2018 was a seminal year for privacy. India drafted its first data privacy bill. The Facebook/Cambridge Analytica scandal broke, spawning nearly a dozen investigations by international and US regulators over Facebook’s data practices. Its executives were hauled before Congressional committees. Marriott suffered a data breach affecting up to 500 million customers—one of the largest breaches in history. These events all pale in comparison, though, to the implementation of the General Data Protection Regulation (the “GDPR”) in the European Union.
Why does an EU law have such a monumental effect on privacy globally? First, it doesn’t just apply to EU organizations: it reaches any organization, wherever it sits, that offers goods or services to people in the EU or monitors their behavior (Art. 3(2)). Second, as the strictest privacy law in the world to date, it has become the gold standard for privacy frameworks. Finally, some organizations whose data is subject to a variety of privacy laws have adopted the GDPR as their SOP for all of their data rather than partition their data sets for disparate treatment.
GDPR is the legislative equivalent of an Instagram influencer. It should come as no surprise that its impact is being felt here in the US.
Since the GDPR became effective on May 25, 2018, privacy bills have been introduced over a half-dozen times in the US Congress and in 24 state legislatures. These bills come in all shapes and sizes, but two of the most common motifs they borrow from the GDPR are the privacy principles of notice and choice, otherwise known as “this is what we’re doing with your data” and “here’s what you can do about it.”
The GDPR requires organizations to process personal data transparently and sets out the disclosures organizations must make to data subjects, such as what data is being collected, how it’s being used, and with whom it’s being shared (Arts. 5(1)(a), 13, 14). It isn’t just the ‘what’ that matters for these disclosures, but also the ‘how.’ This information must be presented to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Art. 12(1)). In short: make it easy to read and understand.
The vast majority of the privacy bills introduced in the states, and some of the federal bills, explicitly require organizations to be transparent about their processing of personal data by communicating their practices in a clear and meaningful privacy notice. Beyond identifying the organization and describing its collection and use practices, many of the bills also require the notice to disclose whether the organization profiles data subjects, sells their data, or conducts targeted direct marketing.
Action Item: Review your organization’s privacy notice against a checklist of the GDPR requirements. Some of them may not apply to your organization, but it’s a good place to begin evaluating how complete your notice is. Ensure your statements about your privacy practices are accurate by working with every team that collects or uses data within your organization; a notice that is clear but wrong is worse than one that is merely hard to read. Finally, read the notice for clarity and tone. Is it easy to understand, or does it require a post-graduate education to decipher?
Choice is a broad concept in data privacy, which boils down to “don’t use people’s personal data in ways they don’t want you to.” Practically, though, choice comes in a variety of forms in privacy legislation. The GDPR gives individuals choice about the processing of their data by requiring that, where a use is justified on the basis of consent, the consent be an affirmative indication of the person’s wishes, like ticking an un-checked box, rather than opting people in by default (Art. 4(11), Recital 32). The GDPR also requires that consent be as easy to withdraw as it was to give, at any time (Art. 7(3)), and gives individuals exercisable rights such as the right to erasure (the “right to be forgotten,” Art. 17) and the right to object to direct marketing, to profiling, and to processing justified by legitimate interests (Art. 21).
Post-GDPR bills introduced in the US contain a variety of opt-out rights for individuals. For example, the California Consumer Privacy Act (the “CCPA,” adopted), Nevada’s new opt-out privacy law (SB 220, adopted), and Illinois’ Data Transparency and Privacy Act (HB 3358, defeated) give residents the right to opt out of the sale of their data by covered businesses. The New York Privacy Act (S.5642, alive) goes further and gives residents the right to opt out of any processing, not just the sale of their data. The CCPA and bills in states like Connecticut, Hawaii, Maryland, Massachusetts, Minnesota, Pennsylvania, Rhode Island, Texas, and Washington give residents the right to request erasure of the data organizations hold about them.
Action Item: Determine your organization’s position on the right to be forgotten. Do you want to erase the data of anyone who requests it, regardless of whether the law requires you to? Some organizations will act on such requests voluntarily because (1) data belonging to individuals who don’t wish you to have it isn’t very useful (they probably won’t engage with your organization) and (2) giving individuals choice and control over their data goes a long way toward being a trusted institution. If you do want to honor erasure requests, perform a data audit to determine every place in your organization that data resides, including backups, exports, and third-party processors, so that a request is not satisfied in one system and ignored in another. Determine how you’ll receive these requests; a form on your website or a dedicated email address is always a good method. Decide how you will verify that the requester is who they claim to be before you act, since an unverified erasure request is an easy way for someone else to destroy a constituent’s records (the CCPA speaks of “verifiable” consumer requests, and GDPR Art. 12(6) permits you to ask for information needed to confirm identity). Finally, map out a process for actually deleting or obfuscating the data, and document any records you are legally required to retain so the process knows what it must leave in place.
Note that whether these laws do or will apply to nonprofits depends on the specific law at issue (the CCPA does not; NY’s recent bill and some federal bills may). Irrespective of whether a particular privacy law applies to your organization, once a privacy framework becomes the law of the land for for-profits, constituents will develop an expectation of the same treatment from every organization they deal with. It’s important to understand how constituents want and expect to be treated in order to maintain a relationship of trust with them, and the practices I’ve outlined are a great first step in that direction.
Join Cameron Stoll for her bbcon session “Coming to America–How GDPR is Creeping into US Law and How It Will Affect Your Organization” to learn about other GDPR principles appearing in US legislation and how your organization should prepare. Register today!