By: John McClung
Data privacy is one of the most important business and cultural issues of the 21st century. Smartphones and the internet have made personal information of every kind instantly accessible on an unprecedented scale. As a result, identity theft, fraudulent credit card charges, and solicitation by businesses based on consumer spending habits have risen dramatically. Technology and cybersecurity entrepreneurs have scrambled to make online accounts and transactions more secure, and lawmakers are now following suit. So what does this mean for your business?
In May 2018, the EU’s General Data Protection Regulation (GDPR) took effect. Created to protect individuals’ personal data and to harmonize the rules across EU member states, the GDPR imposes strict requirements for securing the personal data of private individuals, backs them with heavy penalties for non-compliance, and has redefined the way many U.S. companies operating overseas conduct business. This past January, California’s own data privacy law, the California Consumer Privacy Act (CCPA), took effect, borrowing some elements from the GDPR and bringing the U.S. closer to its EU counterparts. It is also the nation’s first comprehensive statewide consumer data privacy law.
Even if your New York business doesn’t interact with California residents, the CCPA will still affect you. Because of California’s population size as well as its economic and political importance, the CCPA will effectively become the nationwide standard for U.S. businesses, at least until a federal data privacy law is passed. Washington lawmakers are looking at California’s new legislation as they consider such a proposal, since a single legal standard for data privacy would be more efficient and cheaper for businesses and cybersecurity firms to implement in the long run.
For New York businesses that do business with California residents, the impact is more immediate. Among other requirements, those businesses must now disclose what personal data they have collected about a consumer and, on the consumer’s request, delete that data or stop selling it to third parties. The CCPA, and the GDPR before it, have also legally broadened the definition of “personal information” to cover any information that can “directly or indirectly” identify a person. This includes biometric data, browsing history, employment and education data, and inferences such as consumer preferences, psychological trends, and aptitudes, along with any other data that can be used to build a profile of the individual.
The CCPA applies to for-profit businesses that do business in California, collect California residents’ personal information, and meet at least one of three thresholds: (1) annual gross revenue of more than $25 million; (2) buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or (3) deriving 50 percent or more of annual revenue from selling consumers’ personal information. A company does not have to be based in California or the U.S., or even have a physical presence in California, to be subject to the CCPA.
Many New York businesses that operate in California also operate in Europe and have already made changes to comply with the GDPR. Many others, especially smaller firms that don’t operate overseas, have not. To comply with both the GDPR and the CCPA, New York businesses should make sure their entire executive team is on board with the new data privacy regulations. Businesses should designate one person within the company who is responsible for ensuring that all obligations under the law are being met. Operational implementation is key, and third-party vendors should be vetted for their data-handling practices before they are hired. Additionally, annual data protection training should be mandatory for all employees and built into new-hire training.
A further suggestion is to use encrypted email. End-to-end encryption supports the GDPR’s data protection by design and by default requirements, and zero-access encryption at your email provider means the provider cannot read the content of your stored mail, which limits your exposure and liability if the provider itself is breached. Two caveats apply. End-to-end encryption only protects a message when the recipient can decrypt it, so mail sent to an outside party who does not use a compatible system is still readable in transit and in that party’s mailbox. And neither approach hides message metadata such as sender and recipient addresses and delivery headers, which remain visible to the provider and to anyone who obtains them.
When reviewing your firm’s data collection policy, keep your obligations to clients under the GDPR and CCPA in mind, while recognizing that not all businesses operate the same way and may not require the same level of restructuring. Here at Sasserath & Zoraian, LLP, for instance, we have always taken client privacy and security very seriously, and unless required by a court-ordered subpoena, all client information remains confidential.
Please contact our team with any questions you may have.