In January 2020, the California Consumer Privacy Act (CaCPA) comes into force, exposing organisations to potentially large fines for wilful violations of data privacy. Inspired by the Europe-wide General Data Protection Regulation (GDPR), which came into force in May 2018, the CaCPA is expected to shake up data management practices across America. The crux of the new law (just as with the GDPR) is the potential for huge fines, calculated per violation and therefore per affected individual, for selling the profiles of people who have asked that their information not be sold.
To illustrate the severity of the potential fines: if applied retrospectively, the new law would impose a penalty of US$61.6 billion for violations involving the data of the 24.6 million California Facebook users affected by the Cambridge Analytica scandal. If the breaches were treated as intentional, the calculation is steeper, coming in at a potential US$184.7 billion. With the Guardian reporting that Amazon admits to investigating the large-scale theft, by its own employees, of product reviewers' email addresses, which were deliberately sold on, it is clear that laws like the GDPR and the CaCPA are needed to ensure a company actually has your consent.
GDPR is more than just Europe
With this news from across the pond, it is as if the West has united over one idea. A cultural course correction. The wondrous vision of Tim Berners-Lee, that the whole world could share information and ideas, has run into a snag. Consumers are annoyed about the indiscriminate theft of their data.
To borrow from the field of economics, a data set is only a desirable product if it has value. If a company stores information on 40,000 ticket purchasers, it can tell you how old they were and what type of ticket they bought, by category. That information is useful, and it has a value.
When the data stays in the form of 'how many', no one really has a problem with it being sold. We don't mind if Wembley Stadium learns to put on an extra date for our favourite pop artist. What we do have a problem with is the recent avalanche of ways to sell more of our personal data as a 'product'. The email address or postal address we supply to prove a 'verified purchase', together with our other payment details, all ends up as sellable data. With no law against it, companies have been doing it en masse.
At its core, the GDPR led the way in correcting a world-wide marketing mistake. Email addresses, postal addresses and other personal data cannot be sold like products unless the individual agrees to let the company sell them on. It is a positive shift towards ensuring consent is explicit and not implied. An email address is a personal thing, particularly if it is linked to payment details and verification factors such as a personal signature or your fingerprint. You own it. If you want to give it away for free, that's your business, but no one is allowed to simply take it any more.
What will the picture be in 2020 California?
Many UK companies are only now coming to grips with the sheer volume of third parties they deal with, from offshore front-line support centres using cloud platforms to supply chain users. Most still have not established how widely the personal data they manage is shared, or how far beyond the EU and EEA border it has travelled. It won't be any different in the States, and a company with Californian residents in its data set will have only a 30-day period to cure an alleged violation once notified of it before fines can be imposed.
Many people think it is only about consent. It is more than this. It is about the lawful basis of processing and how you protect people's data. A recent survey of 1,021 UK businesses found that 37% are still not following the GDPR, and it is not hard to see why. How consent management sits within company culture, and the interdependencies between systems and people, can be incredibly challenging. Is it a compliance issue or a technology issue? Or both?
By Paul Tarantino, CEO, Consenteye
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.