Posted on February 12, 2020 in Blog
Amid the flood of recent data breaches and cyber-attacks, privacy is the word on everyone’s mind. The over-collection and sale of customer data run rampant right now, as does the failure of companies in myriad industries to adequately protect sensitive data from theft, but new laws are putting an end to the uncontrolled market.
Historically, consumers had little say over the data that was collected about them, sold, or lost in attacks and breaches. However, California is looking to change that with the “California Consumer Privacy Act.” This new law gives consumers the right to request that their personal data be deleted or demand it never be sold.
Rumors abound that Florida is working on a similar law to help protect data privacy and give back control to consumers.
Logistically, compliance may be difficult for some, if not all, of those affected. Fines for non-compliance range from $2,500 to $7,500 per incident, and many companies are not ready for, or even aware of, the change.
The law potentially applies to any for-profit company that does business in the state of California (even if not physically located in California). However, the company must also meet one of the following three criteria to fall within the scope of this new statute:
The United States Department of Justice expects about 15,000-400,000 businesses to be affected throughout the country.
Late in 2019, the European Data Protection Supervisor (EDPS) deemed Microsoft in breach of European data privacy laws. The report cited Office 365 as the culprit due to storing “functional and diagnostics data” by collecting email subject lines and other text during a spell check. The Dutch Ministry of Justice and Security published a series of articles exposing the data breach and its opinion that Microsoft was violating Europe’s General Data Protection Regulation (GDPR).
According to a piece published in Forbes, “Microsoft has now acknowledged its position as a data controller.” This declaration raises the accountability bar for Microsoft. Julie Brill, Microsoft’s Chief Privacy Officer, explained that “In the Online Services Terms OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune.”
The new terms of service will apply to all commercial customers and then roll out to consumers and enterprise customers early this year. The changes do not address all of the concerns raised by the Dutch Ministry of Justice and Security, but they are a start.
The London-based non-profit company Privacy International (PI) has named Oracle, Acxiom, Criteo, Quantcast, and Tapad, along with Equifax and Experian, in complaints it filed regarding “systematic infringements” of the General Data Protection Regulation (GDPR). If found guilty, these companies could be subject to steep fines.
Bast Amron’s Peter Klock comments on the recent changes, “This is only the beginning. What privacy or data security related developments should businesses expect to see in the new year? With the California Consumer Privacy Act finally having taken effect on January 1, 2020, we expect plaintiffs’ consumer class action attorneys to capitalize on companies that have dragged their feet to adapt to the new normal; the enactment of a host of new data privacy laws at the state level, following in the footsteps of CCPA and the EU’s General Data Privacy Regulation that came before it; and the wider adoption of data and privacy best management practices by businesses nationwide. While many have failed to see the writing on the wall, experts agree that California’s much discussed legislation was just the leading edge of a new wave of data privacy legislation in the United States. Nevada quickly followed suit with the passage of its own new data privacy law (even beating California to the punch by pushing their new law into effect in October, 2019) and at least ten other states have comprehensive data privacy laws in the works.
Is your business keeping up with the developments and requirements of privacy law?”