The Coming Crackdowns: Why 2019 will be a Banner Year for Data Privacy
As each year draws to a close, Webroot conducts an unofficial poll of threat analysts, legal experts and industry veterans about their predictions for the coming year. This year’s responses ran the gamut from the terrifying (a state-sponsored cyberattack on the critical infrastructure of another sovereign nation) to the hopeful (the establishment of a regulatory authority for IoT security).
One clear consensus that emerged, though, is that data privacy regulation will have its day in the spotlight in 2019. There were varying opinions on what form regulation would take, how it would be enforced to rein in the nation’s tech behemoths and how strict accompanying penalties would be.
But, again and again, the experts at Webroot predicted that crackdowns are coming.
The Right Climate for Data Security Conversations
As ire continues to build over Facebook’s handling of misinformation leading up to the 2016 U.S. presidential election, and how the company uses advertising data more broadly, regulators are increasingly discussing the possibility of a GDPR-esque bill to reclaim data privacy for American consumers.
In some sense, momentum is already building. This summer California Gov. Jerry Brown signed into law the Consumer Privacy Act. “GDPR Lite,” as it’s been called, contains some of the key provisions of its European counterpart. It requires that companies inform consumers what data is being collected about them, why and who it’s being shared with. Consumers can request their data be deleted at any time, and that it not be sold or shared. Data from anyone under the age of 16 can also no longer be sold without explicit consent.
What the regulation noticeably lacks, though, is GDPR’s teeth. While the Consumer Privacy Act allows consumers to hold corporations responsible to some degree for the misuse of private data, they can sue only for up to $750 in each instance, which the state attorney general can raise to $7,500 as that office sees fit. It’s a far cry from GDPR’s 4 percent of annual global turnover or €20 million, whichever is greater. To really rein in the likes of Amazon, Google or Facebook, fines will need to increase.
An additional variable in the scope and severity of any upcoming data privacy regulation will be whether change comes at the federal level or is left up to the states. While it may be a moot point if the seat of Silicon Valley takes the lead, regulation at the federal level would come more swiftly and be more comprehensively binding.
What It All Means for Businesses
As businesses with customers in the European Union know, you don’t have to be a tech giant to be affected by new data privacy regulations. Like any transition, it can be bumpy. But there are ways to facilitate compliance.
An immediate takeaway if new legislation is signed in the year ahead should be the need to beef up cybersecurity. If you collect personally identifiable information, you will be held responsible for its use or misuse. Adopting a comprehensive, layered cybersecurity posture will be essential in preventing a ruinous breach.
Ongoing cybersecurity awareness courses will also prove incredibly useful during a transition period. Compliance courses for GDPR or new legislation will help ensure company-wide understanding and adoption, and potentially shield owners from fines and other penalties.
This guest blog is part of a Channel Futures sponsorship.