Do a quick search on the internet about data protection and privacy acts, and you can very easily and quickly go down a rabbit hole of endless conspiracy theories. Many people have their microphones and cameras disabled on their phones in an effort to avoid unwanted ears and eyes being a part of their lives. Between the privacy acts enacted in Europe, the California Consumer Privacy Act, and the new data privacy law in Brazil, there is a lot of conflated information. Despite all of the conspiracy theories floating around, a lot of people are lacking a general understanding of what these privacy acts really do and don’t cover. Many people don’t realize that cyber security is one of today’s most pressing global issues, and such measures are implemented to avoid more devastating data breaches like the Equifax and Yahoo breaches. However, the good news is that they are actually not as complicated as they might seem at first glance. Let’s break it all down a bit.
Effective May 25, 2018, the European Union (EU) instated the GDPR in an effort to protect EU customer data, reduce the occurrence of security breaches, and decrease the incidences of personal data being mishandled. But…what actually is personal data, anyway? Well, it can include quite a variety of data types such as names, email addresses, home addresses, IP addresses, location information, ethnicity, gender, biometric data, religious beliefs, political opinions, and unsubscribe confirmation URLs that contain either email addresses or names. According to GDPR, as long as you’re completely unable to identify any single person, you are compliant.
Although the GDPR was recently established, the EU is no stranger to implementing similar privacy measures. In fact, in 1950, Europe declared the right to privacy as part of the European Convention on Human Rights. With the progression of technology, the EU saw the need for updated protections, so it passed the European Data Protection Directive in 1995. This basically established a foundation to set the precedent for minimal data protection and security measures.
However, as we all know, the internet took the world by storm and grew rapidly. The first banner ad appeared online in 1994 and in 2000, several financial institutions began offering online banking. Facebook opened to the public in 2006, and the EU declared a need for updated data protection measures in 2011. As of May 2018, all organizations within the EU were forced to comply with the GDPR, which is currently the strictest data privacy law in the world. Businesses operating outside of the EU but processing data from EU citizens are still required to obey the terms laid out by the GDPR. Otherwise, they will face fines reaching up to €20 million ($25 million). Big yikes!
As laid out in the guidelines of the GDPR, companies can fall into one of two categories: controllers or processors. Controllers are those who collect user data and then decide how it will be processed and what to do with it. Processors, on the other hand, are third parties that help other companies process their data by providing them with various options of what to do with the collected data.
Heavily influenced by the GDPR and an increased conscious effort to prioritize individual privacy, the California Consumer Privacy Act was written and signed in 2018 and went into effect January 1, 2020. Like the GDPR, the CCPA seeks to protect California consumer rights and to encourage more rigorous privacy measures and transparency. Likewise, it gives consumers ownership and control over their information and what happens with it. They have the option to request their data not be sold to third parties, as well as to have businesses delete the personal information collected. Additionally, this privacy act gives Californians the right to know exactly which personal information is being collected, access to said information, the ability to request its deletion, and the opportunity to opt-out of the sale of their personal information. Currently, only larger businesses are required to comply.
The General Data Protection Law in Brazil was approved in 2018 and entered into force in 2020. Similar to the California Consumer Privacy Act, the LGPD was greatly influenced by the EU General Protection Regulation, but there are key distinctions to be made between the GDPR and the data protection law in Brazil. Unlike the other two privacy acts mentioned, the LGPD does not only apply to business and organizations above a certain size. In fact, it extends to businesses of all sizes, and the only exceptions are for data collected entirely for research, journalistic purposes, or public safety. Personal data—that is, data which can identify an individual—and sensitive personal information, which includes data regarding particular racial or ethnic origins, religions, political affiliations, health or sex life, and genetic data, are both protected under the LGPD. The rights of people in Brazil are required to be laid out very clearly and in an accessible manner so they can be aware of them.
According to the International Association of Privacy Professionals, the LGPD goes even further than what the EU has previously done in terms of “the right to be informed” by offering information about which entities the data is shared with and what happens if they do not give their consent. The ultimate goal here is to maintain transparency; however, many worry this is a wasted effort because most Brazilians are completely unaware that their data is being used or giving a second thought as to what is happening after they have provided information. Although complex, the data protection law has the right idea in mind. It will just continue to take time and effort to educate Brazilian citizens both on the complexities of data and data protection, as well as their rights in it all.
Although it might all sound like a bunch of fancy jargon or even seem like a nuisance to deal with, data protection laws such as those mentioned are definitely a step in the right direction, especially as life continues to shift even more in a digital sphere and cyber security measures must be tightened. Being upfront with your users or customers about the data that is being collected and for what reason will inevitably aid in establishing deeper levels of trust with your customers. Additionally, giving them the ability to opt out of the data collection allows them to feel that they have autonomy over their information, which will again increase their level of trust in your company. With the continued prioritization of a person’s rights and freedoms online, more data protection measures will be implemented both throughout the US and in countries all over the world. We recommend continuing to educate yourself so that your business can be in the best possible position when that happens.