How to Prepare for New Legislation
Privacy is no longer a niche specialty or one-off discussion reserved for big companies with big resources. Mitzi Hill, a cybersecurity and data privacy attorney at Taylor English, discusses recent cybersecurity legislation that just passed in California and what companies big and small, local and national can do to ensure compliance.
Until 2018, there was very little regulation of consumer privacy in the United States. Outside financial services and health care, companies in most sectors were free to collect and use information about customers with virtually no restriction, and there was no requirement that employee or customer information be kept secure. As a result, U.S. companies had little reason to spend time and money on keeping customer and employee data secure, confidential and private.
2019 is a year of change – or at least it should be – regarding how U.S. companies treat the privacy of their employees and customers. The rules and norms are changing. Although some changes are required by law – and those requirements will apply to far more companies by 2020 – the fact is that marketplace expectations are likely to drive changes in best practices, even where the law may not require them. Smart companies will take 2019 as an opportunity to plan for privacy and tout it to customers and employees as a differentiator. For smaller companies that have not taken advantage of privacy planning before now, 2019 is the year to find ways to make privacy profitable.
Legal Changes Required
You may know that the European Union passed new privacy laws that took effect this year, rules that specifically apply to U.S. companies and carry stiff fines for noncompliance. Because the rules only concern U.S. businesses that “target” the EU, a lot of smaller American companies have been able to take the calculated risk that the rules do not apply to them. As a result, many companies have carried on without making significant changes to their privacy practices.
In 2020, this is likely to change. California has passed a new privacy law, the California Consumer Privacy Act (CCPA), that reflects many of the same ideas embodied in the EU laws, including:
- A consumer privacy “bill of rights,” including the right to opt out of having one’s personal information shared for commercial purposes;
- Steep fines for failure to secure personal information from data breaches;
- Extremely broad definitions of what is considered personal data that must be protected, and in which consumers have rights; and
- A requirement to be up front about what information a business collects and how it uses that information.
The CCPA has several important differences from the EU laws, but the concepts are similar. One important distinction is that the CCPA sets very clear, low-threshold criteria that spell out which companies are subject to the law. Those criteria will ensnare a lot of small and medium companies with customers or employees in California, including many businesses with sales or an internet presence there. Because the CCPA is here in America, it will also be harder to dodge when it comes to visibility and enforcement than the rules from the EU.
In reaction to the CCPA, there is mounting pressure in Washington, D.C. to pass a federal consumer privacy law – and thus avoid a 50-state patchwork that would make running any national or regional business difficult. It is unclear how much traction a federal law might get in the short term, but it is very clear that California is the first domino to fall and that U.S. companies should expect possibly more onerous regulations to come. Coupled with the EU rules, which already affect many internet users, the expectations that employees and customers have about their privacy are very likely to change. Being ahead of both the expectations and the legal requirements is smart planning.
What can you do?
What does this mean in terms of best practices?
At a minimum, U.S. companies with a website should examine it and ensure that it meets the disclosure requirements and opt-out regime of the CCPA. Likewise, they should revamp any customer-facing materials, such as privacy policies.
Alongside these measures, it is wise to raise awareness among employees about how the company handles private data, confidentiality, and data loss or breach. This can take place through new policies (such as a personal information processing policy) and training.
Reap the Value
Any U.S. company that takes privacy seriously and is on the leading edge should start talking about its philosophy with customers, employees and the marketplace. Use “European-style privacy commitments” as a selling point regarding your services. Make your website transparent and easy to use. Give consumers tools that allow them to see what you have collected and to opt out of its use.
Right now, all privacy inquiries are handled as one-offs. Plan for the day when they are routine enough that they should be automated and self-serve. For corporate customers, make affirmative efforts to demonstrate compliance with CCPA and EU rules, rather than responding piecemeal to their security surveys and RFP and audit questions.
The final point in this chain is to ensure that investors and potential buyers know of your efforts. Privacy and data security are fast becoming a standard part of the due diligence on any transaction. Having addressed them will make you a more attractive acquisition target. Planning ahead and having these measures grow with your business – as opposed to implementing them only when you reach a certain scale – will also make you ready for any new opportunity those investors may bring. Privacy can profit you, if you know how to capitalize on it and make it easy for those in your ambit to gather information and to take new steps.