A New Landscape for 2020: How Businesses Must Respond to New Data Privacy Regulations

Around the country, sweeping data privacy regulations are compelling businesses to rethink every aspect of their data governance capabilities.

If your organization complied with General Data Protection Regulation (GDPR) standards set by the European Union in 2016, you may have a head start. However, compliance with the GDPR will not be sufficient for compliance with the new state regulations. If your data lifecycle management process hasn’t changed in recent years—or if you never had a holistic, company-wide process to begin with — it’s time to stop kicking that can down the road.

Our new infographic shows you how three states are changing their data privacy landscape. You’ll also see steps your company can take to avoid unexpected penalties in the future.

California Consumer Privacy Act (CCPA)

• Enacted in 2018, the California Consumer Privacy Act (CCPA) requires transparency concerning the hosting and exchange of personal data, which includes a range of individual, or household, identifiers.
• As of July 2020, companies have 30 days to comply once notified of a violation; otherwise they are subject to civil penalties of up to $2,500 per violation and $7,500 per “intentional violation.”

Act to Protect the Privacy of Online Consumer Information (Maine)

• Maine’s Act to Protect the Privacy of Online Consumer Information requires broadband internet service providers (ISPs) to obtain customer consent before selling or sharing their data with a third party.
• While the CCPA gives customers the right to opt-out, Maine’s law prohibits ISPs from using customer data unless the customer opts in.

Stop Hacks and Improve Electronic Data Security Act (New York)

• The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires any businesses that maintain New York residents’ private information to take concrete steps intended to prevent data breaches.
• To comply, businesses must take reasonable protective measures, including:
  • risk assessments
  • workforce training
  • incident response planning and testing
• Failure to implement a compliant program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties.

Federal Privacy Laws

The United States does not yet have a comprehensive federal-level privacy law that reaches the scope of the GDPR in the European Union. Still, there are several vertically focused federal laws that businesses must be aware of if they deal with private consumer data. These include:

• Privacy Act of 1974: Gives individuals a way to access and correct their records, and sets forth various agency record-keeping requirements.
• Health Insurance Portability and Accountability Act (HIPAA): Regulates the collection and disclosure of patient health information and requires health care providers to protect data from unauthorized use.
• Children’s Online Privacy Protection Act (COPPA): Enforced by the Federal Trade Commission, outlines the appropriate use of information of children under the age of 13.
• Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to protect customers’ data by limiting how information is shared with third parties.

Steps Toward Compliance

Your organization’s data quality and data governance team should discuss your approach tomanaging data assets. A methodical approach to making sure your organization is compliant will involve the following process:

• Determine how much data exposure is present in your environment and which state/federal rules apply to your business.
• Determine who in your organization needs to be involved and to what extent.
• Identify the utilities and software solutions needed to facilitate compliance.
• Identify the processes required to move toward compliance and the options you have to maximize your investments.
• Build a roadmap toward compliance with minimal requirements and timeline.