2018 was a breakthrough year for internet privacy laws. In May, the European Union’s General Data Protection Regulation (GDPR) went into full effect, sending the digital business world scrambling to get in compliance.
Then, during the summer, the United States got in on the action when California adopted the California Consumer Privacy Act (CCPA), a law that will take effect a little over a year from now. And that still leaves the EU-U.S. Privacy Shield, the ePrivacy Regulation, and the CLOUD Act.
Despite the headlines, a recent GetApp data privacy survey of small businesses found that a whopping 65 percent of respondents felt their company was only somewhat prepared or simply not prepared to comply with data privacy regulations.
Small businesses must endeavor to stay ahead of the data privacy curve by maintaining awareness of current regulations and anticipating those that are on the way.
In this article, we’ll review GDPR, explain CCPA, and catch you up on other relevant regulations. We’ll also provide a list of recommendations to help your business stay in compliance.
Internet privacy laws gain momentum in 2018
The rise of internet privacy laws in 2018 occurred in the context of public trust that has been eroded by continual reports of massive data breaches and manipulative online marketing practices. These events have frustrated consumers; 83 percent of Americans feel that technology companies need more regulation.
In March, the Cambridge Analytica data scandal erupted when a whistleblower came forward claiming the profiles of 50 million Facebook users had been harvested—a number that would later rise to 87 million.
This led Facebook CEO Mark Zuckerberg to testify for two days before Congress about his company’s data privacy practices. More congressional testimony would follow from Twitter CEO Jack Dorsey and Facebook COO Sheryl Sandberg in September, and from Google CEO Sundar Pichai in December. Congress appeared increasingly ready to enact federal data privacy statutes in the United States.
2018 internet privacy timeline
A few notable internet privacy events in a year full of them
The General Data Protection Regulation (GDPR)
The GDPR is a European Union (EU) data protection law that went into effect on May 25, 2018. On July 20, 2018, it was incorporated into the EEA Agreement, extending it to the three non-EU countries of the European Economic Area (EEA): Iceland, Norway, and Liechtenstein.
GDPR regulates the collection, storage, and sharing of personal data, whether or not the processing happens online. Personal data under GDPR is anything that identifies a person directly or indirectly: name, government ID number, browser cookies, IP addresses, location information, social media handles, and so on. It also sets breach notification rules (notifiable breaches must be reported to the supervisory authority within 72 hours) and grants eight rights to data subjects.
The 8 rights of GDPR
Right to be informed: which data is being collected, for what purpose, and how it is being used.
Right to access: view or receive a copy of the personal data being processed.
Right to rectification: request correction of information that is incorrect or incomplete.
Right to erasure (the "right to be forgotten"): request deletion of personal data in specified circumstances.
Right to restriction of processing: require the controller to stop actively processing the data (while still storing it), for example while its accuracy is disputed or an objection is pending. Consent can also be withdrawn at any time, which is a separate provision.
Right to data portability: obtain personal data in a machine-readable format and transfer it from one service provider to another.
Right to object: object to specific uses of personal data, such as direct marketing (which must then stop) or processing based on legitimate interests, public task, or research.
Rights related to automated decision-making and profiling: not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects.
GDPR protects people located in EU and EEA countries, but its reach is global: it binds individuals, companies, and organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people there. It also applies to any organization established in the EU, regardless of where the processing itself takes place.
To be clear: GDPR is not concerned with citizenship. It protects people located in covered countries, whether they are citizens, visitors, or expats. Conversely, EU and EEA citizens dealing with a non-EU company while abroad are not covered, unless that company is established in the EU.
This means that marketing your services, conducting transactions, and storing data relevant to users in these countries must all be done under GDPR, or you risk the consequences. Depending on the severity and frequency of violations, non-compliance can result in fines of up to 20 million euros or 4 percent of global annual turnover for the preceding financial year, whichever is higher.
In spite of the worldwide impact and potential financial consequences of GDPR, a recent GetApp data privacy survey found that only 11 percent of respondents in the United States felt very familiar with GDPR. Nearly half voiced no familiarity at all.
California Consumer Privacy Act (CCPA)
Passed on June 28, 2018, and currently scheduled to go into effect on Jan. 1, 2020, the California Consumer Privacy Act (CCPA) was designed to enhance the digital privacy rights of Californians. In a sign that data privacy is not necessarily a partisan issue, the CCPA was passed unanimously by California's legislature.
Considering the state’s national policy influence and the fact that it is home to many of the world’s top tech companies, the legislation is poised to alter the data privacy landscape in the United States.
Commonly thought of as a mini GDPR, the CCPA has several features that separate it from its European counterpart. It protects information that can be "reasonably linked, directly or indirectly, with a particular consumer or household," so household-level data is covered, not only data about an individual user. And, much like GDPR, the CCPA grants several new rights to California residents.
New rights under the California Consumer Privacy Act
Right to know: what categories and specific pieces of personal information are being collected, from which sources, for what purpose, whether it is sold or shared, and with whom.
Right to access: receive a copy of the personal information a business has collected.
Right to delete: request deletion of personal information, subject to listed exceptions.
Right to say "no": formally opt out of the sale of personal information.
Right to equal service and price: exercise these rights without being denied service or charged a different price.
While GDPR applies to all controllers and processors of personal data, CCPA applies only to for-profit businesses that do business in California and meet any one of the following three thresholds:
- Annual gross revenues exceeding $25 million.
- Fifty percent or more of annual revenue derived from selling consumers' personal information.
- Annually buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
Civil penalties are $2,500 per violation and $7,500 per intentional violation, which adds up quickly: intentionally mishandling only 134 records could cost more than $1 million. Additionally, the CCPA gives consumers a private right of action, including class actions, when a business's failure to maintain reasonable security leads to a breach, with statutory damages of $100 to $750 per consumer per incident.
ePrivacy Regulation (ePR)
The EU's ePrivacy rules sit alongside GDPR. The current ePrivacy Directive, commonly referred to as the Cookie Law and implemented in the U.K. as the Privacy and Electronic Communications Regulations (PECR), is what lies behind the ubiquitous cookie consent forms you encounter all over the internet; it also regulates electronic marketing such as unsolicited emails and text messages.
The European Commission has proposed replacing the directive with an ePrivacy Regulation (ePR), which at the time of writing is expected sometime in 2019. Because a regulation applies directly rather than through national law, the change would move these rules from uneven enforcement by individual member countries to uniform application across the EU, and to companies elsewhere in the world that serve EU users.
The lead-up to ePR has unfolded with less publicity than GDPR, but its rules would upend the ad revenue-based business model of vast swaths of online companies and complicate the metrics most websites use to target customers.
The proposal would restrict the use of most cookies and require explicit consent before they are set, with an exemption for cookies that are strictly necessary for a service the user has asked for. Users would also be able to choose which categories of cookies may or may not be set.
Cookie consent form on Spanish music festival Primavera Sound's website (image not reproduced)
Cookies are baked into your browser
A browser cookie is a small piece of data that a web server asks the browser to store (through a Set-Cookie response header or a script) and that the browser sends back on later requests to that site. Cookies are commonly grouped as follows:
Session cookies are temporary: they carry no Expires or Max-Age attribute, so the browser discards them when it is closed. They typically hold nothing more than an identifier that keeps site functionality working from page to page. For example, a session cookie lets you keep an item in your online shopping cart without logging in.
Cookies like these are exempt from consent under the current directive and the proposed ePR because they are strictly necessary. Note that the exemption turns on necessity for a service the user requested, not on lifetime: a session cookie used purely for tracking still needs consent.
Persistent cookies, conversely, carry an expiry date or maximum age and stay on the user's device until that time passes or they are manually deleted. They allow a site's web server to recognize you and keep you logged in each time you return.
Also known as permanent cookies, persistent cookies are also used to build metrics such as movement through a website, frequency of return, and time spent on page. This helps site operators understand their visitors, customize advertisements, and make better decisions about site design.
These cookies require consent unless they are strictly necessary for the service requested.
Third-party cookies are set by a domain other than the one in the address bar, through embedded content such as banner ads, tracking pixels, and social media buttons. Advertisers use them to follow you around the internet and build a detailed user profile. Third-party cookies are why you get inundated with advertisements for French hotels on one website soon after searching for flights to Paris on another.
These cookies require consent under ePR.
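The distinction between the three cookie types above is visible in the Set-Cookie header itself, and a consent-gated site has to issue only the cookies the visitor has agreed to. The following Node.js snippet is an added illustration, not code from the original article or from any site it mentions: it builds Set-Cookie headers for an assumed catalogue of cookies (the names `sessionid`, `_ga_like` and `ad_id` and their categories are invented for the example), classifies a header as session or persistent by the presence of Max-Age/Expires, flags cookies that can be sent from a third-party context (SameSite=None), and filters the catalogue by the consent categories a visitor granted.

```javascript
// Added example: consent-gated cookie issuance and Set-Cookie classification.
// The catalogue below is a constructed assumption, not a real site's cookies.
const COOKIE_CATALOGUE = [
  // Strictly necessary session cookie: no Max-Age/Expires, first-party only.
  { name: 'sessionid', category: 'necessary',   maxAge: null,     sameSite: 'Lax',  httpOnly: true },
  // Analytics: persistent first-party cookie, two years.
  { name: '_ga_like',  category: 'analytics',   maxAge: 63072000, sameSite: 'Lax',  httpOnly: false },
  // Advertising: persistent cookie meant to ride along in third-party contexts,
  // which needs SameSite=None (and therefore Secure) to be sent at all.
  { name: 'ad_id',     category: 'advertising', maxAge: 31536000, sameSite: 'None', httpOnly: false },
];

// Render one catalogue entry as a Set-Cookie header value.
function buildSetCookie(spec, value) {
  const parts = [`${spec.name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (spec.maxAge !== null) parts.push(`Max-Age=${spec.maxAge}`); // absent => session cookie
  if (spec.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${spec.sameSite}`);
  // Browsers reject SameSite=None without Secure; every cookie here is Secure anyway.
  parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header value and classify it the way the text does.
function classifyCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attr[key] = i === -1 ? true : a.slice(i + 1);
  }
  const persistent = 'max-age' in attr || 'expires' in attr;
  // Modern browsers treat a missing SameSite attribute as Lax.
  const sameSite = String(attr.samesite || 'Lax').toLowerCase();
  return {
    name,
    kind: persistent ? 'persistent' : 'session',
    crossSite: sameSite === 'none',   // can be sent from a third-party context
    secure: attr.secure === true,
    httpOnly: attr.httponly === true,
  };
}

// Return the Set-Cookie headers a response may carry given the visitor's consent.
// "necessary" cookies never need consent; everything else is opt-in by category.
function cookiesForResponse(consentCategories, values) {
  return COOKIE_CATALOGUE
    .filter((c) => c.category === 'necessary' || consentCategories.includes(c.category))
    .map((c) => buildSetCookie(c, values[c.name] ?? ''));
}

// Stand-alone demo: a visitor who only accepted analytics.
for (const h of cookiesForResponse(['analytics'], { sessionid: 'k7f2', _ga_like: 'GA1.1' })) {
  console.log(h, '->', classifyCookie(h));
}
```

Two details worth noticing: the only thing that makes a cookie "session" is the absence of Max-Age and Expires, so the same identifier can be turned into a persistent tracker by adding one attribute, which is why the consent exemption is judged on purpose rather than on lifetime; and a cookie cannot reach a third-party context unless it carries SameSite=None and Secure, so a site that wants no third-party cookies simply never issues that combination.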
EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield launched Aug. 1, 2016 and governs the transfer of personal data from the European Union to the United States for commercial purposes. The framework is designed to make it easier for U.S. companies to receive and process EU users' data.
While joining the Privacy Shield is voluntary, a company's commitments become enforceable under U.S. law (by the Federal Trade Commission) once it joins. To join, U.S. companies self-certify to the Department of Commerce that their data privacy practices meet the framework's principles. This gives U.S. companies a recognised legal basis for receiving EU personal data under EU data regulations such as GDPR.
However, in the wake of the Cambridge Analytica scandal, the Privacy Shield has come under scrutiny. Many EU lawmakers feel that U.S. companies are not respecting the agreement and want it suspended.
The U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act
The Clarifying Lawful Overseas Use of Data (CLOUD) Act became law on March 23, 2018 and significantly affects privacy law in the United States. It makes clear that U.S. providers of electronic communication and remote computing services (e.g., cloud storage companies, Software-as-a-Service providers) must turn data over to U.S. authorities under a valid warrant regardless of where that data is stored.
This issue was central to the widely followed—and now moot—Supreme Court case U.S. v. Microsoft Corp (Ireland). In that case, the U.S. government was seeking private emails of Microsoft customers that were stored on servers located in Ireland.
Under the CLOUD Act, a warrant can be issued by the United States government, or the governments of qualifying countries that have entered into a reciprocal data sharing agreement, for a service provider’s customer and subscriber data stored abroad. This presents potential conflicts for companies that must adhere both to GDPR and the CLOUD Act.
For example, a U.S. citizen living in Spain who uses an American cloud service that stores data on servers in Poland causes that company to be subject to both regulations simultaneously. And while the act includes a provision to quash a warrant under specific conditions, it is yet to be seen how that will play out in practice.
The CLOUD Act has been the subject of controversy since its late inclusion in an omnibus spending bill without a hearing or debate. Concerns have been voiced that it pushes the limits of Fourth Amendment protections and that its reciprocal data sharing agreements might allow countries with poor human rights records to obtain information about political dissidents.
Recommendations to ease compliance
Even if your small business is not currently affected by GDPR, we recommend that you view it as a roadmap for compliance with the array of regulations it will inspire. This will help your company gain a competitive advantage over others that will be caught off guard when these laws inevitably arise.
Adopting sensible consent management practices and enhancing customer privacy can be a marketable feature that shows consumers you care about their data and will go above and beyond to ensure it’s protected.
Internet privacy in 2019 and beyond
Six full months after going live, no major GDPR fine has been levied. This might be the calm before the storm, however, with Gartner predicting that the first multimillion-dollar fine will be issued before 2020 (report available to clients).
Brexit, currently scheduled for March 29, 2019, could complicate GDPR's protections for users in the United Kingdom. The U.K.'s Data Protection Act 2018 already writes GDPR's requirements into domestic law, so the larger risk is to the free flow of data between the U.K. and the EU after exit. 2019 will also bring the expected arrival of ePR and require preparation for the CCPA's debut in 2020. Several U.S. states are expected to enact new internet privacy laws, such as Vermont's plan to regulate data brokers.
Furthermore, the United States will seat a very different House of Representatives in January, and politicians gearing up for the 2020 presidential election will begin looking for issues to galvanize the public—such as data breaches and dubious privacy practices.
And they’ll have a leg to stand on.
On Nov. 30, the Marriott hotel chain announced a data breach of its Starwood guest reservation database affecting up to 500 million guests, the worst breach of 2018 and one of the most significant on record. Compromised records included critical data such as passport numbers, addresses, and dates of birth. Less than a week later, online question-and-answer website Quora announced a data breach affecting 100 million users.
Then, in mid-December, the New York Times capped a year riddled with data privacy headlines by publishing a pair of exposés detailing the invasive use of device location information and the sharing of personal user data among tech giants.
Parting thoughts from Tim Cook
On October 24, Apple CEO Tim Cook gave a keynote at the International Conference of Data Protection and Privacy Commissioners in Brussels. During the speech he asserted, "We at Apple are in full support of a comprehensive federal privacy law in the United States."
Cook then went on to list four essential rights to ensure data privacy:
“The right to have personal data minimized”
“The right to knowledge”
“The right to access”
“The right to security”
Those sound awfully similar to the tenets of GDPR and CCPA.
The momentum for data privacy isn’t slowing down anytime soon.
This article is part of an ongoing series about the business value of IT
The data privacy survey referenced in this article was conducted by GetApp in November 2018 among 153 small businesses with 100 or fewer employees. The qualified respondents indicated involvement in the decision-making process for software and technology in their organizations.