The Changing Landscape of Data Collection and Protection

By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE

In April 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which went into effect in May 2018.  The GDPR is a great step forward for consumers and data privacy.  For most of us, the GDPR was an interesting conversation starter at cocktail parties and networking events.  It only impacts businesses that operate inside the EU or the European Economic Area (EEA), or businesses anywhere in the world that process the personal data of individuals located in the EU or the EEA.

In June 2018, the California Legislature led the way in the United States by passing the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020.  This law will have a great impact on data privacy throughout the United States.  Many other states are now contemplating their own consumer privacy laws.  Included in the law are various consumer safeguards:

  • Notice:  Guarantees consumers the right to know what data is being collected
  • Consent:  Guarantees consumers the right to opt out of data being sold
  • Deletion:  Guarantees consumers the right to delete all their private data, with exceptions
  • Access:  Guarantees consumers the rights to access, download or transfer their data
  • Kids’ Rights:  Kids under 16 must opt in to consent to the sale of their data
  • Enforcement:  The attorney general can levy fines, and consumers can sue for breaches

(See www.commonsensemedia.org – a sponsor of the bill and a great source of reviews, objective advice, helpful tools and more for media, tech and the digital world.)

The law only protects individuals residing in the state of California.  The CCPA applies to any for-profit entity that collects personal information, does business in California, and meets at least one of the following thresholds:

  • Has annual gross revenue over $25 million
  • Annually buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
  • Derives 50% or more of its annual revenue from selling consumers’ personal information

To be clear, the revenue threshold makes no distinction on where that annual revenue is earned.  So even if you do $1 million in revenue in California and $25 million in revenue in North Carolina, the law still applies to your business.

The CCPA is expansive in its definition of “personal information.”  “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Basically, if you think it could be personal information, it is under the law.

A big difference between the CCPA and the GDPR is the opt-in/opt-out portion of the law.  The GDPR requires a lawful basis before personal data is processed, and for most marketing and tracking uses that basis is the individual’s affirmative consent, an opt in.  That, combined with the EU’s ePrivacy rules on cookies, is why we are constantly bombarded with cookie notices on almost every website we visit.  In practice, many sites offer only two choices, allow the site to collect our information or leave, and we are opting in to the data collection when we click “accept” or “OK” on the cookie notice.  In contrast, the CCPA requires an opt out.  The CCPA requires notice, at or before the point of collection, of what personal information is being collected and the purposes for which it will be used, and a business will need to include a good deal of additional information about the data it collects in its privacy policy.  However, there is no opt in.  It is assumed the individual is already opting in by using the product or service.  Where the consumer rights come in is the right to opt out.  After the data is collected, the consumer has the right to request a report of the personal information the business has collected about that individual.  The consumer also has the right to tell the business not to sell his or her data, and the right to request that the business delete all of the data it holds on that consumer (with a few exceptions).

And just in case you thought you were not affected by these data privacy laws because you live in North Carolina, amendments to the NC Identity Theft Protection Act have been introduced as House Bill 904.  The proposed changes apply to businesses that conduct business in NC and own or license personal information of NC residents.  Some of the main points of the amendments are:

  • Requires businesses to implement and maintain reasonable security procedures and practices
  • Imposes a maximum of 30 days after discovery of a breach or reason to believe that a breach has occurred to notify impacted individuals and the NC Attorney General
  • Expands the definition of personal information to include any information regarding an individual’s medical history, condition, treatment, diagnosis, genetic information, and health insurance information like a policy number
  • Clarifies when other information that normally is not “personal information” would be considered “personal information” for notice and security procedure requirements
  • Changes the law from unauthorized access and acquisition of data containing personal information to unauthorized access to or acquisition of….
  • Requires businesses to verify a lack of harm for 3 years
  • For any breach involving SSN, the business must provide identity theft monitoring and mitigation services for 24 to 48 months
  • Increases the amount of information a business is required to provide to the Attorney General
  • Clarifies that compliance with HIPAA is considered compliance with the law
  • Gives the consumer more control over credit checks and information at a Credit Reporting Agency (CRA)

Since there is currently no federal framework, businesses will need to work with attorneys, CPAs, and cybersecurity/data privacy specialists to stay abreast of the changing laws in the states where they do business.  There are always costs to regulations, and these consumer privacy laws are no different.  Much of the burden will be borne by businesses.  However, just as food label regulations cost businesses but put consumers in control of what is in the food they choose to eat, data privacy laws such as the CCPA will put consumers in control of their own data.  It is this author’s opinion that the CCPA is a positive move forward for data privacy.

Ben Hunter, III, CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM

Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]