It’s October. That means it’s National Cybersecurity Awareness Month, which emphasizes personal accountability and the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. This year’s theme – Own IT. Secure IT. Protect IT. – puts the focus on topics such as citizen privacy, consumer devices and ecommerce security.
To protect their privacy and security, individuals need to understand their rights and recourses. That is a challenge in today’s dynamic technology and regulatory environments.
The good news is that individuals are gaining more control over the ownership of their data. And that will enable people to take a more active role in protecting their privacy.
GDPR set the stage for legislation in the U.S.
The General Data Protection Regulation is the most high-profile development on the personal data front. GDPR, which took effect in May of 2018, gives European Union residents more control of their personal data. Under GDPR, businesses:
- can only collect data required for the efforts to which people have agreed
- must explain why they collect the data that they do
- have to disclose with which other organizations they share users’ personal data
- are required to alert EU residents within 72 hours of a breach impacting their data
- need to correct, delete and/or provide lists of customers’ data at their request
GDPR – and the Equifax breach and the Facebook-Cambridge Analytica scandal – have prompted legislators and regulators elsewhere on the planet to address cybersecurity and personal data privacy, too. The California Consumer Privacy Act was one of the new regulations that emerged as a result.
California’s new consumer privacy act is nearly here
This ground-breaking law takes effect Jan. 1, 2020.
It applies to academic, biometric, employment, geolocation and internet browsing data. It also impacts data indicating what products individuals have looked at or purchased, as well as inferences drawn to create personal profiles indicating preferences.
The CCPA will:
- give California residents the right to demand that companies disclose what personal data they have collected about them
- enable Golden State consumers to ask companies to delete their personal data
- allow individuals there to forbid companies from sharing personal data with third parties
The CCPA applies to companies that do business in California. That includes companies with more than $25 million in gross revenue, businesses with data on more than 50,000 consumers and firms that make more than half of their revenue selling consumer data. It also covers out-of-state merchants that sell to California residents or display a website in the state.
Some law and privacy experts actually expect CCPA to have the effect of a national law. Their thinking is that this will happen by default because companies will find it easier to apply CCPA nationwide than to create separate systems for compliance.
There’s also a push for a national personal data privacy law
That notion, and the fact that other states might follow suit, greatly concerns companies whose fortunes are tied to personal digital data.
Many technology organizations have lobbied aggressively for the creation of a federal privacy law.
Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, commented: “It’s clear that the strategy here is to neuter California for something much weaker on the federal level. The companies are afraid of California because it sets the bar for other states.”
How this will all ultimately play out remains to be seen. But at least one report suggests it’s unlikely a federal privacy bill aimed at preempting state laws like the CCPA will come before Congress this year. Meanwhile, CCPA appears on track to take effect at the beginning of the new year. And at least one thing is for certain: Cybersecurity and personal data privacy will remain in the spotlight well beyond National Cybersecurity Awareness Month and into the year ahead.