Privacy Laws Will Soon Be Inescapable
The GDPR has been attracting attention because of its far-reaching impact on data privacy and security, but it’s not the only regulation you should be watching.
- By Lisa Loftis
- October 12, 2018
It’s time for enterprises to sit up and take notice of privacy laws. Consumers already have.
In a post-General Data Protection Regulation (GDPR) survey, 56 percent of U.K. consumers say they have either already exercised their rights to data protection or plan on doing so within the year. These consumers’ concerns are more about trusting companies to use their data properly than about having them protect that data from unauthorized access.
Respondents are most likely to activate data rights if they receive unwanted emails (56 percent), discover their data has been sold without their consent (54 percent), are subjected to inaccurate profiling (52 percent), or find that the information held about them is wrong (52 percent). This is compared to only 38 percent who said they would express their rights due to a data breach or privacy infringement.
The much publicized Facebook and Cambridge Analytica news catapulted the consequences of data misuse onto the global stage prior to the implementation of the GDPR and served as a catalyst to get people thinking about how they want companies to treat their personal data. It also spotlighted the wave of personal data protection regulations sweeping the globe right now.
Privacy Laws to Watch
Just how far will these regulations reach? Everywhere -- sooner rather than later -- and every enterprise needs to pay attention. Here are a few regulations other than the GDPR to pay attention to.
The EU ePrivacy Regulation
The ePR is an extension of the GDPR and applies to all electronic communications and digital data. The regulation was developed because the volume and complexity of digital data are increasing exponentially and the environment for generating, storing, and consuming these emerging data types can be quite different from more traditional data formats that the GDPR covered.
In some cases, the ePR describes how the GDPR’s protections should be applied to electronic communications data. In others, it adds restrictions not found under the GDPR. In all cases, the intent is to create a single unified regulatory platform between the GDPR and the ePR for handling personal data, whether digital or traditional.
Areas the ePR tackles include:
- Consent. The ePR follows the same definition as the GDPR for what constitutes valid consent but extends this to electronic communications data, direct marketing communications, and access to end users’ terminal devices (phones, wearable devices, gaming consoles, etc.).
- Cookies. Although the ePR will allow the use of first-party cookies for analytics, it imposes severe restrictions on the use of third-party cookies. Under the regulation, companies will have to obtain specific consent for social plug-in and third-party cookies used for behavioral advertising as well as third-party analytics.
- Communications data and metadata. The ePR distinguishes between digital communications content (what was said) and digital communications metadata (type of communication, length, location, involved parties, devices involved, etc.). It limits the ability to access the processing and storage of terminal devices (e.g., phones) to collect metadata and to implement tracking options such as cookies. Metadata usage is limited to statistical counting, requires data to be anonymized or deleted immediately after the function it was collected for is complete. Users also have the ability to object.
The ePR was originally intended to roll out alongside GDPR, but implementation has been postponed as industry groups seek to negotiate a loosening of the original terms. Despite the delay, all indications from the EU are that the ePR will become law at some point.
This regulation exemplifies how personal data protections have already expanded past EU boundaries. Privacy Shield was developed in 2016 between the EU and the U.S. as a direct result of the GDPR stipulation that the personal data of people living within the European Union can only be transported to countries that have stringent data protection laws. Its intention was to enable U.S. companies to satisfy these requirements by certifying that they comply with a framework of agreements including:
- Identified obligations for companies in the U.S. to protect personal data that relates to people living within the EU
- Stipulations that personal data is used for specific purposes, with no general access available
- Provision of protection and redress available to citizens of the EU
To date, some 4,000 U.S. companies including technology giants Google, Facebook, Amazon, and Microsoft have certified under Privacy Shield. Unfortunately, despite significant work by both the U.S. Department of Commerce and the European Commission to develop the Privacy Shield framework, the European Parliament has recently called for the suspension of the agreement.
This move is due in part to concerns around the trajectory of U.S. legislation stripping away previously agreed privacy protections for non-U.S. citizens. Although both sides are continuing to work toward keeping the agreement in place, companies in the U.S. could see significant negative impacts if the GDPR stipulations are not satisfied by Privacy Shield.
California Consumer Privacy Act of 2018
This is the first of what experts from the Forbes Technology Council predict will be a wave of similar legislation comprising “a wake-up call for everybody in tech.” They see it leading to the adoption of “data privacy as a civil right” and yielding “stricter privacy laws worldwide.” With a go-live date of 2020, this law mirrors many of the GDPR data protections for California residents and extends those protections not just to people in their roles as consumers but also as employees, patients, tenants, students, parents, and children.
The Bottom Line
If your company processes personal data, the question is not if data privacy laws will affect you but when.