
A glimpse into data protection laws like the GDPR and CCPA

Data protection laws like the GDPR and consumer privacy are a hot topic, and for good reason. With tens of billions of gigabytes of data generated on the Internet each day, and an increase in data breaches and data misuse, it is important for businesses, consumers, and governments to take privacy seriously. It might be tempting to assume that some data protection laws don’t apply to your business, or to simply assume that you are already compliant, but getting that assumption wrong can be costly.

Image from Statista

The burden of protecting personal information and maintaining privacy online was once placed on the user, with businesses that suffered data breaches seeing few consequences. As businesses have moved more services online, they are now expected to maintain user privacy and safeguard data, with steep fines in place for those who fail to do so. According to a recent IBM study, the average total cost of a data breach (investigation, notification, lost business, and any regulatory fines) is $3.86 million. Against that backdrop it is no surprise that, by one widely cited figure, 60% of small businesses go out of business within 6 months of a data breach.

User perceptions of privacy are changing. Just as someone may choose one business over another for its policies and actions on topics like the environment or animal testing, young buyers increasingly prefer to do business with companies that are privacy focused and will go out of their way to protect their personal information.

What is personal information?

Personal information is any piece of information that, on its own or combined with other information, can be used to identify a person. Generally, the following pieces of information are classified as personal information:

  • Name
  • Home address
  • Phone number
  • Email addresses
  • Race or ethnic origin
  • Religion
  • Age
  • Marital status
  • Medical, education, and employment history
  • Financial information
  • DNA
  • Identifying numbers like a social insurance number or driver’s license.

Different laws tend to have their own interpretation of what data is considered personal information. This is important for businesses to keep in mind, especially those that serve people outside of their home country. Some data protection laws apply to businesses even if they operate in a different country from the one where the law originated. A good example is the GDPR, the EU law that protects people in the EU regardless of where the business handling their data is located: offering goods or services to people in the EU, or monitoring their behaviour, is enough to bring a business into scope.

What are the key protection laws merchants should know?

Unfortunately, there is no definitive list of data protection laws that you must follow. But it is a good idea to familiarize yourself with some of the common ones to get a better understanding of the impact these kinds of laws can have on your business.

Below is a list of some of the common data protection laws that might apply to your business. If you are still unsure about what laws apply to you it is best to speak with a specialist.

GDPR - General Data Protection Regulation

What might be described as the celebrity of data protection laws, the GDPR came into effect in May 2018, replacing the 1995 Data Protection Directive (95/46/EC) and the patchwork of national laws built on it across the European Union. The law laid the groundwork and set an example for what a strong and effective data protection law should look like, with many other regions using it as a blueprint.

Just as the European Union exists to bring together and harmonize the laws of its member countries, the GDPR was created to harmonize data protection laws across Europe. It is a regulation, so it applies directly in every EU country without needing national legislation, but it leaves room (through so-called opening clauses) for member states to pass their own laws that supplement it in specific areas, such as the age at which a child can consent to data processing or the rules for employee data. Over 440 million people in the EU are protected by the GDPR, and it also applies in the EEA countries of Norway, Iceland, and Liechtenstein.

The GDPR specifically addresses the relationship between controllers, processors, and data subjects (the users). A controller is the party that determines why personal data is processed and how that will occur. A processor is a party that processes personal data on behalf of the controller. A good example of the difference between the two: you, as a business, are the controller of your customers’ personal data, since you decide which pieces of information you need in order to deliver value to your customers, and any service you use that handles that data for you (a hosting provider, an email marketing tool, a payment gateway) is a processor. The GDPR requires a written contract between the two, and the controller remains responsible for choosing processors that offer adequate protection.

A key feature of the GDPR is the greater control it gives users over their data, including the right to erasure (Article 17), popularly known as the “right to be forgotten”. Users can request that a business delete all the data it holds about them when that data is no longer needed for the purpose it was collected for, when they withdraw consent, or when the processing was unlawful in the first place; some exceptions apply, such as records the business is legally required to keep. This part of the GDPR caused panic for many businesses when it was introduced, because while plenty of technology and process had been built to collect and store data, there were few effective ways to cleanly and reliably delete it: a user’s data is typically spread across a primary database, analytics systems, logs, backups, and the systems of every processor the business uses, and an erasure request has to reach all of them.

CCPA – California Consumer Privacy Act

The California Consumer Privacy Act came into effect on January 1, 2020 (with enforcement by the Attorney General beginning July 1, 2020) and serves to protect the personal information of California residents. At the time of writing it is the strictest data protection law in the United States and is comparable to the GDPR.

Unlike the GDPR, which applies to any company worldwide that offers goods or services to people in the European Union, the CCPA applies only to for-profit businesses that do business in California (wherever they are headquartered), collect personal information of California residents, and meet at least one of three thresholds: annual gross revenues of over $25 million USD; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or earning half or more of their annual revenue from selling consumers’ personal information.

Under the law, consumers have the right to know what personal information a business has collected about them, where it came from, and with whom it has been shared. Consumers have the right to have personal information deleted by the business and its service providers. Consumers can opt out of the sale of their personal information and instruct a business to stop selling it (businesses that sell personal information must provide a “Do Not Sell My Personal Information” link for this purpose). Consumers are also given the right of non-discrimination: a business cannot charge a different price or provide a different level of service because a consumer exercised a privacy right under the CCPA.

Businesses that qualify have obligations under the CCPA. They must notify consumers at or before the point of collection about what categories of information are collected and why, and they must create procedures to respond to opt-out, right-to-know, and deletion requests. Businesses must respond to a request within 45 days, which can be extended by a further 45 days when reasonably necessary, as long as the consumer is told. Before acting on a right-to-know or deletion request, the business must verify the identity of the consumer making it, so that the process cannot be used by an attacker to pull or wipe someone else’s data.

Read more about the CCPA in this fact sheet that was put together by California’s Office of the Attorney General.

How can merchants comply with data protection laws?

There are many ways that merchants can ensure that they comply with data protection laws. While each law has its own set of requirements and recommendations that must be followed, it doesn’t hurt to take a proactive approach to data protection. The Federal Trade Commission in the United States, in its guide “Protecting Personal Information: A Guide for Business”, lists five steps that businesses can follow to ensure user data is protected:

  • Take Stock - Businesses should know what personal information they currently have on users
  • Scale Down - Businesses should only capture and store information that is needed for the operation of the business
  • Lock It - Ensure that the user data that you have is secure
  • Pitch It - If you don’t need to keep data to operate the business dispose of it
  • Plan Ahead - Create a security plan to be able to respond to any security incidents.

The “Scale Down” step is likely to have the biggest impact on your business from a proactive standpoint. Personal information you never collect is information you never have to secure, disclose in a breach notification, hand over in a right-to-know request, or track down and delete later.
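The deletion problem raised under the GDPR’s right to be forgotten, and the FTC’s “Pitch It” step, share one practical difficulty: copies of personal data end up in backups and secondary systems that cannot be selectively edited. One technique practitioners use is crypto-shredding, where each customer’s personal data is stored encrypted under a per-customer key and “deleting” the customer means destroying that key, so every surviving copy of the ciphertext becomes unreadable. The following Go program is an added example written for this article; it is not code from the original page or from any vendor. The store, the customer IDs, the JSON records, and the two-year retention period are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"time"
)

// ErrForgotten is returned when a record's key has been shredded: the
// ciphertext may still exist (in the store, in backups), but nobody can read it.
var ErrForgotten = errors.New("customer has been erased: no key exists")

// record is the encrypted personal data as it would sit in a database row.
type record struct {
	nonce      []byte
	ciphertext []byte
	lastActive time.Time // used by the retention purge ("Pitch It")
}

// ErasureStore keeps personal data under a per-customer AES-256-GCM key.
// Keys live in a separate map standing in for a key management service;
// records can be copied into backups freely because they are useless
// without the key.
type ErasureStore struct {
	keys    map[string][]byte // customer ID -> 32-byte key; removed on erasure
	records map[string]record // customer ID -> encrypted personal data
	now     func() time.Time  // injectable clock so retention is deterministic
}

func NewErasureStore(now func() time.Time) *ErasureStore {
	return &ErasureStore{keys: map[string][]byte{}, records: map[string]record{}, now: now}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts a customer's personal data, generating a fresh key on first use.
// The customer ID is bound in as associated data so a ciphertext cannot be
// silently re-attached to a different customer.
func (s *ErasureStore) Put(customerID string, personal []byte, lastActive time.Time) error {
	key, ok := s.keys[customerID]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[customerID] = key
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // random 96-bit nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, personal, []byte(customerID))
	s.records[customerID] = record{nonce: nonce, ciphertext: ct, lastActive: lastActive}
	return nil
}

// Get decrypts a record. It fails with ErrForgotten once the key is gone,
// which is exactly what a restored backup would see as well.
func (s *ErasureStore) Get(customerID string) ([]byte, error) {
	rec, ok := s.records[customerID]
	if !ok {
		return nil, errors.New("no record for customer")
	}
	key, ok := s.keys[customerID]
	if !ok {
		return nil, ErrForgotten
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.nonce, rec.ciphertext, []byte(customerID))
}

// Erase serves a verified right-to-erasure request: zero the key and drop it.
// The encrypted row is left in place; it is now just noise.
func (s *ErasureStore) Erase(customerID string) {
	if key, ok := s.keys[customerID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.keys, customerID)
	}
}

// Forgotten reports whether a customer's data can no longer be recovered.
func (s *ErasureStore) Forgotten(customerID string) bool {
	_, hasKey := s.keys[customerID]
	return !hasKey
}

// PurgeInactive is the "Pitch It" step: shred keys for customers who have been
// inactive longer than the retention period. Returns the purged IDs, sorted.
func (s *ErasureStore) PurgeInactive(retention time.Duration) []string {
	cutoff := s.now().Add(-retention)
	var purged []string
	for id, rec := range s.records {
		if !s.Forgotten(id) && rec.lastActive.Before(cutoff) {
			s.Erase(id)
			purged = append(purged, id)
		}
	}
	sort.Strings(purged)
	return purged
}

func main() {
	clock := func() time.Time { return time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC) }
	s := NewErasureStore(clock)
	// Constructed sample customers: one recent, one dormant for three years.
	_ = s.Put("cust-1001", []byte(`{"name":"A. Example","email":"a@example.com"}`), clock().AddDate(0, -1, 0))
	_ = s.Put("cust-1002", []byte(`{"name":"B. Example","email":"b@example.com"}`), clock().AddDate(-3, 0, 0))

	fmt.Println("purged by retention:", s.PurgeInactive(2*365*24*time.Hour))
	s.Erase("cust-1001") // a verified erasure request for the active customer
	for _, id := range []string{"cust-1001", "cust-1002"} {
		_, err := s.Get(id)
		fmt.Printf("%s readable after erasure? %v (%v)\n", id, err == nil, err)
	}
}
```

Two caveats belong with this technique. The key store now carries the whole erasure guarantee, so it must not itself be sitting in the same long-lived backups as the ciphertext, and destroying a key has to be logged as the fulfilment of the request. Crypto-shredding also only covers data you hold; anything already handed to a processor (email tool, analytics, support desk) still needs its own deletion request, which is why the data inventory from the “Take Stock” step matters.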

Looking for more information about data protection laws?

There is a lot of information available online on data protection laws, privacy, the GDPR, and the CCPA. With so much written about this subject it can be difficult finding answers to specific questions or even knowing where to start. Below are some articles that are worth checking out.