Probably the only thing most people know about the General Data Protection Regulation (GDPR) is all the big annoying cookie boxes that pop up all the time. But there is much more to GDPR than cookie consent.
“More” being a euphemism for the burden it places on companies, including in payments and gambling, to treat consumer data in a “lawful, fair and transparent manner”. It’s this need for transparency which results in that mammoth pop-up consent window we have all learned to hate.
GDPR made us Europeans trailblazers. Proud when far-flung jurisdictions adopted “our” rules out of legal necessity when processing EU consumer data. Now those jurisdictions are gold-plating our rules and making them their own.
And in some places, the day-to-day browsing experience may get even more cumbersome. Imagine three, four or five intrusive buttons to click before you can even access a homepage.
Next month, Californians will vote on upgrading their privacy laws, which only came into force in July this year. Prop 24 — as the upgrade is called — will impose further requirements on companies to ask for permission before collecting information and to disclose how it will be processed, among many other restrictions.
And as you read this, US state and federal legislators are at work on as many data privacy bills as there are states. California’s is the best known, but there are many others, all at different stages, each a different shade of GDPR grey.
Here are some examples of what the gold-plating US style looks like:
“Easy” do-not-sell-my-data buttons, or the ability to browse with no pop-ups (except for cookie consent, naturally) and no sale of consumer data.
A proposal from California meaning companies would have to disclose how much they make from processing data.
Arizona, Maryland and three other states would like consumers to have the ability to initiate civil actions for up to $750 for security breaches. Although, in a recent debate, the US Congress was divided over the right to private legal action.
Again in Arizona, if everything goes well (for consumers), companies will have to disclose the categories of personal information they collect, the categories of third parties to whom that data is sold, and the purpose of collection.
The list goes on and on…
GDPR compliance in the US has already proved expensive, mostly for banks, with an estimated cost of €79m per bank. Other financial services, including payment companies, spent an average €9.5m to comply.*
Forbes estimated the total cost to be eight times greater in the US than in the UK.**
GDPR also created a massive consulting industry and that sector will now be well placed to help companies comply when all the draft US legislation becomes reality.
If you work in payments and that’s not paying you enough, now’s the time to switch careers to data privacy consulting, because whatever the final shape of those proposals, there will be new regulations to comply with or else penalties to pay. The only questions are who is affected and how to comply.
Consider that if the Forbes estimate is reversed, European businesses will be spending billions to comply with the US data privacy rules in the coming years.
The US is not the only country making data protection moves. Canada is headed in that direction too.
The Canadian privacy commissioner advocates for a state “safeguard”, which would create a public interest exemption under which consumers would not be able to exercise their rights.
India proposes jail terms for executives of companies that breach the privacy rules.
And the list goes on and on…
Starting this month, the VIXIO team will be speaking with lawmakers and data privacy experts on both sides of the Atlantic to explain what it means for you and how you can prepare.
In a report due in November, VIXIO will map out the US legislative initiatives — what is happening, where and when.
Click here to register to receive a free copy of the report (we will treat your data in a lawful, fair and transparent manner).
** Forbes figures based on FTSE 350 and Fortune 500 companies.