The Evolving Data Privacy Landscape: GDPR, CCPA and Similar Data Protection Laws

Since the General Data Protection Regulation (GDPR) took effect in May 2018, companies around the globe have been struggling to understand and meet the standards of this regulation, while additional legislation around the world continues to evolve and new policies are passed into law.

Data privacy, protection and security have never been more important, or more confusing. “Companies need to be aware of legislations that are pending and on the cusp of being enacted, and they should be prepared to adapt quickly to the changing landscape of data privacy," advises DFIN's Chief Information Security Office, Dannie Combs. In this article, we dive deeper into some recent changes in the data privacy landscape, share resources that will help you stay ahead of the constant evolution and list out new legislations that are on the horizon.

The GDPR: A baseline for data privacy and global compliance

Lawmakers in Europe passed one of the strongest measures we've seen, so far, concerning the data privacy rights of citizens and residents, in a way that reaches far beyond their own borders. The European Union’s GDPR was the first regulation to make data security a worldwide priority and concern for leaders and customers alike.

The GDPR's intentionally broad reach, made it the pulse of the data protection and security industry, and compliance is a marker of a secure organization. While the regulation is mandated by the E.U., its requirements affect organizations that may not have operations in Europe. In other words, any entity processing the personal information for even a single individual who is a citizen or resident of the EU must comply with the regulation.

There are now more than 120 countries, two-thirds of the world, with national data-protection laws and that number continues to grow at a rapid pace.

Compared with past privacy regulations, the GDPR has more stringent enforcement mechanisms and carries larger fines for non-compliance. The financial penalties for data protection violations have increased exponentially, and even accidental data breaches that are not dealt with immediately will place organizations at greater legal risk than before. A study conducted by the Ponemon Institute, a research firm, and security company GlobalScape, found the annual cost of non-compliance to businesses runs an average of $14.8 million. The steep price tag of financial penalties can range anywhere from $2.2 to $39.2 million; it’s certainly pushing organizations to adapt and ensure they are compliant.

Under the GDPR, the concept of an individual’s privacy has shifted from simply a legal concern to a technology and security issue that demands attention from senior management and boards. These concerns continue to grow as governing bodies develop legislation, pass additional privacy acts and raise expectations around the world. There are now more than 120 countries, two-thirds of the world, with national data-protection laws, and that number continues to grow at a rapid pace. Staying on top of the changes is critical to the success of a company’s risk and compliance management program, as well as ensuring customer data and personal information is protected.

U.S. Data Privacy Laws are Sweeping the Nation

It’s important to recognize many of the same pressures that prompted the European regulation are growing globally, and rapidly in the United States. While the U.S. doesn’t currently have a general consumer data privacy law at the federal level, a few states come close to addressing consumer data privacy in the extensive way the E.U. does with the GDPR.

In the United States, one-third of states have either begun the legislative process or enacted a data privacy law, and there is no indication of this momentum slowing down. One of the more notable regulations in the U.S. is the California Consumer Privacy Act (CCPA).

The CCPA is a statute that was passed in 2018 and went into effect in January 2020. It has positioned California at the top of the list for the toughest data rules in the country. While the statute does have similarities to the GDPR, namely, both regulations give customers the right to access and/or delete their data and the right to opt-out of data collection, at a high-level there are a couple important differences to note that are specific to the CCPA:

  1. The CCPA does not grant consumers the right to correct or rectify incorrect personal data, while the GDPR grants this right.
  2. The CCPA asks that a privacy notice be made available on the website informing consumers they have a right to opt-out of certain data collection, while the GDPR requires explicit consent when consumers hand over their data.

For more information, the International Association of Privacy Professionals (IAPP), the largest global information privacy community, created a detailed and easy to follow “What to disclose and where to disclose it” for the CCPA. 

Increasing Numbers of U.S. Data Privacy Laws on the Horizon

What’s clear is this: the GDPR was the first building block in a much larger, quickly evolving landscape. As data privacy and data protection continues to sweep the globe this is not a movement to be overlooked.
It’s not surprising that after California passed their privacy act – currently identified as the most comprehensive, internet-focused, data privacy legislation in the U.S. – many other states have followed suit. These new legislations will undoubtedly, significantly impact the way organizations in the U.S. and abroad think about data privacy.

Below is a list of states with recently enacted legislation or have bills pending:

  • Nevada – updated privacy law – October 1, 2019
  • California – Consumer Protection Act (CCPA) – January 1, 2020
  • Maine – Act to Protect the Privacy of Online Consumer Information – July 1, 2020
  • Massachusetts – adding a CCPA-like bill to existing privacy law passed in 2010, which would create a comprehensive consumer privacy act – currently pending
  • New Hampshire – introduced on January 8, 2020, New Hampshire’s law is closely aligned with the CCPA – the draft bill’s effective date is currently January 2021
  • New York – New York Stop Hack and Improve Electronic Data Security Act (NY SHIELD) – March 2020; New York Privacy Act – would rival CCPA as the most comprehensive privacy act enacted – currently pending
  • Additional states with bills in the legislative process include: Connecticut, Florida, Hawaii, Illinois Maine, Maryland, Nebraska, North Dakota, Texas and Washington

What’s Next?

Beyond the United States, the two most populous countries in the world, China and India, are expected to have new data protections rules in place this year. Not to mention, other countries including Brazil, Canada, Japan and South Korea, may also pass, revise or make effective national privacy laws in 2020.

What’s clear is this: the GDPR was the first building block in a much larger, quickly evolving landscape. As data privacy and data protection continues to sweep the globe this is not a movement to be overlooked. Now is the time for organizations to put a greater emphasis on their practices and stay vigilant. Dannie Combs, chief information security officer, emphasizes the significance of being adept in the current climate. "There are a number of new legislations — on the cusp of passing or have recently become enforceable — that are demanding a change to the way consumer data is collected, used and secured. Developing a strong foundation of best practices around data privacy policies and technical architectures, including the next-generation technologies, are necessary to identify and mitigate today's ever increasing and complicated threats.”