Last week, Apple’s CEO Tim Cook made headlines with a passionate and forceful speech in which he called for sweeping digital privacy laws in the US. He warned that the collection of massive amounts of consumers’ personal data by companies is detrimental to society, and brought up an important discrepancy between knowledge and the lack of a respectful, mutual relationship between companies and their consumers.
Consumers’ Knowledge of Their Privacy Rights — And Their Lack Thereof
While consumers are increasingly aware of the risk to their private information like passwords and credit cards, and that some companies might not be honoring their privacy rights, it’s also clear they do not quite understand what these rights are — or how they can exercise them.
Businesses bear a responsibility to consumers. Companies must be vigilant in incorporating both privacy and security protections into their design and quality assurance practices. They must also create policies, training programs and automated controls to prevent inappropriate access to sensitive data and to monitor its access, use and protection — whether that data is regulated or not. This will not only help mitigate the risk of regulatory penalties and consequences, but it will also prevent unnecessary erosion of employee and consumer confidence in the organization as the result of a data breach.
However, outside of protecting systems from hackers, companies have an additional obligation to act as good corporate citizens. This includes not just protecting their customers’ information, but also communicating clearly with them about how their information will be used, stored and protected. Regulators around the world have made it clear that giving is not the same as taking — meaning just because consumers give a company their private information, companies do not have the right to take that information and use it any way they see fit.
Instead, companies must clearly communicate what they plan to do with the private information consumers provide them with. And, if they change those practices, they must notify consumers and give them the ability to again choose whether to submit or withdraw their data.
Where Does a Federal Privacy Law Fit Into All of This?
Ever since GDPR was implemented and the California Consumer Privacy Act (CCPA) was introduced earlier this year, there has been an increased push for federal data privacy legislation. The CCPA in particular is a major step toward a federal privacy law, as California’s new law is without a doubt the strictest privacy bill in US history and provides consumers with new rights that are very similar to the rights that GDPR granted to European residents earlier this year.
By moving so rapidly to enact the law, California demonstrated to other states — and even countries — that privacy is a top priority for both citizens and legislators who want to be on the right side of history. As a result of the positive response and growing popularity of this law, it’s likely we will see some form of federal privacy legislation implemented over the next few years. There’s even a strong possibility that some sort of federal privacy law could preempt efforts from states following California’s lead to create their own data privacy and compliance laws.
Get a Head Start in Complying with a Potential Federal Law
Because the possibility of a federal privacy law is so strong, businesses may consider getting ahead of the game and begin preparing for it now — or at the very least, lay the groundwork for complying with the California Consumer Privacy Act, if they’re impacted by it. While the CCPA isn’t going into effect until January 1, 2020, and could potentially be amended before its implementation date, the impact on companies will likely be immediate. Businesses should start preparing for it now.
As we saw with the implementation of GDPR, building a comprehensive privacy program that addresses a sweeping regulatory change consumes both time and resources. It’s no small undertaking. In fact, it requires a major shift for many companies, even those with a privacy program in place. New obligations for CIOs, CISOs and businesses as a whole mean that if you put off preparing for the impact of the law until the official implementation year or date, in many cases you'll be too late.
Remember that compliance is a journey, not a destination. Whether an organization is subject to external regulatory compliance from an outside source (such as a government agency, statute or law), or seeks to comply with its own organization-specific mandates and policies, compliance requires not just conforming to the outlined regulations, but also proving your organization has done so.
This is typically achieved through the development of organizational policies that map out the expected behaviors. The real challenge, however, comes from the intersection of policy and practice. Regardless of the source of the mandate, all organizations must decide how to enforce the policies and measure their effectiveness.
Companies often make the mistake of carving out individual teams that are responsible for privacy and security. However, data protection is everyone’s job. Hackers only need to be right once to gain access to your information, while your security team needs to get their defenses right every time. By making security the job of every employee and building out top-down support starting with executives, you will create a true culture of compliance and have an army of employees to protect your data — meaning hackers will have a much harder time getting hold of your company’s information.
At the end of the day, Cook’s speech last week was a wake-up call for all professionals, consumers and businesses who are failing to pay attention to the current privacy crisis taking place in our society. By bringing these issues to light and demanding more comprehensive US federal privacy legislation, Cook reignited an important conversation about consumers’ privacy rights and moved the needle further toward what now seems like an inevitable federal privacy law.