States Raise Stakes in GDPR-Inspired Privacy Laws

GDPR may be least of privacy compliance woes; here come state privacy laws.

Pam Baker

May 2, 2019


Leading the way among the state GDPR-like privacy laws is the California Consumer Privacy Act (CCPA), and other states are quickly following suit. Yet several studies say that many companies are still struggling to comply with the EU General Data Protection Regulation (GDPR). How likely are they, then, to meet additional state mandates?

The International Association of Privacy Professionals (IAPP) says there are plenty of studies showing that a frightening number of companies are struggling to comply with GDPR. One of them is an April 2018 Ponemon Institute survey sponsored by the international law firm McDermott Will & Emery. That study found that “40% expect to become compliant after the deadline” and “8% of companies were not sure when they will achieve compliance.”


“We still have too little time and it’s a year later,” said Mark Schreiber, CIPP/US, co-chair of McDermott Will & Emery’s Privacy and Security practice, in an IAPP report on GDPR a year later. “We expect 50% of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.”

Now state laws are entering the picture, making it even harder for companies to comply with all of them. Some say GDPR is the impetus for the recent rash of state privacy laws, but it is more a model than a motivator. What actually spurred outrage and a demand for more privacy protections in the U.S. was rampant, hidden data collection and data sharing by social media giants.


“The privacy law push started with the revelations of social media data sharing in 2017. The GDPR was a model for California law and may be a model for a U.S. national privacy law. But the real push was not from GDPR,” says Mark Houpt, CISO for DataBank.

The CCPA was the first of the state laws to appear. It takes effect in a few months, on January 1, 2020, but enforcement does not begin until “six months after the publication of the final regulations or July 1, 2020, whichever is sooner.” Other state laws are following close behind, such as the Washington State Privacy Act. It is not yet law, as it still has to clear the state House; the state Senate voted 46 to 1 in favor of the bill, and no one expects any problem with its passing in the House either.

The IAPP conducted a survey to see where companies stood on potential compliance with the looming CCPA. “Rating CCPA preparedness level on a scale of 0 to 10, the average response was about 4.75,” says the report. The biggest obstacle to compliance is “a lack of time and bandwidth,” which is not surprising given that GDPR compliance is consuming both. However, the CCPA is “heralded as the most comprehensive privacy law in the U.S. ever,” according to the IAPP, so it cannot be treated as an aside to GDPR compliance efforts.

The IAPP finds that privacy professionals are determined to protect their company’s reputation and are giving the CCPA serious attention. Some are counting on wiggle room in complying with the CCPA, while others hope to get ahead by reusing some of the GDPR work they have already completed.

“Not surprisingly, organizations that feel most comfortable leveraging their GDPR compliance efforts for CCPA compliance also tend to project earlier CCPA compliance dates, some as early as this summer. Meanwhile, organizations that are most likely to lack time and bandwidth and to struggle with the CCPA’s complexity report compliance targets as late as July 1, 2020 [the enforcement date], and beyond,” finds the IAPP report.

Failure to comply can be pricey. Under Section 1798.155(b) of the California Civil Code, civil penalties for CCPA violations run up to $2,500 per violation and up to $7,500 per intentional violation.


About the Author

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
