California signed into law the California Consumer Privacy Act (CCPA) only a month after the GDPR was introduced, facing much criticism from its own state’s tech industry — now, will the New York Privacy Act get a second run?
The success of these two landmark pieces of legislation has led to several other attempts to replicate regulation of this type in the US.
The Washington State Privacy Act and New York Privacy Act (NYPA) both failed to pass their legislative sessions last year, but there is speculation that the NYPA will be reintroduced, with the aim of having it implemented by 2021.
Some of the NYPA’s provisions are considered rigorous and ground-breaking, even by the CCPA and GDPR’s standards.
With all these new regulations and potential penalties being introduced, how are businesses expected to comply? We asked a few experts for their thoughts.
Disguising data to comply with regulations
Under both the EU and the Californian legislation, the de-identification or anonymisation of data became an important regulatory standard.
This means that data must be completely stripped of its identifying aspects. To summarise the approach of the GDPR, CCPA and NYPA to the collection of personal data: it must be de-identified, and its re-identification must be neither possible nor encouraged.
Although the three laws differ in their details, they share one point: de-identified data is not considered personal data.
Guy Cohen, head of policy at Privitar, discusses the difficulties of juggling compliance with two major pieces of legislation and the potential introduction of a third.
“While both laws [GDPR and CCPA] place an emphasis on the importance of pseudonymised or de-identified data to protect consumer privacy, one of the few ways the NYPA is arguably easier to achieve is that its definition of de-identified data appears to be easier to achieve than that of the CCPA or GDPR.”
Cohen’s point is that each iteration of this type of law brings more clarity and more achievable definitions.
The de-identification of data is an important future project for businesses interested in avoiding potentially crippling fines.
“In the future, developing a comprehensive and effective de-identification functionality may be the single most important step an organisation can take to manage privacy risk, and thereby comply with the laws of today and tomorrow,” says Cohen.
Problems with compliance
There are still potential pitfalls for businesses looking to analyse personal data.
Aoife Sexton, chief privacy officer at Truata, sees problems with de-identifying data when it is handled as an integrated part of a wider data collection process.
“Anonymising personal data can provide an effective method for businesses seeking to limit the risks when analysing personal data. However, academic research has demonstrated how easy it is to re-identify an individual from a so-called “anonymised” dataset when the dataset is released at row level,” she says.
“This is because all too often poor anonymisation practices have meant that only obvious identifiers like name, address, etc. have been removed or obfuscated from a data set before it is released, making it still possible to re-identify individuals by linking other less obvious identifiers remaining in the data set. A better approach would be to have a separate expert organisation independently carry out the anonymisation and only release aggregate insights.”
Sexton sees a solution in outsourcing the de-identification process to a partner company.
“By finding a trustworthy partner to handle data anonymisation, organisations can reap the benefits from data analytics and derive valuable insights – but importantly, as the output will be genuinely anonymised, organisations can retain the trust of their customers and build confidence in their brand.”
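The linkage risk Sexton describes can be checked before any row-level release. The following is an added example, not code from the article or from Truata: it takes a constructed extract in which name and address have already been removed, measures how many rows remain unique on the quasi-identifiers that are left (k-anonymity), shows the effect of coarsening those fields, and releases only aggregate counts for groups above a minimum size. The field names, the sample rows and the generalisation rules are all assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample extract (not real data): name and street address already removed,
# i.e. the "obvious identifiers only" practice the article warns about. Quasi-identifiers remain.
ROWS = [
    {"zip": "10001", "dob": "1984-03-02", "sex": "F", "dx": "asthma"},
    {"zip": "10001", "dob": "1984-03-02", "sex": "F", "dx": "flu"},
    {"zip": "10002", "dob": "1979-11-17", "sex": "M", "dx": "diabetes"},
    {"zip": "10003", "dob": "1975-07-30", "sex": "M", "dx": "asthma"},
    {"zip": "10003", "dob": "1975-07-30", "sex": "M", "dx": "hypertension"},
    {"zip": "10005", "dob": "1988-01-09", "sex": "F", "dx": "flu"},
]

def raw_key(row):
    """Quasi-identifiers exactly as they would appear in a row-level release."""
    return (row["zip"], row["dob"], row["sex"])

def generalized_key(row):
    """Coarsened quasi-identifiers (hypothetical rule): 3-digit ZIP prefix, decade of birth, sex."""
    return (row["zip"][:3], row["dob"][:3] + "0s", row["sex"])

def k_anonymity(rows, key):
    """Size of the smallest equivalence class; k == 1 means someone is unique on these fields."""
    return min(Counter(key(r) for r in rows).values())

def unique_rows(rows, key):
    """Rows that a join against any other dataset carrying the same fields could pin to one person."""
    counts = Counter(key(r) for r in rows)
    return [r for r in rows if counts[key(r)] == 1]

def safe_aggregate(rows, key, k_min):
    """Release only per-group diagnosis counts, suppressing any group smaller than k_min."""
    groups = defaultdict(list)
    for r in rows:
        groups[key(r)].append(r["dx"])
    return {g: dict(Counter(dxs)) for g, dxs in groups.items() if len(dxs) >= k_min}

if __name__ == "__main__":
    print("k at row level:", k_anonymity(ROWS, raw_key))
    print("uniquely identifiable rows:", len(unique_rows(ROWS, raw_key)))
    print("k after generalisation:", k_anonymity(ROWS, generalized_key))
    print("aggregate release:", safe_aggregate(ROWS, generalized_key, k_min=3))
```

On this sample the row-level extract has k = 1 with two uniquely identifiable people even though no name or address is present, while the generalised aggregate reaches k = 3 and the raw-key aggregate releases nothing.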
Changes to data collection
Sexton also considers how companies will have to change their data collection practices in light of the CCPA and the potentially upcoming NYPA.
One solution that Sexton sees as both recapturing customer confidence and bringing companies into line with legislation is greater transparency about the data collection process.
She explained: “The game’s up for companies and organisations in terms of the way they collect, use and sell personal information.
“Companies need to take a comprehensive approach in order to achieve regulatory compliance and still derive value from their customer data. Being transparent with consumers about the data they are collecting and how they are using it are essential steps to take.
“The proliferation of data and use of data by businesses have understandably sparked massive concerns among consumers regarding how companies are using their personal data. In fact, 60% of customers are uneasy with companies using their personal data for analytics.”
Stronger regulation to come
Current CCPA regulations may become more stringent, according to Grant Fritchey, product advocate at Redgate Software.
“Already dubbed ‘CCPA 2.0’, the California Privacy Rights Act is being championed by the same campaigning group that forced the introduction of the CCPA and demands a lot more than the CCPA in terms of protecting consumer privacy. Expect fireworks if it makes it onto the November ballot,” he warns.
Fritchey expects the NYPA to be on the agenda this year, which could see even stricter restrictions and requirements placed on businesses than the current CCPA.
He explained: “The New York Privacy Act, which failed to make it through the legislative session last year, is likely to be introduced again in 2020.
“It goes further and deeper than the CCPA and even the GDPR in some respects, requiring consumers to opt-in to the sale of their personal data, rather than opt-out.
“The act will no doubt be revised as it makes its way through the state senate, but even its detractors are urging that it be closer to the terms of the CCPA, reducing the burden businesses will face in complying with both.”
The introduction of the NYPA, with its different stipulations and requirements, would make compliance that much more complicated for businesses already working to meet the CCPA, as they would be expected to comply with both.
Fritchey also says that he has seen this precipitate a change in how companies and consumers view data.
“Common themes are emerging and companies need to start thinking about identifying and classifying the personal data they hold, putting in place measures to protect it, limiting its use to the purpose for which it was collected, and asking for consent to collect it in the first place.
“That’s a big shift in the way they currently handle personal information and it changes their position from being the owners of data to being the guardians of it.”
Similarities and differences of current NYPA and CCPA
Toni Vitale, partner and head of data protection at JMW Solicitors, explains how the NYPA’s enforcement would differ from the CCPA’s and why those elements of the bill could make it the more severe of the two.
He comments: “The New York Privacy Act bears some similarity to the California law. Like the CCPA, it would allow people to find out what data companies are collecting on them, see who they’re sharing that data with, request that it be corrected or deleted, and avoid having their data shared with or sold to third parties altogether.
“But the New York bill was potentially tougher in significant ways. While the California law leaves enforcement to the state’s attorney general, the New York Privacy Act would give New Yorkers the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits.
“Perhaps the most ground-breaking thing the new bill would have done is introduce the legal concept of an information fiduciary. Theoretically, the fiduciary concept says that once a company is given consumer data, it necessarily takes on the duty to exercise loyalty and care in how it uses that information.”
Potential costs of legislation changes
With Maine and Nevada also having passed new privacy legislation or amendments to existing laws, it seems that this type of regulation is here to stay.
One estimate placed GDPR compliance costs at $7.8 billion, just for the 500 largest global firms.
It is up to companies to anticipate and prepare for new laws on data collection. Fines for those not conforming to the regulations can be hefty and could significantly damage the reputation of an organisation.
The potential for individual lawsuits could also create a serious problem for companies if the NYPA is introduced as is.
Vitale says: “The New York Bill has, however, effectively been shelved until 2021 at the earliest, and there was a fear that the personal right of action would have clogged up the courts with multiple class and individual actions.”