First, a little backstory on the General Data Protection Regulation (GDPR) for those who’ve been living under an analog rock… The GDPR was drafted and implemented to give people in the EU control over their personal data. It applies to organizations established in the EU and, regardless of where they are located, to organizations that offer goods or services to people in the EU (more precisely the European Economic Area, EEA) or monitor their behavior there; citizenship does not matter, presence in the EU does. The net of this legislation is that 1) personal data may only be processed on a lawful basis (consent is the best-known one, but performance of a contract, a legal obligation and legitimate interests are among the others), and 2) where processing rests on consent, that consent must be freely given and specific, and may be withdrawn at any time, at which point the processing must stop.
While we at Enilon love working with data, we also love our (and your) ability to choose how our personal data is used. So the GDPR idea, in principle, is a good thing.
Apparently, California feels the same way.
The timeline for this law is impressive. It began as an idea in 2016, became a ballot initiative in Q4 2017, received its official Title & Summary from the State of California in December 2017, and was submitted formally in May 2018 with almost double the required signatures. Rather than let the initiative go to the November ballot, the legislature passed AB 375 and Governor Jerry Brown signed it into law on June 28, 2018, paving the way for Californians to control their personal data in much the same way their European counterparts do by way of the California Consumer Privacy Act (CCPA).
The CCPA won’t take effect until January 1, 2020, and the text that was signed will almost certainly be amended before then, since lawmakers on both sides of the argument expect to keep working on it. As signed, it applies to for-profit businesses that do business in California and meet at least one of three thresholds: more than $25 million in annual gross revenue; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices a year; or deriving 50 percent or more of annual revenue from selling consumers’ personal information. Those thresholds still leave plenty to argue about, starting with what “doing business in California” means in practice: what if your servers are located in Montana? What if you have a single customer based in California? What if one of the service providers handling your data is based in California (or outside it)? And the list goes on… This is an evolving matter that merits close attention from anyone who processes personal data in the US.
Which brings us to the question: who is affected by this? Potentially everyone. The law protects “consumers”, and the definition as signed is residency-based: a natural person who is a California resident, which as of 2017 is about 12% of the US population. In practice that leaves you two options: 1) use the signals you have (IP geolocation, billing or shipping address, account profile) to identify Californian users and serve them the appropriate data policies and rights, or 2) apply the California standard to all of your users by default. The first option is fragile: IP geolocation is approximate at best, and VPNs, corporate proxies and mobile carrier NAT routinely place users in the wrong state, so a California resident traveling or tunneling through another state would be missed. Many companies will find the second option simpler, and safer, than trying to draw the line per request.
So, what are the implications for your business? Two points. First, the numbers attached to GDPR are large: the regulation allows fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The headline EU penalties against Google that get cited alongside it, the roughly $5B (€4.34B) Android fine of July 2018 (pending appeal) and the $2.7B (€2.42B) Google Shopping fine of June 2017, were antitrust fines under EU competition law rather than GDPR enforcement actions, but they show the scale at which the EU is willing to act against large technology companies. Second, the CCPA as signed comes with its own enforcement model: civil penalties enforced by the California Attorney General of up to $2,500 per violation, or $7,500 per intentional violation, plus a private right of action for consumers whose personal information is exposed in a data breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident. Per-violation and per-consumer figures add up quickly against a large user base.
While most middle-market companies based in the US conduct the bulk of their business in the US, and can ignore GDPR only if they neither offer goods or services to people in the EU nor monitor their behavior there (an online shop that ships to the EU, or analytics that profile EU visitors, is enough to be caught), the whirlwind success of the CCPA signifies that an undeniable change is coming, and smart companies will get ahead of it instead of playing the costly game of catch-up.
If you’d like to have a conversation about how to go about attaining compliance for CCPA & GDPR, drop us a line – we’re listening!