A study conducted by Pew Research Center found nearly eight in 10 adults in the U.S. were at least somewhat concerned with how companies use data collected about them. In the same study, only 6% of Americans said they understood what was done with the data collected about them by companies.
This study highlights the importance of privacy to the American consumer—and the lack of transparency many organizations have around data collection and use practices.
This is the first installment in a series of blog posts focused on understanding the basics when it comes to privacy—we’ll outline what you and your organization need to know to be successful when it comes to privacy regulations and data protection.
Privacy Regulations in a Globalized World
Thanks to technology, we live in a globalized world. A European Union (EU) citizen can shop online with U.S.-based brands, and someone living in New York can virtually visit a museum located in California without leaving their home.
“When we begin to talk about privacy regulations, it’s important to understand that different cultures have very different views on privacy,” said Swathi West, manager of healthcare and privacy at BARR Advisory. “Typically, Americans tend to be less concerned with privacy, while other countries have a stronger definition of privacy and stricter privacy regulations.”
The General Data Protection Regulation (GDPR) provides an excellent example of how privacy regulations affect a globalized, connected world. Since the GDPR is a regulation in the EU, American companies may think it doesn’t impact them if they have no presence in the EU or no EU-based employees—but many U.S.-based companies must comply with the GDPR if they offer goods or services to EU residents or monitor the behavior of EU residents.
“This reaches a lot further than many U.S. organizations may realize,” explained West. “For example, if your website is based in the U.S. but still attracts and collects data from European visitors, you must heed the GDPR.”
Understanding Key Terms
With so many privacy-related terms thrown around, what does “personal data” really mean? Personal data is any information connected to a person’s identity—this could include their name, job, religion, address, and more.
Processing personal data is defined as collecting, recording, gathering, organizing, storing, using, disclosing or otherwise making personal data available by electronic means.
International Privacy Regulations
The GDPR is the most thorough privacy regulation that exists in the world today. Passed into law in the EU in 2018, this strict regulation sets guidelines for the collection and processing of personal information of individuals who live in the EU.
“The GDPR is very clear stating any entity, regardless of their location, that collects or processes personal information of EU residents must comply with the regulations laid out in the GDPR,” West emphasized. “Knowing whose data your organization collects or processes makes it easier to determine whether or not your organization must comply.”
Under the GDPR, organizations have to ensure that not only are they gathering data legally, but also protecting the data from misuse or exploitation. This means companies can be significantly more liable in the event of a data breach.
The GDPR was designed to give EU citizens more control over their personal data and make it easier for consumers to understand how their data is collected and used. Organizations are required to notify consumers if their data was compromised in a breach.
Federal Privacy Regulations
The U.S. has no overarching federal consumer data privacy law in place the same way the EU does. “Instead of one privacy regulation here in the U.S., we have a number of industry-specific regulations that encompass privacy,” West noted. Those regulations include:
- HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patient health information from disclosure without the consent of the patient. Learn more about HIPAA.
- GLBA: The Gramm-Leach-Bliley Act (GLBA) protects financial and nonpublic personal information and requires financial institutions to explain their data sharing practices to their customers. Learn more about GLBA.
- COPPA: The Children’s Online Privacy Protection Act (COPPA) protects the personal information of children under the age of 12 by prohibiting organizations from collecting personal data from children 12 and under without parental consent. Learn more about COPPA.
Regardless of your industry, it’s always important to check in with your GRC and legal team or your trusted security partner to ensure you’re complying with any industry-specific privacy laws that may apply to your organization.
State Privacy Regulations
While there’s no federal consumer privacy regulation, the California Consumer Privacy Act (CCPA) is the most prominent state privacy law in the U.S. It gives consumers more control of their data, including:
- The right to know the personal information collected about them
- The right to delete personal information
- The right to opt out of the collection and sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
How do you know if the CCPA applies to your organization? You are required to comply if your business serves California residents and meets one or more of the following three requirements:
- Your organization has an annual gross revenue of over $25 million USD
- Your organization buys, receives, sells, or shares personal information of 50,000 or more consumers, households, and/or devices
- Your organization derives 50% or more of your annual revenue from selling consumer data
“California is the most populous state in the country, so many organizations need to comply with the CCPA,” said West. “If a California consumer visits your website and you have cookies collecting any information that could be linked with their personal identity, you will have to inform them and give them the option to opt-out.”
While the CCPA was a groundbreaking privacy law when it passed, a number of other states have followed in California’s footsteps and passed their own comprehensive privacy regulations. Massachusetts, New York, Maryland, Hawaii, Colorado, and Virginia have similar laws in place.
GDPR vs. CCPA: Key Differences
It can be helpful to compare and contrast some key aspects of the GDPR and CCPA in order to understand the rights certain consumers have and the different requirements of compliant organizations.
Both the GDPR and CCPA grant consumers the right to access, delete, and opt-out of personal data collection. The GDPR gives consumers the right to correct incorrect personal information and also requires explicit consent from consumers to have their data collected, two rights not granted by the CCPA.
Making Sense of Privacy Regulations For Your Organization
Businesses should always work closely with a legal and compliance team to understand how privacy regulations affect their business. This might include a privacy attestation or audit.
“It’s best practice for a business to respect consumer privacy,” said West. “Regardless of regulations, it’s good for your business and good for your consumers when you are open and honest about your data collection practices,” she concluded.
With these regulations in mind, how can organizations ensure they are processing personal data correctly? In part two of this blog series focused on privacy, we’ll dive into how different frameworks and assessments can help organizations achieve compliance with various privacy regulations.
Interested in learning more about how privacy regulations may impact your organization? Contact us today for a free consultation.