What You Need To Know About International Privacy Laws When Running an Online Business



By Robin Singh, CFE, CCEP, HCCP
Compliance and Fraud Control Lead, Abu Dhabi Government

Websites, email and social media are the three top marketing tools used by businesses. More than 50 percent of small businesses invest in a website to expand their reach, while e-commerce accounted for 17 percent of global retail sales. With more than 1.6 billion people across the globe buying goods online, businesses have to focus on data protection. A recent Global Privacy Enforcement Network (GPEN) survey looked at 1,200 mobile apps and found 85% of them failed to explain to their users how personal data was being collected, stored or handled.

Data breaches have hit the headlines over the past decade, necessitating stringent laws and amendments to existing data protection laws worldwide. The 2014 attack on Yahoo that compromised personal details of more than a billion users and the more recent eBay incident that impacted more than 400 million accounts are cases in point. JP Morgan Chase, Equifax, Uber and many more businesses that have an online presence have also been subject to data theft, compromising billions of user records.

The General Data Protection Regulation (GDPR) and California Consumer Privacy Act of 2018 are two of the most recent laws that came into force this year aimed at giving users control over how companies use their personal information. Online businesses need to be well-versed in these international privacy laws no matter where they are located as long as they impact EU and California residents. Other state laws have also been implemented that are aimed at protecting their residents’ personal data.

International privacy laws

GDPR: The General Data Protection Regulation (GDPR), a comprehensive European data privacy law, came into force on May 25, 2018. The aim of GDPR is to give individuals across the 28 member countries of the European Union full control of how their personal data is collected, stored and handled. Since GDPR protects EU citizens no matter where they are, businesses across the world with an online presence dealing with EU customers online will be impacted by this law. Non-compliance or a data breach can attract penalties of up to 4% of a company’s yearly turnover or €20 million.

Under GDPR, EU customers have digital data rights related to:

  • transparency
  • access to personal information
  • objection
  • rectification
  • the right to be forgotten
  • portability

While web giants including Facebook and Google made changes to their privacy policies to ensure compliance, some businesses are unsure of how to obtain consumer consent. An advertising technology company, Drawbridge, closed down because of a lack of clarity on obtaining consumer consent for digital advertising. Acxiom, a professional data mining company that accesses voter records, vehicle registration numbers and purchasing behavior, is revamping its portal that lets consumers know what data is stored.

California Consumer Privacy Act of 2018: Also called AB 375, the California Consumer Privacy Act is a far-reaching piece of privacy legislation in the U.S. that will come into force on January 1, 2020.

The Act applies to all for-profit businesses involved in collecting personal information on California residents. It applies to businesses in California with revenues above $25 million, or that collect information on more than 50,000 residents annually, or that earn 50 percent of revenue from the sale of personal information of residents in California.

Online businesses located elsewhere but accessible to California residents also need to comply with the Act.  Intentional violations of the Act can attract penalties of $7,500 for each incident.

AB 375 gives these rights to the consumers:

  • Be informed of all data that a business collects
  • Refuse to consent or the right of “opting out” with respect to sale of any personal information
  • Ask for erasure or deletion of data
  • Be informed on data categories that a business will collect before it is collected
  • Be informed of where data is acquired from or shared
  • Know the reason a business is collecting information
  • Take legal action in the event a company does not take the necessary steps to protect data or when there is a data breach

Personal information refers to any information that can be used to identify an individual.  It refers to an exhaustive list that includes “commercial information” such as purchase history, personal property records, tendency to purchase or purchases considered and information related to search history or browsing.

Under this act, online businesses will have to ensure they do not discriminate against consumers who exercise their right to privacy or erasure. This means that they cannot deny services or goods, charge more for services or goods, or provide goods or services of different quality to these customers. One confusing loophole, however, is that the act does provide businesses a way to charge differently if this “difference is reasonably related to the value provided to the consumer by the consumer’s data.”

Online businesses will also be required to provide users with at least two channels to submit their data disclosure requests, which could be a form on the website and a toll-free number at a minimum. Within 45 days of receiving a request, businesses will have to provide the required information.

