Hacks of company databases are on the rise. Users are slowly becoming aware of the amount of control companies have over their online data.
Driven by these changes, customers are beginning to change their attitudes toward privacy and personal information. Just in the past few years, lawmakers have taken the first steps toward imposing new privacy regulations on online businesses, which have traditionally been almost entirely unregulated.
Many businesses -- especially small ones -- may find these changes overwhelming. The following is a brief guide to some of the more significant legislation that's passed or been proposed, as of February 2019. As always, if you have questions about how these laws apply to your business, it's best to check with a lawyer.
The European Union's General Data Protection Regulation (GDPR) has forged the way for many privacy bills to follow. While it only affects residents of the EU, many companies that do business internationally will need to adhere to its regulations.
The GDPR is a sweeping set of laws, reinforced by hefty fines for infractions. The regulation's implications are too broad to explore here in depth, but here are some of its key principles:
- Companies must give users details about how their information is collected and used, in plain language. They must gain affirmative consent.
- Within 72 hours of a data breach, companies must notify users.
- Users have the right to know what personal information a company is collecting on them, and how it's being used. They can receive a copy of that information if they request it.
- Users have the right to request their data be deleted from a system, and that any processing using that data stop.
The California Consumer Privacy Act
Governor Jerry Brown signed the CCPA into law in 2018, and it's some of the most sweeping privacy legislation that's passed in the U.S. While the law specifically protects citizens of California and only affects larger businesses, it's likely these regulations will transform American industry generally.
The CCPA takes effect in 2020 and establishes the following rights for Californians. Breaching any of these may incur a fine.
- Californians have the right to know what personal data companies are collecting about them, and to whom (if anyone) these companies are providing this information.
- They have the right to access their personal information, and say no to its distribution.
- They have the right to equal services, even if they exercise their privacy rights.
The American Data Dissemination Act
In January 2019, Senator Marco Rubio introduced a bill called the American Data Dissemination Act, or ADD. While it hasn't passed yet (as of February 2019) and may still undergo revisions, it requires the FTC to send Congress recommendations for consumer privacy regulations, which would resemble the Privacy Act of 1974. Congress would then turn these into law (or the FTC could, if Congress fails to act).
The Social Media Privacy and Consumer Rights Act
Senators Amy Klobuchar and John Kennedy teamed up to introduce the Social Media Privacy and Consumer Rights Act in 2018. This law mirrors many requirements put into place by the GDPR: it requires companies to notify users of how their data's collected and used. Users must have options for various privacy settings, and companies must notify users within 72 hours if the company experiences a data breach. As of February 2019, this bill hasn't passed and remains in committee.
Laws like the GDPR and CCPA have the power to transform how companies gather and use customer data. More potential regulations are on the horizon. By staying abreast of regulations as they pass, you'll be able to collect and use your customers' data to improve their experience, in a legal, ethical way.