GDPR Compliance In The USA And 7 Ways To Prepare Your Business
While the scope and territorial reach of the European Union’s GDPR is broader, US states have started the process of “falling in line” with GDPR.
Until the Federal Government can reach bipartisan agreement on a single law for the whole country, we are going to see more states being inspired by GDPR and by one another. In varying degrees, New York, Massachusetts, New Jersey, Maryland, Oregon, Texas and Washington have already begun the avalanche of privacy and data breach notification laws.
Perhaps no state has taken steps as close to GDPR as California has with the California Consumer Privacy Act (CCPA). Enacted in 2018, it creates new consumer rights with respect to how organizations access, delete and share personal information (portability). The law prohibits selling the personally identifiable information of children under age 16 and contains further parental consent requirements for children 13-16 years of age.
The CCPA does not impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain “reasonable” security practices and procedures arising from existing California law.
Who must comply with the CCPA?
- Any for-profit company domiciled or conducting business in California with gross revenues greater than $25M.
- Any company that annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Any company that derives 50 percent or more of its annual revenues from selling consumers’ personal information.
- Any entity which controls or is controlled by a covered business.
- Any entity which shares common branding with a covered business, such as a shared name, service mark, or trademark.
- Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.
Penalties for Non-compliance:
- Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident.
- California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional.
The State of Nevada followed with a new law which goes into effect Oct 1, 2019 with a compliance deadline of Jan 2020. It will require website operators to honor opt-out requests. The opt-out mechanism can be an electronic mail address, a toll-free telephone number, or a website through which a Nevadan can submit a request.
Unlike the CCPA, Nevada’s law doesn’t apply to companies that collect personal information offline.
Who must comply with the new Nevada Law?
Operators, or anyone who:
- Owns or operates an Internet website or online service for commercial purposes;
- Collects and maintains covered personally identifiable information from consumers who reside in Nevada and use or visit the Internet website or online service;
- Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof, [or] purposefully avails itself of the privilege of conducting activities in this State.
Penalties for Non-compliance:
- Nevada AG may bring actions for civil penalties of $5,000 per violation, but consumers have no private right of action.
7 Ways To Prepare Your Business For GDPR
- Insurance – If you have an insurance policy it should undergo an independent review to ensure your organization is covered for non-compliance claims. Most of the older policy forms (2018 version or older) are obsolete and coverage will not trigger. Further, if you have cyber insurance as part of a Business Owners Policy (BOP) or part of large property policy it will NOT provide coverage for most claims arising out of CCPA.
- Update Privacy Disclosures – must be visible by Jan 1, 2020 and updated annually. A website is most likely the “best” way to comply.
- Create a Homepage Privacy Link – must be visible by Jan 1, 2020. A company’s website should display a clearly visible homepage link titled “Do Not Sell My Information”.
- Develop a Process for Handling Consumer Requests – starting on Jan. 1, 2020, covered entities must be ready to respond to consumer requests about their personal information that are allowed under the CCPA. These requests must be processed free of charge and within 45 days.
- Identify and Implement System Changes – Your IT department or outsourced provider needs to be aware and involved in the website changes required by CCPA.
- Strengthen Data Security – All companies, subject to CCPA or not, should be reviewing their information and privacy policies as well as what type of data they have stored. There may be old data which doesn’t need to be kept. Now is a good time to make those decisions.
- Employee Training – As with any process or protocol, once the systems are updated each employee should be trained on them. They should also be trained on how to respond to or direct consumers and/or customers.
Contact us if you have any questions about GDPR or want to discuss steps to prepare your business.
Upcoming Webinar – Social Engineering
When: January 29, 2020 12:00 PM Eastern Time (US and Canada)
Topic: Social Engineering Webinar: How Criminals Exploit Human Behavior and How to Protect Your Enterprise
After registering, you will receive a confirmation email containing information about joining the webinar. The event will start promptly at 12 p.m. ET.
Download our Cyber Security Assessment PDF to learn more about the assessment and benefits.
We hope to see you there. In the meantime – take a minute to drop any questions about this webinar to us at firstname.lastname@example.org.
Brian Heun is the Sales and Relationship Manager and a Partner at KMRD Partners Risk & Insurance Solutions, a leading risk management and human capital solutions firm based in Warrington, Pa.