Businesses will also have to be ready to provide information on sources of data collection, the specific information collected and the third parties with which the information is being shared, if consumers request it.

New and revised state data breach laws: Almost every U.S. state has made amendments to existing data breach legislation to curb unauthorized data poaching. These amendments expand the scope of what constitutes personally identifiable data. Here is a lowdown on some of these amendments, state-wise:

Arizona: On July 21, 2018, Arizona brought in an amendment that requires businesses to notify consumers within 45 days of discovering a data breach. If more than 1,000 users are affected by the breach, the companies should notify credit reporting agencies and the state attorney general.

Colorado: In September of 2018, Colorado amended the HB18-1128 legislation on data protection, making it mandatory for businesses to notify their consumers within 30 days of coming to know of a breach. The businesses also have to notify the state attorney general if 500 or more residents are involved.

The amendments also include details on the mandatory written policy that businesses should have for personal information disposal, while expanding the scope of data types that are protected. Amendments include military, student, and passport numbers, apart from identification numbers from medical and health insurance.

Iowa: Effective from July 1, 2018, H.F. 2354, which relates to data protection in Iowa, makes it illegal for website operators to rent or sell students’ information while requiring them to put in place stringent security procedures aligned with Federal and state data protection laws.

Vermont: Effective from January 1, 2019, an amendment to H.B. 764 creates “heightened requirements” for brokers of data and makes it compulsory for brokers to inform Vermont’s Secretary of State of any breach.

Louisiana: An amendment to S.B. 361, in force from August 1, 2018, enhances the scope of identifiable information and makes it mandatory for companies to notify users within 60 days of data breach determination. Last name, initials and first name along with passport number, biometric data and state identification numbers are included in this amendment under personally identifiable data.

Oregon: S.B. 1151, which came into effect on June 2, 2018, makes it compulsory for companies to give notification within 45 days of data breach discovery. If a breach affects 250 or more consumers, companies should inform the state attorney general. Employee training has also been made compulsory under this law.

South Dakota: South Dakota brought in S.B. 62, which came into force on July 1, 2018, requiring notification within 60 days of data breach discovery.

What steps can online businesses take to ensure compliance?

Many businesses are taking the necessary action to revise their data handling and collection practices to comply with GDPR, although a recent TrustArc survey found only 20% of businesses in the U.K. and U.S. were compliant. Here are some ways online businesses can ensure compliance with state, Federal or GDPR regulations:

Get unambiguous consent: One of the most important aspects that online businesses should focus on is obtaining unambiguous consent. Silence, inaction or pre-ticked boxes on the website are not regarded as consent of the user under GDPR. The user has to take “clear affirmative action” such as ticking or checking the box to indicate he or she has understood the explanation on data collection the business gives.

If your online business has already collected many types of data before GDPR came into effect, such data will become obsolete unless fresh consent is obtained from users. A W8 Data survey found 75 percent of data collected by U.S. businesses online would become obsolete.

Right to be forgotten: As another powerful right conferred by GDPR on consumers, the right to be forgotten enables users to ask for data erasure. Online businesses have to ensure they put protocols and systems in place to be able to erase personal data or digital footprints upon user request.

Avoid bombarding with emails: Businesses cannot send “cold” marketing emails to any EU citizen without obtaining documented proof of his or her consent to receive them, as per the GDPR. Many online businesses get around the problem by targeting potential customers on platforms like LinkedIn. By virtue of being a LinkedIn member a user automatically consents to connect with other users.

Data protection officer: Online businesses should also appoint a data protection officer to monitor and ensure data protection as laid down in Articles 37 to 39 of GDPR.

Train employees: Many Federal and State laws related to data protection make it mandatory to train employees on data protection. Ensure ongoing training sessions for all levels of employees on prevalent data protection laws and recent amendments.

As businesses expand their footprints and enter new market areas through e-commerce, they will have to quickly adapt to emerging cybersecurity and data protection challenges. A comprehensive written policy on data protection, cybersecurity, employee training and data auditing will go a long way in helping online businesses to maintain compliance with various data laws.

