Whether you’re referring to personal or professional information, keeping data private and confidential could be what stands between you and a cyber security attack—or a legal battle.
Either way, privacy acts are necessary for enforcing these requirements, and two of these policies have started shaping the landscape of cyber security legislation.
Note: There are a lot of acronyms associated with cyber security legislation, but I’ve done my best to keep this blog post from being just an alphabet soup of acronyms.
What do I need to know about the two main pieces of data privacy legislation?
The two primary legislative pieces we’ll cover in this blog post are the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Both give consumers more control over how businesses use their data.
The CCPA, which went into effect in January 2020, secures privacy rights for California consumers, and even businesses outside of California must comply with the regulation if they do business with California residents.
It includes the following provisions.
- The right to know about personal information being collected and how it is used/shared.
- The right to delete personal information (with some exceptions).
- The right to opt out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
What type of personal information is covered by CCPA?
Information such as your name, Social Security number, email, product purchase history, browser history, geographic data, fingerprints, and other types of personally identifiable information (PII) that could help create a profile of your identity is covered by the CCPA.
It does not include publicly available information like real estate, professional license, or government records.
The General Data Protection Regulation (effective May 2018) affects how data is stored, transferred, and processed. It is an EU regulation, but if you’re doing business globally, it’s something to pay attention to. For some, it may even mean making changes to your network and cyber security strategies.
Under GDPR, data gathered must be:
- Processed lawfully, fairly, and transparently
- Collected for specific, explicit, legitimate purposes and not beyond the scope of that use
- Adequate, relevant, and limited only to what is necessary
- Accurate, and when necessary, kept updated
- Kept no longer than necessary, otherwise archived appropriately
- Processed securely and protected against accidental loss or damage
What happens if CCPA or GDPR are violated?
There are repercussions to violating either of these laws, which are detailed below.
For any unintentional violations of CCPA, you can expect to pay $2,500. Intentional penalties jump to $7,500.
Penalties for violating GDPR are much more substantial: you can be fined up to 20 million Euros or 4% of your annual worldwide turnover, whichever is greater.
Those are steep fines! Do you see why being aware of and following cyber security and data privacy regulations is important for your business?
What other pieces of data privacy and cyber security legislation should I pay attention to?
The two regulations mentioned above aren’t the only ones out there. Several are making their way stateside, with New York, Nevada, and Maine being just a few states adding to the list.
They aren’t limited to data privacy, either; some address cyber security awareness in a broader sense, too.
In March 2020, the state of New York followed California by passing the “Stop Hacks and Improve Electronic Data Security,” or SHIELD, Act.
Under this act, businesses are required to designate and coordinate a data security program. The initiative must include:
- Employee training
- Risk assessment
- Vetting providers
- Protecting private information
Executive order on cyber security
In May 2021, President Biden signed an executive order on cyber security. It took a further step in the right direction for the federal government and its data and systems, and it offers insight into what businesses will want to focus on going forward, too.
You can read more about the new requirements included in the EO on our blog.
The wheels of government may turn slowly, but cyber threats evolve every single day
The most important thing you can do is to stay ahead of them, no matter what legislation is out there.
What do you think we’ll see in cyber security and data privacy legislation in the next two years? Tell us in the comments!