July 10, 2018

Is GDPR Coming to America?

At our inaugural Compliance Summit earlier this summer, we hosted several panels across a variety of topics and sectors. Regardless of industry or niche, there was a common theme to the day’s conversations: General Data Protection Regulation (GDPR). The consensus was that GDPR is a game changer—and not just for the EU.

Normally when we have a new regulation that raises the bar as GDPR does, there is a wide range of disparate views expressed about its importance, impact, and the like. With GDPR, however, opinions have been surprisingly similar: it is by and large a Big Deal. Some of the core tenets expressed include the following:

  • GDPR is wide-ranging legislation that will impact not only every business in the EU, but will likely have far-reaching effects in the US as well as in other countries conducting business with the EU.
  • GDPR affords consumers significantly more control and protections over the collection and use of their data than existing standards allow.
  • Data protection under GDPR is tougher and fines for non-compliance are significantly more onerous than like-minded sanctions have previously been.
  • Most companies are playing catch-up and are not prepared or compliant with GDPR; in fact, many in the US do not even understand the implications for their businesses.
  • Lastly, the general belief was that GDPR (or something comparable) will take root in other jurisdictions as a result.

Relative to the last point, the state of California signed into law on 28 June 2018 a new major privacy bill that represents the most stringent confidentiality requirements of any US state. The law goes into effect on 1 January 2020 and gives US-based consumers unprecedented power over their data, including the rights to:

  • Know what data is collected on you;
  • Refuse to allow companies to sell your data;
  • Force companies to delete private data they collected on you; and
  • Prohibit the sale of minors’ data without prior consent.

Moreover, by exercising one’s rights under this new law, companies cannot penalize consumers and those companies will be held liable for violations and data breaches.

Until the new law goes into effect in 2020, there will undoubtedly be changes, clarifications, and compromises. But on the whole, this is a major leap forward for data protection and privacy in the US and we expect that it will be contagious. In the meantime, cybersecurity assessment and consulting firms stand to benefit as companies seek their guidance on how to best prepare, comply, and mitigate intermediate risks.