Corporate legal teams and the companies they serve are being forced to face the tough new realities of data privacy regulation. By confronting the hard truths of data privacy today, though, they can avoid even harder lessons later.
The challenges are laid out by the experts at Keesal, Young & Logan in a new ebook, co-authored with Mitratech. They also explain the steps legal departments can take to become compliant with the rising tide of regulation.
Beyond what’s in the book though, what are a few of the current realities legal teams and companies are having to confront as data privacy trends unfold?
#1: There’s no federal salvation in sight
There’s an onrush of state data privacy protections underway, and so far there’s been little movement in Washington D.C. to provide a national policy or piece of legislation that will supersede the regulatory patchwork that’s developing. Say what one will about the GDPR: it was, at least, a way of providing a unified set of rules for an entire region.
The California Consumer Privacy Act has, in this vacuum, become the showcase example of US data privacy legislation. Other states have used it as a template, though there have been unremitting efforts to amend the CCPA on the part of lobbyists and corporations.
The result, at least for the time being? A welter of state-by-state laws for corporate legal and compliance teams to wade through.
For instance, a company may not be subject to the CCPA, which applies to firms with $25 million or more in revenue, but Rhode Island only requires $5 million to be subject to its proposed privacy law, and Pennsylvania specifies $10 million.
Still, there may be a silver lining in view, as pointed out in the ebook:
Think of the CCPA as an opportunity to create a comprehensive approach to state privacy laws, or as an opportunity to create a system to handle each state in its own way. Either way, we are at an inflection point for legal teams across the USA.
#2: There’s a lot of risk for the unprepared
When given the chance to lodge complaints, consumers often jump at it. Data privacy regulations are giving them an avenue to do exactly that; the most obvious example of how this may generate a “climate of complaint” for businesses is what’s happened with the GDPR. As of late May 2019, privacy organizations, consumers, and others had filed 144,376 GDPR complaints over the year since the law came into effect.
If a company hasn’t conducted compliance audits and done the work necessary to make their systems and databases align with data privacy regulation, the risks are obvious. But even companies we might expect to be on the ball about data privacy can find trouble. In January, Google earned the first landmark GDPR penalty, as French regulators handed out a €50 million fine to the company. The alleged violation? Google hadn’t properly disclosed to users how their personal data was being collected and employed for targeted advertising.
What’s one key to winning an appeal of a fine like this? Showing there were compliant processes in place, along with the detailed records necessary to back up a company’s assertions that it did nothing wrong. An effective process automation solution, for instance, can embed best practices in an organization’s workflows, and automatically archive those workflows for regulatory or judicial scrutiny.
#3: Compliance impacts competitiveness
Today, consumers value transparency; a brand or company that appears to put their privacy on a pedestal will earn their loyalty. Tim Cook and Jeff Bezos aren’t reminding us, with great frequency, about how invested they are in upholding users’ data privacy rights just out of the goodness of their hearts. It’s good business.
A survey from Episerver illustrates how consumers want it both ways, demanding personalization and privacy:
Although 88% of online shoppers say it is the same or higher priority for brands and retailers to offer personalised experiences online in 2019 compared with 2018, 93% say it is the same or higher priority for companies to respect their anonymity online.
By being compliant with data privacy regs, and promoting that fact, companies can seize competitive advantages in the marketplace. That’s another risk legal and compliance professionals must help avoid, beyond the costs of regulatory penalties. Reputational damage can sink market share, so installing processes and tools to enable compliance (and improve defensibility in the case of challenges) is paramount.
Know the steps a legal department should take
For companies contending with the CCPA, January 1, 2020 is getting too close for comfort if they haven’t adequately prepared. Following the sage advice of the experts that’s included in our new ebook, Data Privacy: Why Is It So Big Now? And Why Should Legal Teams Pay Attention?, will give them a solid set of steps to follow in prepping not just for the CCPA, but for disparate data privacy regulations that are taking root all over the US and global map.