We have now passed a couple of years of GDPR enforcement, and today the California Consumer Privacy Act (CCPA) will also take effect.
The result of the former has been a net increase in data breach notifications across European businesses. One exception has been in the UK, according to a Linklaters report, which has seen an almost 20% decrease in notifications after a comparatively busier period during year one. This might be due to a case of over-reporting soon after GDPR began, followed by subsequent warnings against this excess by the UK data protection agency ICO. Hesitation among uncertain entities might account for the lower numbers. That includes a mere single fine in the UK in the past year, much less than their neighbors under GDPR.
What’s interesting is that these other European countries, especially France and Spain, have had the exact opposite trajectory, with increases of 97% and 58% respectively. Linklaters offers the explanation that organizations here might be more aware of their duties, or that these countries are still playing it safe and notifying everyone about everything. So it appears that different nations are still acting on different bars or thresholds when it comes to what they report to regulators. If GDPR was intended to bring uniformity, it still has a ways to go.
How CCPA will fare remains to be seen once implemented today. For businesses that collect California residents’ data, non-compliance for more than 30 days will be met with $2,500-7,500 fines per violation. On top of this and everything else in play, this November, another piece of legislation will be up for a vote. The California Rights Privacy Act (CRPA), if approved, would give people even more control over their data privacy, including power of restriction over the use of sensitive data like Social Security numbers, union membership, genetics, orientations…really just about any aspect of life you can think of, it sounds like. In addition, CRPA would shift enforcement power from the state AG to a newly created agency. Such a move would be an even stricter emulation of what Europe has going on with GDPR implementation and enforcement.
Considering how people can already opt out of certain data sharing practices under CCPA, it’s clear that the regulatory landscape is constantly changing. Businesses need to remain cognizant of their own policies, security and compliance if they wish to meet the challenges these new laws will bring.