California Privacy Act, EU eprivacy, GDPR….

September 17th, 2018 by Stephen Jones Leave a reply »

The California Consumer Privacy Act of 2018 still doesn’t have either the public awareness nor the multi-year time to prepare as the EU’s GDPR.
Nonetheless, it will have a similarly huge significant impact on organizations that do business in the state of California.

Why should you care? Well California is the world’s fifth-largest economy, so that means it affects pretty much everyone.
Businesses – including yours- have less than two years until the January 2020 compliant deadline

Organizations are constantly at risk of paying a hefty penalty for not complying with rules and regulations that dictate how they should operate and do business.
A recent research by the Ponemon Institute and GlobalScape entitled, “The True Cost of Compliance with Data Protection Regulations” concluded that the average cost of non-compliance is now $14.82 million annually (a 45 percent increase from 2011) and is 2.71 times higher than the cost of compliance.

This means organizations are better off making the necessary investments on people, process and technology to comply with Data Protection regulations than incurring the cost of non-compliance. It’s clear that the topic of compliance is broader than just Data Protection regulations and covers other global and regional regulations, industry-specific mandates and trading partner specific contracts.

The worry is conflicting standards and how to stay abreast of everything. Colorado is also bringing out similar legislation. The UAE has also signalled that it may follow GDPR. This major implications for companies in areas of contract, insurance of liability, training, master data management, software security, encyrption, back up, policies, administration …… and a lot more cost. This not going away and it easier to start now – a plan t0 shut the stable door only after the horse has bolted is not a strategy,

An even stricter privacy law, known as ePrivacy Regulation, is currently pending abroad. The law, was approved in the last quarter of 2017 by the European Parliament and is currently under review by the Council of the European Union. While the policymakers had hoped that the ePrivacy Regulation would enter into force on GDPR Day, this obviously didn’t happened. In a nutshell, the ePrivacy Regulation is lex specialis to the General Data Protection Regulation (“GDPR”). While the GDPR applies to all categories of personal data—hard copy and electronic—the ePrivacy Regulation will typically only apply to electronic communications data, a subset. The Regulation, if adopted, would cover not only traditional telecommunications operators and providers of electronic communication services but also “over-the-top” communications services

It requires explicit consent from users for all messaging services—things like Apple’s iMessage, Facebook’s WhatsApp, and Microsoft’s Skype—before companies can place tracking codes on their devices or collect data about their electronic communications. In other words, a company could only collect data or metadata about users’ communications online when they get their explicit consent to use it for a specific purpose. When someone declines to share their data, companies will be required to provide them with the same service as someone who consents. The law was scheduled to go into effect this year, but has been held up by negotiations.

The ePrivacy regulation is an update to the standing ePrivacy Directive, which was originally put into place to guarantee “right to privacy in the electronic communication sector,” according to the directive. The directive originally focused mainly on email and SMS messages, but the proposed regulation would also address data privacy in services like WhatsApp, Facebook Messenger, and Skype, along with Internet of Things (IoT) devices.
Additionally, the ePrivacy regulation will also protect metadata associated with electronic communications .

ePrivacy includes non-personal data. GDPR is laser-focused on the protection of personal data, but the ePrivacy regulation is focused more broadly on the confidentiality of communications, “which may also contain non-personal data and data related to a legal person,” the proposal states. The original ePrivacy Directive is often referred to as the “cookie law” because it imposed the need for informed consent before a firm could track an internet user with cookies. The regulation will add new clarifications and simplifications for the consent rule, along with other new tools for protecting against unwanted communication tracking and more.

Both GDPR and the proposed ePrivacy regulation reflect similar aspects of privacy, but they do so from the perspective of different legal charters. The basis for the ePrivacy regulation are Article 16 and Article 114 of the Treaty on the Functioning of the European Union. However, it also reflects part of Article 7 of the Charter of Fundamental Rights: “Everyone has the right to respect for his or her private and family life, home and communications.” GDPR, on the other hand, is based on Article 8 of the European Charter of Human Rights, which states: “Everyone has the right to respect for his private and family life, his home and his correspondence.” However, for ePrivacy, the proposal notes that the meaning and scope of Article 7 of the Charter of Fundamental Rights shall be regarded in the same way as Article 8 from the European Charter of Human Rights

Consent is just one of six lawful grounds for processing data under GDPR. If one of the other five grounds applies, consent might not be required.

The other five legal grounds are:
•Processing being required to fulfil a contract with a data subject.
•Having a legal obligation, the fulfilment of which requires you to process user data.
•Needing to process data to protect someone’s life.
•Processing being required to carry out a task in the public interest.
•Requiring data processing in order to protect your legitimate interests, or those of a third party (unless those interests clash with a good reason to protect user data).

If none of these other grounds applies then, clear consent must be given to process personal data for each specific purpose.

How you ask for consent forms a big part of the regulation. It must be presented with these features:
• Unbundled: No lumping consent for one usage of data in with another. This is particularly relevant to collecting data for marketing.
• Active opt-in: No pre-ticked boxes, with binary in/out options given the same prominence.
• Granular: Each type of data usage needs to be consented to separately.
• Named: All organisations involved in handling the data being collected must be listed by name, especially third-parties.
• Easy to withdraw: Withdrawing consent needs to be at least as easy as giving it.


Comments are closed.