
Next on the list of governments determined to demonstrate their efforts to enforce strict data protection standards is California. On January 1, 2020, the California Consumer Privacy Act (CCPA) will take effect, and the new rules set the bar higher than anywhere else in the US for companies that collect and share personal data.

Historically, the Golden State has been a pioneer in data protection: in 1972, voters added privacy to the list of inalienable rights of the people in the California Constitution, right next to the rights to enjoy life and liberty, own property, and obtain safety and happiness.

However, the text of the new bill recognizes that California law has not kept pace with new technologies: "the proliferation of personal information has limited the ability of Californians to adequately protect and safeguard their privacy," it reads.

That is why the CCPA was proposed. But what are the new rules, whom will they affect, and how can companies make sure they comply?

How did the CCPA come about?

The new rules were signed into law by the state governor, Jerry Brown, on June 28, 2018, after a somewhat unusual process. California citizens can effectively propose new laws to be voted on in future ballots if they gather enough signatures in a petition for the initiative, and in 2018 a petition urging the government to consider drafting a privacy law collected 629,000 signatures.

Once voters approve a citizen initiative, it becomes law and cannot be modified. To avoid a vote that would produce a privacy law that could never be refined and adapted, legislators therefore drafted the CCPA in a hurry and passed it just before the ballot deadline closed.

This has led some to argue that the new rules were rushed. Lothar Determann, a partner at the law firm Baker & McKenzie, told ZDNet: "The law came out of a few days of negotiations. It was not completely thought through, and I think it may have unintended consequences."

The good news is that the CCPA, by its nature, is not final, so watch this space for future developments.

What are the key principles of the new law?

The main objective of the CCPA is to give Californians more control over their personal information by granting them a series of fundamental rights: to know what personal information is collected about them; to access this information; to know whether it is sold and to whom; to request that their personal data be deleted and to opt out of its continued sale; and to receive the same service and price even if they have exercised that right to opt out.

The principle that citizens should not suffer higher prices or worse service as a result of their privacy choices is unique to the CCPA, and it means that some companies may have to rethink their business models, for example if they relied on data monetization to offer free online services.

The new bill also provides additional protection for minors by prohibiting companies from selling the personal information of consumers under 16, unless specifically authorized by the minor or their parents.

Which companies are affected by CCPA?

Companies must ensure that they comply with the CCPA if they meet two conditions. The first, understandably, is that the company collects or otherwise processes the personal information of consumers in California.

If, in addition, the company's annual gross revenue exceeds $25 million; or if the company processes the personal information of at least 50,000 consumers, households or devices every year; or if it derives 50% or more of its revenue from the sale of users' personal information, then the company must comply with the CCPA.

The new bill has a broad definition of "sale of personal information," which also includes sharing data in exchange for "valuable consideration." This means that some companies, which do not seek financial compensation for sharing personal data, may find that they still fall under the definition of "sale" of the CCPA.

For example, Determann explained, an employer that pays a service to manage payroll may not see the transaction as a "sale" of information; however, it may fall under the CCPA's definition of the term. This in turn means that employees could, in theory, opt out of the sale of their data.

"The definition of selling in this law captures not only the transfer of information for money," he said, "but also information obtained through exchanges, which occur all the time for commercial or government planning. It is a broad definition that we need to think about."

What is personal information under CCPA?

Essentially, anything that can identify or be associated with a particular consumer or household. Think of names, aliases, addresses, passport numbers or social security numbers, but also geolocation data, information related to employment or education, and physical and behavioral characteristics.

There are some exceptions: personal information does not include any data that is already publicly available from government records. In addition, the law does not apply to protected health information, which is already covered by other California laws, or to any financial information already regulated by the federal Gramm-Leach-Bliley Act.

The CCPA has a broader definition of personal information than other existing privacy laws. In Europe, for example, the GDPR does not include data that can identify a household.

So what will companies have to do to comply with CCPA?

