Elections in California and across the country could rewrite data privacy laws and revive national data privacy legislation now circulating on Capitol Hill.
- Californians are poised to vote on Proposition 24, which would strengthen the state’s consumer privacy law.
- U.S. election outcomes could make or break data privacy bills already introduced in Congress.
- Companies are bracing for new compliance challenges in managing email, one of their biggest stores of personal information.
As a practical matter, though, many American companies must already comply with a patchwork of old and new data privacy regulations and standards — whether at the state, national, international or industry level. Included are various requirements for:
- Designing data privacy protection into any new product or service;
- Implementing policies and procedures for sharing customers’ and employees’ information;
- Securing personal information as it’s created, stored, maintained, and transmitted;
- Reporting data breaches;
- And training personnel to handle personal data properly.
Much of the compliance work revolves around everyday business email, which is central to data privacy in two big ways. First, it’s one of the largest repositories of personal information that any organization holds. Second, business email is the most common trigger of data breaches that expose personal information.
As privacy rules continue to take shape, technology market experts like the Gartner Group advise companies to be proactive — to build holistic, adaptive privacy programs instead of reacting each time a new jurisdiction institutes a new policy. Technology is an essential component of these compliance programs, securing data and automating compliance.
The Data Privacy Landscape Is Shifting Again
The introduction of the CCPA set off a wave of data privacy initiatives across the country, with bills being considered in at least 30 states and Puerto Rico before the pandemic shifted priorities. While the CCPA is already considered quite strict, questions about its enforcement mechanisms and other aspects prompted some privacy advocates to draft Proposition 24, now on the ballot in California.
If passed, Proposition 24 would expand on the CCPA in several areas. Those that could impact business email include stronger policies on minimizing the retention of personal information and the establishment of the California Privacy Protection Agency, adding another regulator to the compliance mix. Other major areas of focus include the use of personal information to target advertising.
Added to the mix are privacy policies across different sectors. The Health Insurance Portability and Accountability Act (HIPAA) has long governed healthcare companies. Financial services companies must answer to government and non-government agencies such as the PCI Security Standards Council and New York State Department of Financial Services.
The 2020 election’s outcome could determine which, if any, will move forward: Democratic presidential candidate Joe Biden has suggested that the U.S. should have a national privacy law that sets standards similar to Europe’s General Data Privacy Regulation (GDPR), while President Trump has yet to weigh in.
Globally, ‘Modern’ Data Privacy Regulation Accelerates
All in all, 65% of the world’s population will have personal data covered by “modern” privacy regulations by 2023, according to Gartner, compared to 10% in 2020. While 130 or more countries have some privacy laws on the books, many have been modernizing their laws since GDPR was issued.
Compliance Programs and Technology
Complying with changing data privacy regulations is both an organizational and technical challenge.
Companies spend millions establishing compliance strategies, policies, procedures, and training to protect their customers’ and employees’ personal information. Leading practice includes instituting high-level principles regarding personal data as part of a documented and measurable strategy. In handling email, for example, archiving policies need to address why personal information is retained and for how long, as well has how the company protects against email-borne threats that could breach its stores of personal information.
For email, translating compliance strategy into practice involves technical tools for implementing these and other policies on data management, security, archiving, search and retrieval, encryption and regulatory reporting. Cloud-based email services such as Mimecast are incorporating and automating more of the data security and regulatory administration capabilities needed to comply. For example:
- Certain types of personal information in emails can trigger encrypted messaging.
- Compliance teams can set, maintain and enforce retention policies that “expire” messages within a set number of days.
- Data dashboards can measure employees’ likelihood of clicking on scam emails, risking a data breach that exposes personal information.
The Bottom Line
 “How the 2020 Elections Will Shape the Federal Privacy Debate,” Brookings Institution
 “Global Data Privacy Laws 2019: 132 National Laws & Many Bills,” Social Science Research Network
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly