StrongKey - Sep 11, 2018

GDPR and CCPA: Data Privacy Is Ready for Its Close-Up

Since May, the “GDPR effect” has been most visible as a flood of emails from your vendors and favorite companies assuring you of how much they care about your privacy. A few asked you to give explicit consent to their new privacy policies so they could stay in touch. Others, especially U.S. companies, merely sent an email along the lines of, “We’ve changed our privacy policy, and if you don’t do anything (i.e., unsubscribe) we assume you agree.” That is implied consent, and GDPR does not accept it as valid consent: consent has to be a clear, affirmative act, and silence or inaction does not count. Many companies didn’t make the effort to comply at all.

What happens next?

Unfortunately for businesses with U.S.-only consumers, delaying compliance is still a risk. The California Consumer Privacy Act (CCPA) has already been passed, and California law tends to be a harbinger of things to come. In 2003 the state enacted the nation’s first breach notification law, requiring businesses to notify affected residents when their unencrypted personal information was exposed. There is still no federal breach notification law, but more than 40 states now have one on their books (thanks to federal inaction).

Given GDPR, the Facebook/Cambridge Analytica revelations, and the other massive data breaches in 2018 alone, it’s possible that CCPA and GDPR are just the beginning of what will eventually become a global standard for data protection. Why? Business. The pressure to protect data keeps increasing, so we are likely to see an uptick in individual state data protection laws here in the U.S. and more laws outside the U.S. and the EU.

Companies will find it cheaper to comply with one global policy modeled on GDPR than with a mishmash of more than 40 inconsistent state laws plus GDPR (not to mention other countries’ laws). So, even though GDPR applies only to EU residents and CCPA only to California residents, these kinds of restrictions on data acquisition, storage and sharing are likely to become an international business problem, not solely a European one.

Do these laws actually make the internet a safe place?

These laws were designed to make companies more aware of what consumer data they hold, where they keep it, and how to handle it more responsibly. So far, however, their most visible effect is on transparency: companies now disclose how, when and where data is used and stored, so the consumer can be more deliberate about what they share. According to a study by researchers at Ruhr-Universität Bochum, Germany and the University of Michigan, Ann Arbor, USA, since GDPR went into effect the most notable change has been “the rise of cookie consent banners, which now greet European web users on more than half of all websites, informing about the websites’ cookie practices.” They go on to note that “While seemingly positive, the increase in transparency may lead to a false sense of privacy and security for users.”

What about StrongKey?

At StrongKey, we believe your data should be safe. It’s what we do every day, and giving a false sense of security just isn’t our thing. Do we have a cookie consent banner? Yes. It links to our privacy policy, which we encourage you to read before deciding for yourself whether we may set cookies. Making sure your data remains uncompromised is StrongKey’s mission. Do we keep sensitive information stored anywhere not directly secured by us? No. We secure the core, the data itself, so that a breach of the systems around it does not expose anything usable.

Worth the wait

We are very aware that GDPR went into effect back in May, and it is now September. We are behind the curve on GDPR compliance not because we wanted to delay the inevitable, but because we wanted to get it right. We re-evaluated our company policies as a whole and decided to wipe the slate clean.

StrongKey wants prospect or partner data only for business decisions and content development intelligence (with explicit consent, of course), and we keep our customer data stored securely onsite, for internal use only, with tightly controlled access. Your data security is the most important thing to us, so we are comfortable knowing that we are working toward a GDPR- and CCPA-compliant system, with policies in place to keep it that way.

To our customers, prospects and partners, we hope this gives you a stronger sense of security. To any other businesses struggling to comply with GDPR or CCPA, we hope this encourages you to move forward and protect consumers’ data, the right way. We are always happy to provide a free security assessment.

Click here to watch a simple breakdown of GDPR's most complicated encryption requirements.