FEATURE
Changing Consumer Privacy Laws: What You Need to Know
After several years of high-profile data breaches and growing use (and abuse) of personal information by a variety of public and private organizations, 2018 was the year that consumers began to say, “No more.” On May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) to immediately give residents in European countries unprecedented control over the use and ownership of their own personal data. Instituted to thwart the misuse of data by large digital entities like Facebook and Google, the penalties put into place by the EU for organizations found in violation of any of these consumer rights were intentionally severe—up to 4 percent of annual revenue. In 2019, British Airways was forced to pay $230 million for one breach of 500,000 records; Google and Facebook are facing potential fines up to $5 billion.
The impact of GDPR in the U.S.
Here in the States, the impact of GDPR was relatively uneventful, since it only protected European consumers. To be on the safe side, U.S. companies with the potential to sell to customers in the EU instituted a flurry of new Privacy Policies and End User Licensing Agreements for consumers to acknowledge.
In the spring and summer of 2018, web users may have also noticed a barrage of new pop-ups that appeared in their browsing sessions, expressly allowing websites to place cookies on their computers and devices, to adhere to GDPR guidelines. Although GDPR only protects European consumers, the American public and state legislators were asking for similar rights and protections in the U.S. So on June 28, 2018—barely a month after GDPR went into place—the California Consumer Privacy Act (CCPA) was signed into law, with protections due to be implemented starting January 1, 2020.
Consumer rights under the CCPA
The CCPA extends many of the same protections in the GDPR to residents of California, including:
The right to request a copy of every piece of data an organization might have about you. Companies have 45 days to comply. In the case of one 10-year Facebook user, this amounted to 277 megabytes (MB) of data!
The right to “be forgotten,” forcing an organization to erase any trace of their personal data.
The right to opt out of companies storing or sharing their personal information with other organizations.
For organizations that purchase third-party information, consumers have the right to know what information was purchased, who they bought it from and who else it might have been shared with.