Businesses can no longer ignore the importance of data privacy. In this blog post, we round up the questions our data privacy services team hear most often, combined with data from Google Trends, to reveal the most prevalent concerns and areas of most confusion.
Q1: What is the significance of the CCPA, and when does it come into effect?
The California Consumer Privacy Act (CCPA) is a bill aimed at increasing the privacy rights and consumer protection for residents of California, United States of America. The bill was signed into law on June 28, 2018 and became effective on January 1, 2020.
The aims of the Act include allowing individuals to
- Find out if, and what, personal data has been collected about them.
- Find out if their personal data is sold or disclosed to a third party.
- Find out who their personal data has been sold or disclosed to.
- Put a stop to the sale of their personal data.
- Access their personal data.
- Ask a business to delete any personal information they have about them.
- Not be discriminated against for upholding their privacy rights.
The significance of the CCPA is threefold.
Firstly, the companies that are in scope are inherently larger ones. The data privacy law affects all companies that serve California residents and meet any of the following criteria:
- Exceed $25 million in annual revenue.
- Hold personal data on at least 50,000 people.
- Collect more than half their yearly revenues from selling personal data.
It’s important to note that the law applies to any companies that “serve California residents”, meaning that the companies affected can be located anywhere in the world as long as they provide their services in California.
Secondly, the law is significant because of its jurisdiction. Some of the world’s largest companies (Google, Apple, Disney) are based in California, and their handling of sensitive data will now be under intense scrutiny.
Thirdly, it is currently “the nation’s most far-reaching online privacy law and a potential model for other states”, according to the Washington Post. This means that while its impact and enforcement will be closely monitored for other states to follow, the very fact that it will likely create disparate data privacy laws from state to state may accelerate the ongoing conversation about the need for a federal data privacy law to avoid data privacy becoming a blocker to business.
Q2: Who has been fined under GDPR so far?
Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, businesses across the world serving European citizens have been held to new standards of data handling.
The steep financial penalties possible under GDPR have provided an incentive for companies, big and small, to introduce new policies and infrastructures to ensure their ongoing adherence to GDPR. Many have also taken the decision to contract GDPR-qualified experts and Data Protection Officers to help them navigate this difficult change. However, not all businesses have implemented the necessary changes in time, and have thus faced heavy fines from the Information Commissioner’s Office (ICO). These businesses include:
- Google – fined €50m for a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’ according to the French data regulator CNIL.
- TIM – Telecom Provider – fined €27,802,946 for unlawful data processing and a non-compliant aggressive marketing strategy, among other unlawful data collection processes.
- Austrian Post – fined €18,000,000 for using customer data, including ages and addresses, to calculate the probability of which political party they might support, before selling this information to third parties.
…but there have also been far smaller fines handed to SMEs, undermining the argument that the Supervisory Authorities are only targeting large corporates. Examples include a 9,000 euro fine of a Spanish business that was using video surveillance of its employees without consent, a similar fine for a Cypriot government agency for allowing the police access to personal data without sufficient security, and an 18,000 euro fine for a Swedish school that used facial recognition for monitoring attendance, but did not provide suitable opt-out processes.
Q3: Who does GDPR apply to?
A common misunderstanding is that GDPR only applies to companies with offices or employees in companies belonging to the European Union. GDPR is designed to protect EU data subjects from unacceptable uses of their data, whether the company holding their data is based in the EU or not.
The real test is whether a business is offering services to the EU market, or is monitoring an EU data subject’s behaviour within the EU. if so, then their activities fall within the scope of GDPR regardless of their geographical location.
“Offering services to the EU market” is admittedly not clear and open to misinterpretation. To help, the European Data Protection Board (EDPB) has provided some examples of indicators of which territories an organisation is targeting, including:
- Accepted currencies for payments
- Languages of marketing materials
- The locations where services can and cannot be shipped to
Q4: Why is data privacy important?
Data privacy is one of the fastest growing business issues on the planet, encompassing businesses of all shapes and sizes across every industry. Data has never been a more powerful or valuable commodity, and the proper handling of data (consent, notice, and regulatory obligations) is becoming increasingly regulated.
This is because the issue of data privacy has become a highly emotive and sensitive topic for data subjects, as the uses of data become more and more adventurous, personalised and at times, intrusive.
In fact, the importance of data privacy lies, for many, in its morality; keeping private data safe is seen as the ‘right thing to do’. Data ethics dictates that individuals should have agency over how their data, including how well it is protected, how much is given away, under what circumstances and for how long – much like physical property.
For data-intensive businesses, it has had some dramatic effects on their data regimes and, in some cases, even restricting their business models, such as curtailing the free use of automation or the collection and exploitation of data for marketing purposes.
Nevertheless, data privacy also brings massive opportunity. If data privacy is done right – or more specifically, if privacy by design is rolled out – then there are significant opportunities that come from a better understanding of the condition, location, source, use, importance and sensitivity of every piece of data.
By making your data well structured, visible and based on firm ethical and regulatory grounding, you can be more confident in your authority to use it and apply it to achieve your goal. The applications of data are endless, and if privacy is implemented by design then the business can leverage it in automation and machine learning experiments that improve marketing, sales and general business operations.
Q5: What is Privacy By Design?
Privacy by Design is a concept designed to guide businesses into becoming more proactive regarding data privacy. Built on seven principles, the concept sets the standards for how data privacy should be built into projects, processes and everyday activities. These seven principles are:
- Proactively anticipating privacy-invasive events .
- The maximum degree of privacy should be delivered by default .
- Privacy should be incorporated from initial designs rather than added retrospectively.
- Data privacy should not come at the expense of full functionality.
- IT security across the entire lifecycle, from data collection, through to storage and eventual deletion.
- Transparency at all times. All stakeholders should be informed of how data will be processed, stored and erased.
- Data subjects should be given every opportunity to uphold their privacy rights .
Privacy by Design is important because it is not simply a framework to aspire to, but rather a necessary guideline for complying with privacy laws such as GDPR and CCPA. Public bodies like the ICO mandate that data privacy be upheld to the highest degree at every stage of a project, else face heavy financial penalties.
By incorporating these seven principles, businesses can ensure that they are treating their data subjects legally, fairly and ethically. Whether you are building a new IT system for storing personal data, developing policies that have privacy implications or looking to share data more actively with third-parties, Privacy by Design ensures that you remain privacy compliant from the very start.