Every time you make a digital transaction, grant an app a permission, or visit a doctor, you leave a trail of valuable, personal, and sometimes sensitive information. Many companies collect that data only to turn around and sell it to a third party, who then sells it again. But what governs the sale, use, and security of your personal data? So far, lawmakers in the US have looked to patchwork legislation and market self-regulation to answer that question. It’s not working. Welcome to the shadow economy that powers what Tim Cook, CEO of Apple, calls the “data-industrial complex.”
Who owns a person’s data? Who’s responsible in the event of a data breach? Where can your personal information be stored, and for how long? Should the consumer have a say in all this? Data privacy laws can provide answers, and ideally, give people more sovereignty over their own personal information.
Six years ago, the Obama Administration devised a plan for federal-level data privacy laws in the Consumer Privacy Bill of Rights. That plan failed through a mixture of lost momentum and bad timing (coinciding with Edward Snowden’s revelations about data surveillance practices by US government agencies). Since then, Silicon Valley and the shadow economy of data brokers have largely been allowed to make their own rules when it comes to data privacy in the US.
While many of the world’s other advanced economies have made great strides towards governing the flow of personal data, American legislation is years behind where it should be.
Adopted in 2016 and enforceable since May 2018, the European Union’s GDPR is the gold standard of comprehensive data privacy legislation. It applies to any organization established in the EU that processes personal data, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior there. Citizenship is beside the point: the law protects anyone whose data is processed in those circumstances.
Built on a foundation of transparency, the GDPR requires businesses to tell the people whose data they process who the business is and how it can be contacted, why it is processing personal data and on what legal basis, what types of data are being collected, how long the data will be kept, and with whom it is shared. It also gives individuals sovereignty over their own data: the right to access it, correct it, have it erased, and take it elsewhere, and the right to withdraw any consent they have given.
For the most serious violations, the GDPR allows fines of up to 4 percent of a company’s worldwide annual turnover or €20 million, whichever is greater (a lower tier, capped at 2 percent or €10 million, covers lesser infringements). These fines are the main incentive for businesses to play fair with customer data.
In just 18 months, the GDPR has led to a €50 million fine for Google, a pending €204 million fine for British Airways, and over 90,000 personal data breach notifications filed by organizations with regulators. Policy wonks originally called effective enforcement the biggest test for the GDPR’s sweeping aspirations. So far, it appears to be passing that test.
The US has largely left the question of data privacy to individual states. In that race, California leads the pack. The CCPA goes into effect on January 1, 2020 and follows the GDPR’s lead by requiring businesses to disclose what types of personal information they collect, why they collect it, and with whom they share or sell it. It applies to for-profit businesses that handle Californians’ personal information, but only if they meet at least one of the following criteria: they buy, receive, sell, or share the personal information of at least 50,000 California consumers, households, or devices a year; they derive 50 percent or more of their annual revenue from selling personal information; or they have annual gross revenue over $25 million.
While the scope of businesses covered under the CCPA is smaller than under the GDPR, the potential cost of a violation is much higher. Beyond civil penalties of up to $2,500 per violation (or $7,500 per intentional violation) sought by the Attorney General, the CCPA gives consumers a private right of action when a data breach results from a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. That means a service with a few hundred thousand users can be vaporized by CCPA liability if it suffers a significant data breach. While such a threat is unlikely to deter a company from operating in a state that ranks as the fifth largest economy in the world, businesses operating in California still must tread carefully.
A subtle but critical difference between the CCPA and the GDPR is the positioning of each law’s default settings. Under the CCPA, a business may sell a consumer’s personal data to third parties unless the consumer opts out (the one exception is minors under 16, whose data may not be sold without opt-in consent). Under the GDPR, a business needs a lawful basis before it collects personal data at all, and where that basis is the individual’s consent, it must be a freely given, specific opt-in; silence or a pre-ticked box does not count. This makes the CCPA’s default setting forgiving to businesses, as people generally keep the default settings of what they’re handed. The same orientation governs the sale or transfer of personal data to third parties: the CCPA requires a business to give customers a chance to veto the transaction, through a “Do Not Sell My Personal Information” link, whereas the GDPR puts the burden on the business, which must establish a lawful basis, such as the customer’s explicit consent, before it may pass personal data to a third party.
The differences between the CCPA and the GDPR are, for the most part, a healthy form of individualization. The major problem in the US is a lack of a single, comprehensive, federally-guided framework for data privacy regulations.
Data privacy laws in the US are, for the time being, splintered between different states and industries. But state-level and sector-specific regulations should be seen as prototypes for a single, comprehensive, federally guided data privacy law, not as replacements for it. Separate regimes for health data (HIPAA) and for general consumer data in one state (CCPA) make things more difficult for businesses, not easier, because the number of competing rules keeps growing.
A single, comprehensive, federally guided law should cover all institutions that deal in data and should default towards proactive consumer protection rather than mere disclosure. And, in the interests of global business, it should be as compatible with the EU’s GDPR as possible; such alignment will only make it easier to do business in America. Even major economies on the other side of the political spectrum, like China, have recognized that aligning their legislation with GDPR standards is critical. The US may be too far behind in data privacy to be taken seriously as a global leader in the subject. But it’s not too late to catch up.