Navigating the Regulatory Landscape
by Gihan Shahidy
If you thought the regulatory agenda was going to wind down after the CFPB spent the last five years rolling out its agenda, filing enforcement actions and steering the industry toward a fair and free market, you're wrong.
The regulatory landscape continues to evolve in its quest to support every aspect of a consumer's daily life, especially when it comes to their personal information. As a consumer, it’s good to know that the government has our back. However, as a professional, it's becoming more challenging to meet all of the requirements of the Federal and State laws, not to mention those of the various agencies with supervisory rights.
As a matter of fact, given the EU's new General Data Protection Regulation (GDPR), companies must now also consider consumers who live abroad. How do we compliance officers navigate this landscape with efficiency?
The GDPR brought sweeping changes to the regulatory environment for companies operating in the EU, regardless of where they are based. US companies that have customers residing in the EU must comply with the GDPR when processing those customers' data.
The GDPR imposes stronger data protection requirements, which give individuals more control over their personal data and level the playing field among businesses. The law requires affirmative consent from an individual before their data can be used, whereas previously silence or no response could be treated as consent. The law also creates more transparency into how consumer data will be used, when it will be transferred outside the EU and whether an algorithm was used to make an automated decision based on a consumer's data.
The GDPR gives consumers stronger rights around notification of data breaches and around accessing, moving or erasing their data (yes, consumers in the EU have "the right to be forgotten"). This becomes extremely burdensome for companies, as it requires them to manage records on an individual basis and according to each consumer's personal preferences. This, in turn, requires significant changes to documentation and data handling practices.
The GDPR is not the only one of its kind.
The California Consumer Privacy Act (CCPA) imposes new obligations of disclosure, data deletion and data access on a wide variety of companies. It gives California consumers control over their personal data through three main concepts:
Transparency, which gives consumers the right to know what information is being collected about them
Control, which gives consumers the right to stop the sale of their information
Accountability, which gives consumers the right to have their data kept safe
Similar to the GDPR, companies around the world will have to comply with the CCPA when processing California consumers' data. However, unlike the GDPR, the CCPA sets thresholds that define which companies must comply. It is also important to note that the CCPA adds to the many existing data privacy laws that California has enacted over the years. Some of these laws have been found to be inconsistent with, and to overlap with, one another, which only contributes to the fragmented privacy law landscape in California. This alone makes compliance with the law more complex for companies that have consumers residing in the state. Companies not only need to consider federal, state and global privacy laws according to where their consumers reside, but they must also consider the multiple components within each law.
What to do?
Expect the worst.
Certainly, California is not alone, and neither is the EU. More US states are expected to follow in California's footsteps and consider similar laws in their quest for the privacy and protection of their residents. Other regions will likewise introduce their own requirements. For example, Brazil has enacted the Brazilian General Data Protection Law (LGPD), which will become effective February 15, 2020.
Global companies, wherever they reside, need to address the requirements of the CCPA, the GDPR and other privacy regimes concurrently and universally in order to gain efficiencies. They need to develop a structured approach to compliance and readiness assessments that helps identify gaps and establishes a roadmap. Where requirements differ, and they do, they should apply the most stringent rule. They must also be sure to leverage the most scalable solutions and to assign accountability to the appropriate individuals.
Perhaps the time will come for a single federal privacy law that bridges the gaps in this landscape, or perhaps a consortium of global actors will create unified requirements. In the meantime, the best bet is to err on the side of caution and take a conservative approach to navigating this disjointed landscape efficiently.