Data Privacy is a Ticking Bomb for US Congress
Darryl Carlton
AI Governance Thought Leader | Digital Transformation Expert | AI Pioneer since 1984 | Bestselling Author in Cybersecurity & AI Governance | Passionate about the responsible use of AI in Higher Education, Business & Government
The recent decision by the United States Congress to demand that TikTok divest its US business, on the grounds that the company is headquartered in China and is subject to requirements to disclose data to the Chinese government, has brought the issue of data privacy to the forefront of national attention. This action highlights the need for robust data privacy legislation in the United States, and the California Privacy Rights Act (CPRA) offers valuable insights into the alternative remedies available to US legislators.
In today's interconnected digital world, protecting personal data has become a top priority for individuals, businesses, and governments alike. Two ground-breaking pieces of legislation have emerged as beacons of hope in the fight for privacy rights and consumer protection: the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which later evolved into the California Privacy Rights Act (CPRA).
As a senior executive, understanding the key differences and similarities between these two laws is crucial for ensuring your organisation's compliance and safeguarding your customers' trust.
The GDPR, implemented in 2018, set a new global standard for data protection. It applies to all organizations operating within the EU and the European Economic Area (EEA), as well as those outside the EU that offer goods or services to or monitor the behaviour of EU data subjects. The GDPR defines personal data broadly, covering any information related to an identified or identifiable natural person.
On the other side of the Atlantic, California took a bold step with the CCPA, which took effect in 2020 and was later expanded into the CPRA. These laws apply to for-profit businesses that collect California residents' personal information and meet certain thresholds, such as having annual gross revenues exceeding $25 million or deriving a significant portion of their revenue from selling personal information.
Both the GDPR and the CCPA/CPRA grant individuals a set of rights over their personal data. Under the GDPR, data subjects have the rights to be informed, to access their data, to request rectification or erasure, to restrict processing, to data portability, and to object to processing, as well as rights related to automated decision-making. Similarly, the CCPA/CPRA gives California residents the right to know what personal information is collected about them, to have it deleted, to opt out of the sale of their personal information, and not to face discrimination for exercising these rights.
Enforcement of these laws is a serious matter, with substantial penalties for non-compliance. GDPR fines can reach up to €20 million or 4% of a company's total global turnover, whichever is higher. The CCPA/CPRA, enforced by the California Attorney General and the newly established California Privacy Protection Agency (CPPA), can impose fines of up to $7,500 per intentional violation and $2,500 per unintentional violation.
To comply with these laws, organisations must implement appropriate technical and organisational measures to ensure the security of personal data. This includes measures such as pseudonymisation, encryption, and reasonable security procedures and practices appropriate to the nature of the information.
While both the GDPR and the CCPA/CPRA aim to protect personal data, the GDPR is generally considered the more comprehensive and stringent of the two. It has a broader scope of applicability and offers more detailed provisions on data subject rights and organisational obligations. The CCPA/CPRA, though limited to California residents, is nonetheless a significant step forward for data privacy legislation in the United States.
If US legislators were to adopt provisions similar to those found in the CPRA, they would have several alternative remedies at their disposal when addressing concerns about foreign companies collecting and potentially misusing US citizens' data. These remedies could include:
By adopting a comprehensive data privacy framework, US legislators could effectively address concerns about foreign companies' handling of US citizens' data without resorting to measures such as forced divestment. Such a framework would protect individuals' rights and foster a more trustworthy and secure digital environment for businesses. More importantly, it would apply uniformly to any foreign-owned business operating in the US, avoiding the need for actions targeted at individual companies.