What New U.S. Data Privacy Laws Mean for Business

This article series is underwritten by Symantec and went through our normal editorial review process.

The frequency and intensity of data breaches are on the rise worldwide. More than 4.5 billion records were compromised in the first half of 2018, a 133 percent increase over last year, according to Gemalto’s Breach Level Index. Numbers like these make consumers understandably wary of sharing their personal information with companies, and they also represent a significant risk for the world’s top firms.

The average cost of a data breach globally is $3.86 million, according to a 2018 study conducted by Ponemon Institute on behalf of IBM. But so-called “mega breaches,” in which more than 1 million records are compromised, can cost companies far more. The high-profile Equifax breach—which exposed the personal data of nearly 150 million U.S., U.K. and Canadian consumers—could reportedly cost the company up to $275 million. In its 2016 financial report, Target estimated $292 million in losses as a result of a 2013 data breach that affected roughly 110 million people.

As each of these stories unfold, the public becomes more aware of the breadth of information companies are collecting about them and grows more skeptical that those companies can keep their data secure. Over half of global Internet users are more concerned about their online privacy now than they were a year ago, according to a 2018 survey from the nonprofit think tank Centre for International Governance Innovation (CIGI). Only 9 percent of Americans believe they have “a lot of control” over the information that is collected about them, according to another survey conducted by the Pew Research Center, even as the vast majority feel it’s “very important” to be in control of who can access their personal data.

If social, financial and reputational incentive isn’t enough to stir companies to action, an increasingly robust regulatory landscape may force their hand. Most notably, the European Union’s General Data Protection Regulation (GDPR) became enforceable earlier this year. The GDPR is the world’s most stringent data protection standard to date, and it applies to all companies that serve European citizens—whether the company is based in Europe or not.

For years, privacy advocates called on U.S. lawmakers to implement similar measures to protect user privacy. Though the federal government has yet to pass a GDPR-like mechanism to protect all users’ personal information, new state-level protections carry broad-sweeping implications for U.S. firms.

California leads the way on U.S. data privacy protections

Fittingly, the state that pioneered the technology revolution is now among the first to mandate enhanced consumer data protections. Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 into law in June, which many say will create “the most stringent data protection regime” in the U.S. when it becomes enforceable in 2020.

The legislation will replace a ballot initiative that called for even stricter rules on companies. But sponsoring advocacy organizations like the nonprofit Common Sense and its media arm, Common Sense Media, say it’s a concrete step forward when it comes to safeguarding user  privacy and setting an example for the rest of the country.

“We sponsored the Consumer Privacy Act because we think it’s a good first step toward protecting Californians’ privacy and giving them control over all of their personal information,” said Ariel Fox Johnson, senior counsel on policy and privacy for Common Sense Media.

Specifically, the California law guarantees users’ right to know what data is being collected about them—and why—and allows them to opt out of the sale of their data to third parties. Children under 16, or their legal guardians, must opt in to consent to their data being sold. “Consumers in California will get more information, so they’ll have better awareness of what information is collected,” Fox Johnson told us.

Additionally, the law gives consumers the right to access and download their stored data, transfer it to a competing service, or even delete it, with some exceptions. It also forbids companies to treat customers differently based on whether or not they agree to have their data sold, and consumers are afforded the right to sue in the case of a data breach—in addition to fines levied by the state’s attorney general if a company is found noncompliant. “The key changes are better awareness and transparency, new rights to access ports and delete information and the right to say no—or, if you’re under 16, to opt in for the sale of information,” Fox Johnson explained.

Privacy laws take hold in states across the country

Over the past year, at least 11 additional states introduced new data protection standards or strengthened existing privacy policies, according to the global law firm Norton Rose Fulbright.

In May, Vermont passed the nation’s first law regulating data brokers—essentially companies that collect user data and sell it to third parties, such as advertisers. The law requires data brokers to register with the state and disclose whether users can opt out of the collection, retention and sale of their data. These companies must also ensure their data security protections are up to date and tell the state if a breach occurs.

Both Alabama and South Dakota enacted their first data breach notification laws this year—which require businesses to notify consumers if their personal information is compromised. With those new regulations on the books, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have now enacted some form of a data breach notification standard, according to Norton Rose Fulbright.

Additionally, states like Oregon, Colorado, Arizona and Virginia expanded their definitions of personal information and increased oversight on third parties. Others, including New Jersey and Rhode Island, are looking to go even further with sweeping privacy standards that mirror California’s. Fox Johnson expects this trend to continue as rising consumer awareness pushes lawmakers off the sidelines. “People are starting to understand more and more the various ways that companies can use and misuse individuals’ data, so I expect that we will see more privacy laws on the horizon,” she told 3p, adding that many state lawmakers are “looking to California as a model.”

What this means for U.S. companies

Virtually every major American company does business in California. Complying with the new law will require these firms to either change how they collect and handle all user data, or figure out a way to manage Californians’ data differently from everyone else’s. “That last option can be more expensive for companies, and could disgruntle non-Californian customers should they be given fewer data privacy options,” Dipayan Ghosh, a fellow at New America and Harvard University’s John F. Kennedy School of Government, wrote in the Harvard Business Review.

With similar standards in the legislative pipeline across the country, companies would be wise to forgo a pathwork solution in favor of meaningful reforms that protect user privacy and work to rebuild consumer trust. “As a consumer advocate, I think companies should always do what they can to protect user privacy, whether or not they’re required to do so by law,” Fox Johnson said. “And as consumers are growing more aware of privacy risks and more concerned about privacy, businesses are seeing a value-add in doing the right thing.”

Indeed, more than 60 percent of business leaders whose companies were early adopters of the GDPR say they’re embracing the European regulation as a business opportunity rather than an impediment, according to another IBM survey. Thirteen members of the Forbes Technology Council, a community for senior-level technology executives, offered similar feedback about the California regulation.

“After endless creepy pop-up ads, consumers are savvier and more suspicious than ever,” Elizabeth Duke, EVP and chief marketing officer for the facilities management software company iOffice, told Forbes in August. “Now that the genie is out of the bottle, we expect these laws to get tighter and more consumer-focused. However, it may take local legislatures, which are less tech-focused than California, more time to pass new laws.”