The CCPA and GDPR: How these emerging privacy laws will impact the credit union industry: Part one
We are in the era of digital transformation, a time when data is being collected at exponentially growing rates all around us. A wide variety of businesses and institutions, including credit unions, have been collecting personal data on their customers or members for quite some time now. How can an organization derive any benefit from all of this available data? The answer lies in the use of Big Data Analytics. Big Data is used to analyze extremely large data sets to identify patterns, trends and associations in human behavior. This method of analyzing data is very versatile and is proving to be one of the most sought-after tools of today.
This has made the overall collection of consumers' data much easier and more widespread. Such data is also commonly referred to as Personally Identifiable Information (PII), and the growing ease of access to it has raised some concerns. Common questions include: What data is being collected? How has it been collected? What is it being used for? Which third parties have access to it? And how much control do we have over our own data?
Understanding the Current Technology Regulation Market
Even though there are many regulations relating to the use of technology, many would argue that technology regulation is a lagging indicator of what is to come, meaning that the regulation of technology hasn’t quite caught up with the quickly changing way of doing business. Consumers' PII and behavioral data are becoming more commoditized whether we like it or not. To combat this, technology regulations will grow in strength and number throughout much of the 21st century.
The ultimate purpose of instituting more privacy regulations with regard to PII is to protect the consumer from two different things. They are meant to: 1) help protect consumers from the increasing number of hackers, and 2) prevent businesses from having too much control and power over their customers.
A Perfect Example – What Could Happen if Your Business is Unprepared
The nearly perfect reputation of the well-known tech giant Facebook (FB), the world’s largest social media network, was tarnished in mid-March of 2018. Cambridge Analytica, a large big data analytics company based in the UK, exploited FB’s proprietary database by harvesting the PII of nearly 87 million people’s Facebook profiles without the consumers’ consent. It’s believed that Cambridge Analytica used the obtained data to help influence the 2016 U.S. presidential election.
As you might expect, this revelation didn’t thrill many Facebook users, and to a larger extent, the U.S. public in general. This wasn’t the first time personal data had been leaked, but this instance stirred more controversy, as it enabled foreign propaganda that potentially affected the results of the election. As a result, Facebook’s Chairman and CEO, Mark Zuckerberg, was put in the hot seat in front of the U.S. Congress in a Senate hearing to answer questions. Members of Congress asked questions closely resembling these: Just how secure is your proprietary database? What information do you have on all of your users? What is it used for? Which third parties and vendors have access to it, and what do they use it for? All of the backlash towards Facebook caused its stock price to plummet in just a couple of days, losing nearly $100 billion in market capitalization (at the time, 15% of its total valuation).
Facebook was unprepared for the commoditization of personal data. This is a change and an issue that businesses must address, as consumer data has become much easier to obtain, both in volume and in the methods available for collecting it. If businesses can’t adapt to the changing landscape, then consumers will simply select products from a different company that understands and respects their rights as consumers.
Current Legislation – Aimed at Protecting Consumers
Recently, lawmakers have started taking more action to regulate businesses that control the PII of their customers. The two most notable laws pertaining to this are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The GDPR has been in effect since late May of 2018, and the CCPA is still under review by California legislators.
The GDPR replaced the 1995 EU Data Protection Directive, which generally did not regulate businesses based outside of the EU. However, this law is different. It is intended to place stricter rules on businesses, so they cannot have free rein over the use and distribution of EU citizens’ data. In addition, the GDPR’s reach is broader: it potentially applies to any business, not just those within the boundaries of the EU. Whether a company needs to comply with the GDPR depends almost entirely on its marketing efforts. If the company actively pursues or monitors EU citizens in order to track and collect PII that is useful to its business, then the GDPR will likely apply to it.
Why is understanding the GDPR important? It’s important because these types of laws and regulations will continue to grow in prevalence. Thus, companies may need to change their strategies, especially regarding the creation and overall strengthening of data security (IT) teams. Understanding the European law is also important because there is some overlap between it and the newly composed CCPA, which will directly impact the state of California. In short, both laws require individuals’ consent before businesses collect and start using that consumer-specific data. Businesses are then required to disclose how they collected that data and what it will be used for. Failure to comply results in a very predictable consequence: very heavy penalty fees.