What is the Consumer Data Protection Act of 2018?
In previous CSPi blogs, we have described many specific data privacy regulations as well as the fact that they are quickly increasing in number. This is happening across the board in the domestic United States, internationally, as well as regulated industries. We’ve also noted that the penalties for noncompliance are getting much more serious – and painful. For example, perhaps the most punitive to date is the EU’s GDPR, which requires 72-hour breach notification, detailed reporting on breach impact and remediation, and fines up to 4% of revenue.
It’s a struggle for organizations to keep track of all of these data privacy laws by state, country, or industry, and, more importantly, to ensure compliance with their varying requirements. And it will only get more challenging as new federal privacy laws continue to appear. For example, one of the newest regulations, proposed by U.S. Senator Ron Wyden of Oregon, the “Consumer Data Protection Act of 2018,” could take compliance to a whole new level, and in some respects, on par with GDPR.
Senator Wyden can be considered a watchdog in the areas of data security and proper usage. In the past, he was instrumental in shutting down the government’s surveillance and intelligence gathering under the U.S. Patriot Act. He also pushed Congress to pass additional cybersecurity measures. Now he is turning his attention to address organizations’ potentially lax data protection and poor oversight of data-sharing practices.
The need for transparency
Many companies have made it a practice to collect consumer data and use it to gain a new competitive edge. Unfortunately, it was not always obvious to consumers that their data was being collected, never mind how this information was being used or shared.
One of the major aspects of the Consumer Data Protection Act of 2018 is to shine a light on this issue and create complete transparency to see how consumer data is collected, used, and shared.
Another interesting item in the proposed regulation is that the Consumer Data Protection Act would give the FTC more authority and resources, letting it take a more hardline approach to protecting consumers’ data rights. For example, the proposed bill would allow the FTC to levy hefty fines, even for a first infraction, as well as incarceration for responsible parties within the organization.
Currently, no federal agency is charged with establishing a minimum standard for the processing of consumer data. Under the proposed Consumer Data Protection Act of 2018, the U.S. data protection authority would fall to the FTC.
Other Specifics of the Proposed Consumer Data Protection Act Bill Include:
- Establish minimum privacy and cybersecurity standards.
- Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10- to 20-year criminal penalties for senior executives.
- Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It would permit companies to charge consumers who want to use their products and services but don’t want their information monetized.
- Give consumers stronger data privacy rights, including a way to review what personal information a company has about them, learn with whom it has been shared or sold, and challenge inaccuracies in it.
- Hire 175 more federal staff to police the largely unregulated market for private data.
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.
At CSPi, we’ve been watching these new personal information privacy laws stack up, and we understand the complexities of meeting the various requirements. Our compliance assurance solutions are built to meet, even exceed, data privacy requirements by providing automated breach notification as well as highly detailed reporting while a breach is happening.
These capabilities allow organizations to take immediate steps to disrupt the breach, minimize the damage, and provide all of the information and details needed for compliance. And to take it one step further, CSPi’s unique approach to securing DevOps environments puts organizations at an advantage, since critical assets are protected wherever they reside, are used, or are accessed. All of this makes them unusable to an attacker in the event of the inevitable data breach.
If you would like more information on data privacy regulations, and how you can improve your compliance efforts, including for the Consumer Data Protection Act, download our new how-to guide, “Successfully Complying with Data Privacy Regulations.”
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications, and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. To learn how we can help your organization protect critical data while staying in compliance with data protection laws, contact us today.