Just as I was settling into a relaxed mode, whereby I was about to spend the summer watching soccer, waiting to see the first GDPR related law-suits and fines, legislation over privacy took a new step forward, in California.
bill, slated to come into effect on 1 January 2020, focuses on data privacy protection and is, to date, America's most far-reaching law to give consumers more control over their personal data. It requires companies to be more transparent with their consumers on how they treat their data, and grants customers the following rights:
- to know what data is being collected on them; and to consent to their data being sold to third-party;
- to access, download or transfer their personal information;
- to compel companies to delete private data that companies collect on them
Yet, the interesting part of this law is not so much about the fact that some of its content is inspired from the GDPR, but rather how deeply it will shake things up for American companies.
An American or a Californian privacy bill?
Indeed, the extent of the bill's applicability is of interest. Even though, by law, organizations need only focus on Californian citizens, are we really to expect that they will segregate their data to that level of precision? I mean, wouldn't it be easier for them to just apply the highest privacy standard for all their customers, instead of combing through their data to isolate Californian users and then maintaining different data sets?
And what about the PR disaster that would result should it be revealed that not all US citizens' data is treated equally?
Transparency and Practicality
Segmenting data for compliance reasons is already practiced by most organizations, as they need to comply to more than one regulation – whether for privacy, security or book-keeping purposes with PCI, HIPAA, or Dodd-Frank. For this reason, NICE has put together the
Compliance Center so that IT users can easily tag and retrieve data, as well as automate the management of compliance policies.
From a technical perspective, the Compliance Center users can tag the customers data in such a way that enables the system to apply different policies for Californian customers only. Yet, it seems preferable to extend best practices across the whole customers base. Not only for PR reasons, but also because the bill is likely to extend to several states in the near future.
Our customers who have adopted the Compliance Center for GDPR and other privacy regulations, have chosen to apply the requested policies for data deletion requests for all their customer base. It is common practice to apply the most stringent regulation to ensure compliance instead of taking risks. This is also what we would recommend to our US users.
Despite the political climate, it seems privacy related regulations are gaining momentum in the US, and it is a trend that enterprises should be aware of. At NICE, we seek to make it easier for organizations to be compliant, with mission-critical solutions such as the
Compliance Center. The latter offers dedicated packages for specific regulations ranging from privacy to
PCI and evidence keeping, making sure our customers are covered no matter what the future holds in terms of regulatory requirements.