On July 8, Colorado became the third US state (after California and Virginia) to pass a consumer data privacy law. As of this writing, 27 other states have some kind of legislation moving through state legislative chambers, and federal lawmakers are considering at least one data privacy bill (see Figure 1).
What’s more, the Consumer Financial Protection Bureau (CFPB) gave notice of advance rulemaking last October for regulations that would require financial institutions to grant ready access to customers’ financial data.
Figure 1: Current US data privacy laws and bills, via the International Association of Privacy Professionals)
So what does this mean for your business? If you serve customers or clients in the United States, it’s time to get serious about figuring out how you will comply with data privacy regulations and laws.
In this post, I’ll explain what data privacy laws and regulations typically require businesses to do and how businesses can stay in compliance by adopting data governance best practices.
Data Privacy Laws and Regulations: What They Require of Businesses
While the specifics of the various data privacy laws on the books (and under consideration) vary, most of them require businesses to do some version of the following:
- Explain to customers how their data will be used.
- Delete customer data upon request.
- Keep customer data secure.
- Make it easy for customers to opt out of communications.
State laws also define which businesses must comply with these laws. Typical criteria used to determine whether a business is required to stay in compliance include…
- Where customers live (e.g., if you have customers in Colorado, you may be required to comply with the Colorado Privacy Act (CPA)).
- Whether you receive money or value from customers’ data, or how much of your revenue you earn from selling data (e.g., the California Consumer Privacy Act, or CCPA, applies to businesses that earn at least 50 percent of their revenue from selling California consumers’ data).
- How many customer records you have (e.g., the CPA applies to businesses that have 25,000 or more customer records).
- How much revenue you earn (e.g., the CCPA applies to businesses with $25 million or more in gross annual revenue).
For many businesses, the prospect of complying with such laws is daunting not because following these guidelines would upend their business practices but simply because they don’t have a clear way of knowing these things about their customers and revenue.
In other words, for companies that don’t have a handle on their own data, complying with laws designed to protect their customers’ is nearly impossible. The good news is that data governance can help.
Read more in our whitepaper A Common Good: How Data Governance Benefits Companies and Protects Consumers
How Data Governance Facilitates Data Privacy Law Compliance
If you’re not familiar with the basics of data governance, the high-level summary is this: data governance involves standardizing all the data an organization has and unifying it in a single source of truth.
With data governance best practices in place, an organization can enjoy financial, operational, and customer-related benefits. Data governance also makes it much easier to comply with data privacy laws.
To understand that last point, let’s do a quick thought exercise.
Imagine a business that uses several kinds of software – a CRM, a sales enablement platform, a billing and accounts system, and a database to track its inventory. Each of these systems exists in a silo: the marketing team’s data doesn’t connect to the sales team’s, which is also separate from the accounting team’s.
If a customer of this business asked for their information to be deleted, per their rights as outlined by their state’s data privacy law, responsible parties would have to search all these databases separately to find that information and delete it. Not only that:
- The business would have to review permanent deletion practices for each system and make sure they complied.
- They’d have to search possible aliases the customer used (e.g., nicknames, names with or without their middle initial, etc.).
- They wouldn’t know for sure whether they’d found all instances of that customer data, meaning they wouldn’t know for sure whether they’d complied with the law.
The result is that compliance becomes incredibly time- and resource-intensive. Organizations that struggle to keep up could face serious fines and penalties.
Now imagine an organization that has all its data stored in a single place, in a standard format. When that customer asks for their data to be deleted, all the business has to do is pull up their file and delete it once. Done. Compliance is simple.
For businesses that serve customers in California, Virginia, or Colorado, the impetus for adopting data governance best practices is clear. But what about businesses that don’t have customers in those states? I mentioned earlier that now is the time to prepare for compliance if you serve anyone in the United States. Let’s take a look at why.
The Future of Data Privacy Laws in the US
Gartner predicts that, by 2023, about two-thirds of the world’s population will be protected by data privacy laws. Already, Europeans are protected by the GDPR and Americans are increasingly protected by state laws.
The takeaway for businesses is that the movement globally is toward increased data privacy regulations. If you are not currently subject to any such regulations, there’s a good chance you will be in the near future.
That means that now is the perfect time to implement data governance best practices. By starting the process of standardizing and organizing your data now, you have a much better chance of being prepared to easily comply with the data regulations that will almost certainly affect you in the near future.
How to Implement Data Governance Best Practices
If you aren’t sure how or where to start the process of introducing data governance best practices, you’re in the right place. My Saggezza colleagues and I have experience implementing data governance best practices to businesses of all sizes in a variety of industries.To better understand how we can help you implement data governance so that you’re prepared to comply with data privacy laws, get in touch. I’d love to hear about your situation.
Meet the Author:
Suyash Karanwal has around 9 years of experience in the database field with comprehensive hands-on expertise in development, production database administration and database application development. Suyash graduated from IIT Chicago in 2017 in Masters in Data Management specialization.
Saggezza is a proven technology and consulting partner that delivers personalized, high-value solutions to accelerate business growth.