As the dust settles from the EU’s recently enacted General Data Protection Regulation (GDPR), companies all over the Western world will continue to watch with bated breath as Europe ramps up enforcement of its newest (and heftiest) piece of privacy legislation. And the stakes of GDPR in the U.S. are increasing, too — with enormous fines no longer just a distant threat but something more quantifiable.
With the scrutiny several American tech behemoths have been facing recently, a growing number of people in the United States. and overseas are becoming aware of how their data is being used across the internet. This awareness has legal ramifications, and business ones as well.
Here are two substantial effects the GDPR likely will have on U.S. companies in 2019 and onward, plus suggestions on how to deal with them.
Effect No. 1: The American privacy landscape will shift
On June 28, California passed a severe piece of legislation, largely in reaction to the GDPR, called the California Consumer Privacy Act (CCPA). While not as tough as the GDPR, the CCPA still has huge implications for the future of American websites and eCommerce businesses that collect and use customer data.
For instance, Californians will soon be entitled to know what data has been gathered about them from anywhere they’ve visited on the web. If a consumer from California formally asks a business to reveal what information it has accumulated about them, the business has 45 days to comply or face a potential lawsuit.
One way websites have been preparing to handle this (since the CCPA isn’t enforceable until Jan. 1, 2020) is by building a “personal information request form” page. For small businesses this shouldn’t be too much of a burden, but bigger companies will need to invest the necessary resources to process these data requests.
Additionally, the CCPA allows Californians to request that their information not be sold, and companies must inform them if they intend to sell any data collected about them. Violations can get pricey, so it’s important for business owners to have the infrastructure in place once the bill goes live in 2020.
Companies have also been tightening up their legal policies and making them more transparent in preparation of the CCPA.
Cookies, which have long been used by websites to inconspicuously track user behavior and information, now must be disclosed to consumers — often in the form of a banner. You’ve probably seen a few of these banners around, and they aren’t going away anytime soon.
California, as the homebase of Silicon Valley and many of the world’s major tech companies, is now poised to be the American pioneer of significant online consumer privacy rights. A federal law as weighty as the CCPA hasn’t emerged yet, but there are rumblings about one. Until then, keep your eyes open for new state legislation.
Effect No. 2: ‘Privacy by Design’ will become the norm
Privacy by Design (or PbD) is a concept that people running online businesses should be familiar with (if they aren’t already). Recognized and recommended by the FTC as “best practice” for companies in the U.S., PbD is primarily about building privacy into all levels of your operations.
From your products to your website to the way you collect and store data, everything must be thought out and executed before you begin taking care of other business needs.
Prioritizing your user’s personal information and making sure you safeguard it at all costs are core tenets of Privacy by Design.
There are “seven commandments” of Privacy by Design:
- Proactively protect user privacy. Rather than react after a user’s data has been compromised, have a system in place that’s ready to prevent such a breach in the first place.
- Make privacy protection the default setting of your site. When someone lands on your home page for the first time, their settings should be set to max. Consent is required before collecting data or using cookies.
- Embed privacy protection into the design (of everything). Build your website and products with privacy in mind.
- Maximum privacy settings = still fully functional for users. Never make users choose between their privacy and their security, or other such unreasonable either/or scenarios.
- Protect data from collection all the way to deletion. From the moment you collect someone’s data to its erasure, be certain it’s safe from exploitation.
- Maintain transparency. If it’s not simple for your users to know the data you’re collecting or the content of your policies, you’re not being transparent enough.
- Keep privacy “user-centric.” Essentially, privacy should be user-friendly. It shouldn’t be a chore for people to exercise their right to privacy.
Implementing privacy by design requires a collaboration of developers, engineers and management to truly execute. Due to the cost and resources associated with its implementation, PbD is still not getting the attention it deserves in the U.S.
This is bound to change as a result of the GDPR in the U.S. and new American privacy legislation that will gradually be rolled out in the near future.
Final thoughts on GDPR in the U.S.
GDPR enforcement has already been wielded to varying effects in Europe following its enactment, but it’s just in its infancy. As severe cases of non-compliance and penalties are publicized in the future, it will grow increasingly clear that user-oriented privacy practices are here to stay.
It’s time for American companies to invest the necessary resources and energy to prioritize consumer privacy — before sweeping regulation like the GDPR is needed to enforce it.
The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.