Tougher data privacy laws have already taken effect in the European Union and are due next year in California.
And while no local or federal legislation has been enacted yet, that could change as various states propose their own laws. New York is working on a data privacy proposal.
Given that, businesses are encouraged to start analyzing the data they collect, how it’s protected and where it’s stored, experts say.
“The risk is either we have 50 different [data privacy and protection] laws or one federal law, and no one knows which it’s going to be yet,” says Mark G. McCreary, chief privacy officer and a partner at Fox Rothschild LLP in Philadelphia.
The EU's General Data Protection Regulation (GDPR) that took effect in May 2018 affects firms that collect or process personal data of individuals in the EU even if the business isn’t based in the EU, says McCreary. As part of that, businesses are required to adhere to certain guidelines, such as informing individuals what data’s being collected and how it would be used, and to have a way for that data to be erased or “forgotten” upon request, he says.
The California Consumer Privacy Act of 2018 (CCPA), “mirrors GDPR to a certain degree,” says Stephen Breidenbach, co-chair of the cybersecurity, privacy and technology practice at Moritt Hock & Hamroff LLP in Garden City. It also includes provisions that entitle an individual to know what data’s being collected, how that data is used and what third parties that data is shared with, he says.
That law will go into effect next year no later than July, perhaps sooner, says McCreary.
For that law to apply to a business, it must generate annual gross revenue over $25 million; receive or share personal information of more than 50,000 California residents annually; or derive at least 50 percent of its annual revenue by selling the personal information of California residents, he says.
But even if your business doesn’t fit one of those criteria, there’s a significant chance your business could be impacted in the future, says Breidenbach. For proposed legislation in New York, see http://tinyurl.com/yble76y5 and for a federal proposal, see http://tinyurl.com/y6zpcb45, he says. “Copycat laws are now being proposed,” says Breidenbach. “We don’t know how far these bills will develop, but we know many states are working on enacting new privacy laws.”
Businesses can look at GDPR and CCPA as references to what requirements may be coming, says Peter Milla, an industry consultant who is data protection officer at Cint, a Stockholm-based market research and tech provider.
Businesses should “map” the data they collect on consumers and assess their digital ecosystems, says Milla. This includes knowing what personal data they collect and where it’s stored (i.e., in the cloud, on internal servers or in hosting arrangements), he says.
There are costs associated with this, and they can vary based on the kinds and amount of data being collected, says Milla.
At the very least, companies should take a hard look at their own cybersecurity practices, says Nicole Della Ragione, a member of the cybersecurity and data privacy practice at Ruskin Moscou Faltischek PC in Uniondale.
Within GDPR and California’s law, companies are required to take reasonable data protection measures to safeguard residents’ personal information, she says. As a best practice, companies should have proper cyber policies and procedures set up. That includes making sure access rights and controls are in place so that not every individual in an organization has access to sensitive data; instead, access rights and controls should be based upon an employee’s role, she says.
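The three practices the experts describe above, building a map of what personal data is held and where, granting access by role rather than to everyone, and being able to erase a person’s data on request, can be tied together in a small piece of code. The following is an added example written for this article, not code from any of the firms or laws mentioned; the data categories, store names (crm_db, hr_db, s3_backups, analytics_cache), roles and subject records are all constructed for illustration, and the stores are in-memory dictionaries standing in for real databases and buckets.

```python
"""Added illustration (not from the article): a minimal personal-data map,
deny-by-default role-based access checks, and an erasure routine that
walks every store the map knows about.  All names and records are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DataAsset:
    """One row of the data map: what is collected, how sensitive it is, where it lives."""
    category: str      # e.g. "email", "ssn"
    sensitivity: str   # "public", "internal" or "sensitive"
    store: str         # hypothetical storage location, e.g. "crm_db"


# Constructed data map: the inventory a business builds when it "maps" its data.
DATA_MAP = [
    DataAsset("email", "internal", "crm_db"),
    DataAsset("purchase_history", "internal", "crm_db"),
    DataAsset("ssn", "sensitive", "hr_db"),
    DataAsset("health_notes", "sensitive", "hr_db"),
    DataAsset("email", "internal", "s3_backups"),   # backups count as a store too
]

# Role -> sensitivity levels that role may read.  A role missing from this
# table gets nothing, so the default is deny rather than allow.
ROLE_CLEARANCE = {
    "marketing": {"public", "internal"},
    "support": {"public", "internal"},
    "hr": {"public", "internal", "sensitive"},
}


def can_access(role, category, store):
    """Allow only if the (category, store) pair is in the map and the role is
    cleared for that asset's sensitivity.  Unmapped data is denied: if it is
    not in the inventory, nobody has established who may see it."""
    asset = next((a for a in DATA_MAP
                  if a.category == category and a.store == store), None)
    if asset is None:
        return False
    return asset.sensitivity in ROLE_CLEARANCE.get(role, set())


def stores_holding(category):
    """Where does a given kind of personal data live?  Needed to answer
    'what do you hold on me' and to know what an erasure has to reach."""
    return sorted({a.store for a in DATA_MAP if a.category == category})


def build_sample_stores():
    """Fresh constructed backends keyed by store name, then by subject id.
    'analytics_cache' is deliberately absent from DATA_MAP to show how an
    unmapped copy of personal data surfaces as a gap."""
    return {
        "crm_db": {"u1": {"email": "a@example.com", "purchase_history": ["order-1"]}},
        "hr_db": {"u1": {"ssn": "000-00-0000"}},
        "s3_backups": {"u1": {"email": "a@example.com"}, "u2": {"email": "b@example.com"}},
        "analytics_cache": {"u1": {"email": "a@example.com"}},
    }


def erase_subject(subject_id, stores):
    """Handle an erasure ('right to be forgotten') request.  Removes the subject
    from every store listed in the data map and returns (stores_touched, gaps),
    where gaps are stores present in the environment but missing from the map,
    so they can be reviewed instead of being silently skipped."""
    mapped = {a.store for a in DATA_MAP}
    gaps = sorted(set(stores) - mapped)
    touched = []
    for store in sorted(mapped):
        if subject_id in stores.get(store, {}):
            del stores[store][subject_id]
            touched.append(store)
    return touched, gaps


if __name__ == "__main__":
    s = build_sample_stores()
    print("marketing may read email in crm_db:", can_access("marketing", "email", "crm_db"))
    print("marketing may read ssn in hr_db:", can_access("marketing", "ssn", "hr_db"))
    print("email is held in:", stores_holding("email"))
    print("erasing u1:", erase_subject("u1", s))
```

The two checks that matter for a practitioner are the default-deny in `can_access` (an unknown role or an unmapped asset is refused) and the `gaps` list returned by `erase_subject`: a store that holds personal data but never made it onto the map is exactly the copy an erasure request would otherwise miss.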
Taking these kinds of steps makes sense, considering “there’s a lot of risk that comes with having poor cyber practices,” says Della Ragione.
A survey by analytics firm SAS found that US consumers are increasingly concerned about their personal data. Of 525 US adult consumers surveyed, almost three-fourths (73 percent) said their concern over the privacy of personal data has increased in the past few years.