Highly publicized data breaches and revelations about the various ways consumer data is collected, stored, and used have recently spotlighted companies’ data privacy policies and the regulations that govern them. Recent developments showcasing the extent to which this data is also sold or otherwise disclosed to third parties, with users left unaware, have further highlighted the need for more transparency in this area. Two major data privacy laws passed in the European Union (EU) and the state of California have the ability to shape how many companies need to approach the issue, with other laws in the works both globally and domestically. Internationally, Brazil has recently approved the General Data Privacy Law, and Argentina and India have proposed their own laws or drafted frameworks. Domestically, Colorado enacted a law to amend the state’s data breach notification requirements, including reporting timelines, and New Jersey and Washington have recently taken steps toward advancing their own data privacy legislation. With the draft Consumer Data Protection Act of 2018, federal efforts are also gaining traction. These actions further underscore the need for companies to examine their data privacy frameworks.
The General Data Protection Regulation (GDPR) became effective on May 25, 2018, and is applicable to organizations within the EU that use personal data, as well as international organizations that provide goods and services to individuals in the EU or monitor their behavior. While most organizations have completed initial assessments and some form of remediation, very few have developed the necessary downstream procedures to operationalize the program and demonstrate compliance with the GDPR requirements.
Shortly after the effective date of the GDPR, the state of California passed the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. While the CCPA only provides data privacy rights to California state residents, considering there are currently minimal federal laws or regulations in the United States governing data privacy and use, particularly outside of financial and health matters, California’s law has the potential to set the standard for the entire country due to the size of the state and the breadth of what the statute aims to cover.
Navigant provides an overview of some key features of the GDPR and the CCPA as well as key comparisons between the two and key considerations.