Corporations that have been understandably focused on the tight labor market, the pandemic, civil unrest, and stimulus economics might have missed the other big business story of 2020-2021: data privacy.
While federal legislation akin to Europe’s General Data Protection Regulation (GDPR) has stalled in Washington, state legislatures have been making significant and rapid strides towards data privacy regulations. There are two ways to view these moves – a new and important compliance area for businesses to pay attention to, and the emergence of a new privacy industry.
“There is no doubt that data privacy regulations will transform data-driven businesses as we know them,” claims David Ritter, CEO of Privacy Lock, a data privacy solutions company. Privacy Lock is also a member of the International Association of Privacy Professionals and the NIST Privacy Workforce Public Working Group Agenda. He adds, “The next decade is likely to be dominated by privacy concerns and privacy reforms by governments and businesses all over the world.”
Most businesses collect information about their consumers, whether it is the consumer’s name and address, or more sensitive information like payment information and social security numbers. Collecting any information on consumers can trigger privacy compliance considerations. Privacy laws like the California Consumer Privacy Act (CCPA), the Colorado Privacy Act, and others are empowering individual consumers to assert control over their personal information. Businesses really need to think about compliance strategies, because these regulations come with teeth in the form of financial penalties.
For those who doubt the rapid rise of data privacy legislation, take a look at the map below, showing data privacy legislation by state. Almost every month in 2021 has seen new state legislatures introduce or debate privacy regulations.
Data privacy considerations are not trivial. Managing consumer information in accordance with regulations will touch every facet of a business’s data systems: from data collection, to processing, to CRM and ERP systems, to internal business operations.
Most businesses use data systems to manage operations, track inventory, process payments, and manage customer relations. In fact, businesses are becoming more reliant on data-driven business models, not less. This means privacy concerns are accelerating, creating significant compliance challenges for businesses. The challenges are compounded by the fact that state-level regulations are creating a patchwork of different privacy laws across jurisdictions. Critically, these regulations apply based on where the consumer resides, not where the business is headquartered. A business with consumers across the country may soon need to implement 50 different compliance processes for 50 different state regulations.
Because data privacy management is non-trivial, businesses are looking to new software solutions to resolve privacy considerations in their existing data systems. As mentioned above, these solutions are spawning a new industry around data privacy. “Privacy Lock is the first data privacy solution on the market that is turnkey and offers privacy compliance capabilities across jurisdictions,” explains Mr. Ritter.
Financial penalties for companies that fail to comply can be quite steep. In the case of California’s CCPA, the first sweeping privacy bill in the U.S., penalties for violations range from $2,500 to $7,500 per incident. That can quickly add up for companies with lots of consumers. Large corporations are likely to be easy targets for the California Attorney General’s office.
To highlight the wide reach of CCPA, last month Rob Bonta, the California AG, sent CCPA-related enforcement letters to advertisers, social media sites, data brokers and ad tech firms, establishing that data tracking for advertising and analytics purposes, including cookie-based tracking, fits within the CCPA’s definition of a data sale. If the state prosecutes a violation for each cookie, it could have a material impact on the bottom line of large companies. Bonta’s letter should serve as a wake-up call, especially to Fortune 500 companies, that data privacy compliance should be taken seriously.