There are a number of steps that companies must take to ensure that customers can exercise their rights, beginning with ensuring that users have the means to request access to their personal information. The law requires at least two ways of doing so, including at least one toll-free number.

When users request to see their personal data, they must be granted access within 45 days. And if customers request the deletion of their data, companies have to comply. However, there are exceptions if the information is necessary to detect illegal activity or if deleting the data would impede free speech.

The CCPA also states that companies must warn customers that they are selling personal information, if they do, and provide a clear link on their website entitled "Do not sell my personal information" so that users can opt out if they wish.

Once again, the rules seem stricter than the GDPR, which gives people the right to restrict or object to the processing of their personal data, as well as to have it erased, but only in certain circumstances. European law clearly states that these rights are not, in fact, "absolute."

How can companies really prepare?

Companies are expected to comply as soon as the law takes effect on January 1, 2020, only a year and a half after the CCPA was passed. "A year and a half is not a long time, as anyone who has been working on compliance with the EU's GDPR knows," said Determann.

He explained that the first thing companies should do is find out whether they are selling personal information as defined by the CCPA, and determine whether they can change their business model to avoid exchanging information for "valuable consideration."

Otherwise, companies should ensure that they have detailed inventories of the personal information belonging to California residents that users can access. In addition to setting up toll-free telephone numbers and "Do not sell my personal information" links, companies must update their privacy policies with a description of the new Californian rights.

Last but not least, companies will have to intensify their efforts to avoid data breaches through stronger security programs.

What happens if a company does not comply?

Violating the CCPA can cost companies up to $7,500 per violation. Unauthorized access to personal data, or data breaches, is also punishable under the law. In the case of data theft or exfiltration, companies are liable for damages of up to $750 per consumer per incident.

The bill is therefore likely to push companies to practice data minimization, which means removing any collected information that is not essential. Determann recommended that companies review their collection and retention strategies to decide whether they can delete more data.

What about other laws?

The CCPA is not the only privacy law that exists, either in California or across the United States. Different states, for example, have different laws on data breach notification. Inevitably, there will be times when the new rules collide with the old ones.

Determann argued that it is necessary to harmonize the "dozens of existing privacy laws" that create "unnecessary complexities" inside and outside California, and the CCPA itself also recognizes the problem.

In case of conflict with another law, the new bill establishes, the law that grants "the greatest protection for the right to privacy of consumers" will control.

It is likely that, as the new rules take effect in California, the question of whether a federal privacy law is needed in the US will arise. "I think having national privacy legislation is a hope that many have, either against the CCPA or in favor of it," said Determann. "And in any case, the CCPA will strongly influence any future legislation."

What's next?

Whether they were motivated by the new California privacy law or not, other states in the United States have been working on their own laws.

Last May, for example, Nevada passed an amendment to its online privacy law that requires companies to offer users the option to opt out of the sale of their personal information, although its definition of "sale," unlike the CCPA's, is limited to monetary transactions.

New York also proposed a privacy law this year, based on principles similar to those of the CCPA. However, in both Washington and Texas, privacy bills failed to pass.

The CCPA, although now about to take effect, could be subject to changes in the future, and experts like Determann think it should be. He argued that the law should adapt better to the needs of some companies, particularly those that rely on more, not less, data to implement technologies such as artificial intelligence or autonomous cars.

Eric Goldman, a law professor at Santa Clara University, echoed his concerns and said that the CCPA was drafted with a limited number of use cases in mind, but that it nevertheless "applies to thousands of other industry niches that had no voice during the drafting process and now must comply with a law that is poorly adapted to their problems."

For Determann, ultimately, it all comes down to defining what is best for the consumer. "We have adopted many innovative services, which would probably never have gained critical mass or been developed if companies had had to rely on consumer fees for the initial launch," he said.

"All of us in California and elsewhere should carefully consider … how much we value free services versus data regulation."