consumer Privacy Act has a damage limit of $750 per person for each violation, but, in some cases, the violation penalty can be much higher.
GDPR also has an inviolate 72-hour window for breach notification, and the California Consumer Privacy Act of 2018 doesn’t. In most other areas, the legislation is quite similar and suggests the need for broadscale changes to corporate operating procedures within governance and compliance as well as changes to software systems and security infrastructure.
California has always been a first-mover on data privacy and generally sets the requirements that other states later adopt nationwide. In 2002, California was the first state to enact a data breach notification law. This was followed by the adoption of similar legislation by most of the other states in the U.S. In 2003, the California legislature passed the California Online Privacy Protection Act, which came into force in July of 2004. This required websites to publish their privacy policies and share information about how they collect personally identifiable information (PII) about California consumers. PII was defined to include name, street address, telephone numbers, email address, social security number (SSN), date of birth, or any other detail that could allow a consumer to be identified and subsequently contacted.
Consider the impact this 2003 legislation brought to businesses nationwide. California was the first state to implement such a law. Given the technical requirements for website enhancements to meet the law, it made little sense to try and implement it only for California citizens. California’s first-mover legislation ended up setting nationwide internet privacy standards.
In 2013, California passed legislation for the Privacy Rights for California Minors in the Digital World bill which went into effect in 2015. This legislation provided new online protections for minors, such that website operators that provide services will be required to permit minors to access and delete information that the minors posted. Once again, most website operators did not attempt to limit these protections to California minors, so the California model was once again adopted nationally as the de facto standard.
For U.S. business, it’s déjà vu all over again. The California Consumer Privacy Act of 2018 has set the bar higher for data privacy, and in a way that most other states will soon follow. Your business must be ready to meet the requirements of this legislation in little more than a year. Are you on track to do so? How will your important applications like Office 365, Box, Dropbox, Google Drive, SForce, SAP SuccessFactors, ServiceNow, and others meet the compliance requirements by 2020? How will your custom cloud applications support this legislation?