When it comes to data privacy, it’s not all about the General Data Protection Regulation (GDPR), and it’s not all about Europe.
Here in the U.S., and in the wake of GDPR, which of course took effect in May, there exists the California Consumer Privacy Act of 2018, known colloquially as CCPA. The legislation is slated to go into effect on January 1 of 2020, and among other mandates requires (with some similarities to GDPR) that companies gather consent from their consumer base when it comes to collecting and using data — and there are also provisions that mandate consumers be compensated when their data is in fact used. There are monetary penalties involved in the event that data is used in non-compliance with the law.
As the state-level initiative looms, and as headlines mount over data breaches at Facebook and Google and any number of other firms, data privacy has garnered its share of attention from legislators. The attention has come most visibly through a series of hearings over the past few weeks. Earlier this month, advocates and industry observers testified before the Senate Committee on Commerce, Science and Transportation on consumer protections.
The hearing was titled “Consumer Data Privacy: Examining Lessons from the European Union’s General Data Protection Regulation and the California Consumer Privacy Act,” and came on the heels of a September hearing that looked at the ways some of the marquee names mentioned above could have and should have addressed security concerns.
The aim may be to foster data privacy and protection while making sure that innovation can take place — but how to get there is open for debate, and some stakeholders want a national data-privacy law in place.
In tandem with the October testimony of a series of privacy advocates and experts, a dozen organizations offered up a data-protection framework to the Senate committee, and the framework urges baseline federal data protection legislation that can be based on existing guidelines such as the OECD Privacy Guidelines and algorithmic transparency, among other mandates.
In an interview with PYMNTS conducted by written communication, Bart Lazar, partner at Seyfarth Shaw (focused on intellectual property and data privacy and security) said this week that the California Data Privacy Act can serve as a template for federal baseline legislation because “California makes up such a significant portion of the U.S. economy that it is difficult for a company to treat California consumers differently than they treat non-California consumers. The law is de facto legislating the country anyway.” He stated, too, that “the statute embraces many key concepts of transparency which should be part of any federal baseline of data protection.”
Asked what the takeaways might be from GDPR in its first few months, Lazar said privacy laws are difficult and expensive to comply with and the very broad definitions and scope of the GDPR can be cumbersome. “While we may be in an economic mode of protectionism, global companies have the need for global data protection policies to make data flows simpler, safer and more efficient,” he told PYMNTS.
With a nod to the push toward a national data-privacy framework here in the states, he said that “all” data cannot be protected by federal legislation. But “personal data and sensitive data can be defined and levels of protections determined through a regulatory process” that evolves along with input from stakeholders ranging from industry to advocates, with an eye on setting a uniform standard of what constitutes security and even what constitutes protectable/personal data.
As with many treaty processes involving universal principles, he told PYMNTS, “we should think of data rights similar to intellectual property — copyright, patent, trademark — all of these are the subject of international treaties providing baseline protections.”
And with a view of the recent Congressional hearings, he said the real debate is “not really consumer rights vs. big bad business. Consumers and industry win if the rules are clear and inexpensive for legitimate businesses to comply with them.”