Privacy is so essential, yet it seems that there’s a lack of enforcement. Look at the huge data breach of Equifax in 2017. More than 148 million people’s personal information was exposed in that breach. Social Security numbers, dates of birth, driver’s license information, credit card numbers, and phone numbers were part of this breach.
A year later, little has changed. While a bill passed that made credit freezes and thaws free of charge, Equifax dodged any fines. Instead, they had to improve their security.
It seems that every time you open the news, there’s been another breach. Marriott International and Facebook both were breached due to weak security in 2018. Facebook also faced another incident in 2019 when they accidentally uploaded 1.5 million Facebook users’ email contacts.
In 2016, the European Union decided to do something about privacy for people living in Europe. The Parliament passed the General Data Protection Regulation (GDPR). The goal was to have data protection requirements that all individuals, organizations, and companies must obey. Companies were given two years to become compliant. Those that didn’t comply face stiff fines. Enforcement of the GDPR began on May 25, 2018.
People wonder if the U.S. will ever do the same. There seemed to be hope when the House and Senate agreed to hear arguments about protecting consumers’ data. How soon it could happen is up for debate.
What Are the Data Protection Rules in Europe Now?
If a site or service that a consumer is using relies on automated algorithms to determine an outcome, that has to be made clear. This is a common practice when it comes to instant loan or credit card approvals.
Some breaches aren’t shared with the public until months have passed. The GDPR bans this. If a business is breached, they must tell their users immediately.
If a company doesn’t obey these terms, it can be fined up to 4% of its worldwide revenue or as much as 20 million Euro.
Why is the U.S. Not Taking Similar Action?
One concern that’s been brought up comes from some of the country’s largest companies. Google, Facebook, and other tech companies make a lot of their money monetizing data they collect. If consumers were able to block data from being collected or stored, these companies would lose a lot of revenue. That means a loss of jobs and money that’s put back into communities across the U.S.
That said, there have also been so many data breaches that people are realizing something needs to change. Some states are creating their own privacy acts instead. As more states take individual action, there may be less need for the federal government to jump in.
A secondary issue is that some privacy laws are already in place through other agencies. For example, the nation already has HIPAA protections in place to protect consumers from having their private medical information shared. Banks are required to keep your information private and face Securities and Exchange Commission and Federal Trade Commission penalties if they don’t follow regulations.
What States Are Creating Consumer Privacy Acts?
California is one of the first. Starting in 2020, Californians will have more rights to see exactly what information a company wants to know, where that information will be sold, and if they want that information stored.
California companies that make at least $25 million in annual revenues and make half of their income selling personal information or store records for at least 50,000 consumers must abide by these new rules in the California Consumer Privacy Act. Companies that are closely linked to businesses that meet those qualifications must also be in compliance.
On March 6, 2019, Washington state’s Senate passed the Washington Privacy Act. The bill is patterned after the GDPR and, if it passes the House, will offer many of the same protections. Vermont and Massachusetts are other states that are working to protect consumers.
How Can Your Company Be Proactive?
If you own a company that handles the private information of your consumers, make sure you’re being proactive. Have a team in place to protect your computers and servers from breaches and attacks. When it’s time to get rid of outdated equipment like printers, computers, modems, and other electronics, hire a firm that specializes in data destruction.
ERI is a leader in IT and electronics asset disposition. Start with our guaranteed data destruction service. You pick if you want on-site or off-site destruction methods. Using MyTrackTech, you know exactly where your electronics are during every step of the electronics recycling process.
Would you like to know more about our data destruction methods? Contact an ERI expert at 1-800-ERI-DIRECT.