Preparing for what’s now and what’s next in
Privacy is now a C-suite issue: US and EU regulators are imposing eye-popping fines and
obligations on companies that do not keep their promises or fail to secure personal data; near-daily
data breaches grab headlines and put corporate brands at risk; and sweeping new state and federal
legislation require changes to corporate operations.
Today, every company is a data company and every organisation must comply with a host of
changing data privacy laws.
Existing privacy laws
The 2018 implementation of the European Union’s General Data Protection Regulation (GDPR)
provided for a single set of data protection rules for all companies controlling or processing the data
of EU residents, regardless of where the companies are based. The stronger data protection gave
people greater rights and control over their personal data. The risk of noncompliance could be
severe. Companies found in violation of this new regulation, regardless of their location, could be
subject to fines equalling 4 percent of annual turnover or €20m (almost $24m), whichever is higher.
The California Consumer Privacy Act (CCPA), which went into effect on 1 January 2020, created
new consumer rights relating to the access to, deletion and sharing of personal information of
California residents collected by businesses.
Even if a company does not operate in the EU or California, its executives must be cognisant of the
important federal privacy and data security obligations arising from the authority of the Federal
Trade Commission (FTC) to prevent deceptive and unfair practices, set forth at Section 5(a) of the
FTC Act.
The FTC has been an active privacy and data security enforcer for many years and is ramping up its
privacy enforcement even further. The FTC has brought hundreds of privacy- and data securityrelated enforcement actions, covering both on- and offline practices and fast-evolving technologies.
Recent, substantial FTC settlements and fines
The $5bn Facebook settlement last year to resolve the Cambridge Analytica matter was the largest
privacy fine in the FTC’s history and the most significant action to date against any company. The
FTC mandated that Facebook must add an independent privacy committee, create a broad privacy
programme and engage in internal and external monitoring. The time period for the settlement is 20
In 2017, nearly half the American population had their personal information hacked from Equifax’s
enormous database in one of the largest publicly disclosed and most serious data breaches. After
outrage from consumers and hearings on the breach, Equifax ultimately settled with the FTC, the
Consumer Financial Protection Bureau (CFPB), and US states and territories for approximately
$575m and created up to $425m for a consumer restitution fund. Equifax has to implement a
comprehensive information security programme as well as engage in security auditing and reporting
New federal legislation on the horizon
As the collection, use and sharing of personal data grows in amount and complexity, and consumers
and businesses are increasingly required to navigate a tangled web of confusing, and often
inconsistent, data privacy regulations from various levels of government, there has been a clamour
for Congress to enact comprehensive federal privacy legislation that will give consumers more
rights, business more uniform obligations and the FTC increased powers.
Federal privacy and data security legislation is viewed by many as inevitable and could happen as
quickly as this year. And, even if an organisation is not subject to the GDPR or CCPA, additional
states are enacting new privacy laws.
The new proposed privacy legislation in both houses of Congress has many similarities to the
CCPA, including obligations about mapping data and giving consumers rights that cover how
companies may use and share customer and employee data. The current Congressional proposals
share an approach that will grant individuals the rights to know, correct, delete and get copies of
data that companies hold about them.
Federal privacy legislation has several goals. One is to provide consumers clarity and visibility into
companies’ data collection, use and sharing practices, as well as choices regarding these practices.
Another important goal is to provide a national, uniform set of protections and consumer rights
throughout the digital economy. Finally, it will strengthen the FTC’s enforcement powers, including
the ability to impose large fines on companies that fail to respect the new host of consumer rights.
How to plan for what’s now and what’s next
How should a company prepare for current privacy obligations and be on top of what is almost
inevitable? An organisation should begin this process now, because if it is inadvertently involved in
federal or state law privacy violations, the fines and penalties can be significant and regulators will
not acceptance ignorance as an excuse.
First, know what kinds of data your company collects and holds. You should be aware of who you
share the data with (such as service providers), why you are sharing data, what the recipient does
with the data, and what you are telling consumers about the data that you have collected. Even if
your organisation is not a consumer-facing company and believes that privacy obligations might not
apply, you may have personal data from other sources, such as clinical research, and you certainly
collect data about your employees, which may also be covered.
Second, determine who has access to the data, for what purposes, and under what terms they are
granted access. This includes employees and third-party service providers that process data or
provide other types of support to your business, such as marketing.
Third, determine what you are telling customers, employees and consumers about what data you
have and how it is controlled. Requests to acquire, store and use data should be transparent and
easily understood. A corporation must describe clearly its reasons for asking for data as well as
explain in an easy-to-understand fashion how long the data will be held and how it will be used.
Consent protocols must be reviewed and, if necessary, updated at collection points. An
organisation’s privacy policies must transparently and openly address the right of consumers to
remove or restrict the use of their data. Terms and conditions and privacy policies should be
accessible and be reviewed and updated if necessary. Finally, you may have to train employees
about how to handle covered data to ensure compliance with new obligations.
Some say that the US does not have a privacy law – a half-truth that executives believe at their
peril. The reality is that all companies already have basic privacy and data security obligations
under the FTC Act, many are covered under GDPR and CCPA, and additional privacy laws are
inevitable. The good news is that some basic steps to understand your data assets and uses will
prepare your company for today’s obligations and for what is coming tomorrow.