Do we need more particularized data privacy rights for U.S. citizens?

In late June, California passed A.B. 375, the California Consumer Privacy Act of 2018, a sweeping piece of legislation that, on its face, grants California residents data privacy rights that have never before been granted in the United States.

The law was driven by recent privacy scandals and the political pressure of a potential privacy rights ballot initiative that advocates agreed to drop in exchange for the passage of A.B. 375. Even more than the practical implications of the law, its passage spurred additional public debate that could lead to federal data privacy legislation and more particularized data privacy rights for U.S. citizens.

Generally, A.B. 375 allows consumers (defined as natural persons who are California residents) to demand access to all of the personal information that a company has collected relating to them, along with a full list of third parties with which the company has shared that data. In addition, the law allows consumers to sue companies – including through class actions – if they violate its privacy guidelines.

The law applies to for-profit companies that collect consumers’ personal information, conduct business in California, and fall into one of three categories:

  1. Realize gross revenues in excess of $25 million,
  2. Receive or disclose the personal information of 50,000 or more consumers, households or devices annually, or
  3. Receive 50 percent or more of annual revenues from selling consumers’ personal information.

Additional provisions bring corporate affiliates of these companies within the law’s reach if they share branding.

A.B. 375 grants consumers four categories of privacy rights.

First, the right to know what personal information a business has collected about them, including the source of that information, what is being done with it, and with whom it is being shared.

Second, the right to “opt out” of a company being permitted to sell their personal information to third parties.

Third, the right to request the deletion of their personal information.

And fourth, the right to not be discriminated against if they exercise their data privacy rights.

Interestingly, however, A.B. 375 opens the door to allowing companies to pay consumers for the right to share their data by permitting, under certain circumstances, the granting of a different price to a consumer related to the value of that consumer’s data.

For the purposes of this law, “personal information” is defined broadly, including any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. But A.B. 375 does exclude information that is properly made available by federal, state, or local records provided that such information is used for a purpose compatible with the purpose for which it is maintained. A.B. 375 also carves out de-identified personal data (i.e., anonymized data) and aggregate data (both of which are narrowly defined).

The law does not come into effect until January 1, 2020, and numerous companies and lobbyists will be proposing amendments that could narrow its scope and impact. Companies that deal in consumer data – including retailers, internet service providers, and other web-based companies – will be working to scale back the privacy rights set forth in A.B. 375 based on the costly nature of compliance.

The state attorney general will also work with public stakeholders to develop a particularized compliance framework for impacted companies to work toward in the coming 16 months. But even a curtailed version of A.B. 375 is likely to require significant privacy policy changes for companies falling within its reach.

Perhaps most importantly, the passage of A.B. 375 coincides with increasing public and political acknowledgement of the need to better protect personal data. The week before it was signed into law, the Supreme Court issued its decision in Carpenter v. United States, 585 U.S. ___ (2018), holding (in a Fourth Amendment context) that an individual has a reasonable expectation of privacy in his geolocation data, despite that data being collected and held by cell phone companies.

Since June, many federal lawmakers have ramped up efforts to draft and pass data privacy bills that address the manners in which companies collect, maintain, and use personal information. See https://www.axios.com/congress-eyeing-national-privacy-rules-in-wake-of-california-law-d79c94b3-52e2-4ac2-846a-089d454d1905.html.

For now, companies impacted by A.B. 375 should be crafting draft privacy policies and procedures that would allow them to comply with the current iteration of the law. At the same time, they should follow proposed amendments to the law, raise issues with the California legislature if they unearth cost or logistical difficulties in their early compliance efforts, and keep an eye on Congress’ efforts on the same topic.

 

Courtesy: John C. Eustice

John C. Eustice is a member at the law firm Miller & Chevalier Chartered in Washington, D.C.

Are you making the most of your mainframe data?

Mainframe data is big data!

Data Quality Matters

When most people think of legacy software, we think of software that is outdated and due for replacement.

Yet an alternative definition of legacy, particularly when it comes to mainframe applications, is simply software that works.

This is a definition that our partner, Syncsort, is proud of. The legacy DMX Sort product has been helping customers to reduce the cost of running their mainframe for decades.

This legacy – the understanding of how to optimally move vast amounts of data – is brought to Syncsort’s line of data integration tools – particularly for moving both logs and data from the IBM mainframe and the IBM i series to advanced analytics platforms like Hadoop and Splunk.

These data integration and change data capture solutions are complemented by the data quality stack, meaning that we don’t just move data efficiently, we ensure its quality as well.

Mainframe data is big data

5 Product Data Levels to Consider

Different kinds of product data may be divided into schemas. Product pricing is usually a subject mainly belonging to the ERP side of things. This write-up sheds light on Product Master Data Management: how to connect the dots and take things to the next level.

Liliendahl.com

When talking about Product Master Data Management (Product MDM) and Product Information Management (PIM), I like to divide the different kinds of product data into the schema below:

Level 1, Basic Data

At the first level, we find the basic product data that typically is the minimum required for creating a product in any system of record.

Here we find the primary product identification number or code that is the internal key to all other product data structures and transactions related to the product within an organization.

Then there usually is a short product description. This description helps internal employees identify a product and distinguish that product from other products. Most often the product is named in the official language of the company.

If an upstream trading partner produces the product, we may find the identification of that supplier here too. If the product is part of internal production, we may…

Data-centric approach to enterprise architecture

Data is the key to taking a measured approach to change, rather than a simple, imprudent reaction to an internal or external stimulus. But it’s not that simple to uncover the right insights in real time, and how your technology is built can have a very real impact on data discovery. Data architecture and enterprise architecture are linked in responding to change, while limiting unintended consequences.

DBTA recently held a webcast featuring Donald Soulsby, vice president of Architecture Strategies at Sandhill Consultants, and Jeffrey Giles, principal architect at Sandhill Consultants, who discussed a data-centric approach to enterprise architecture.

Sandhill Consultants is a group of people, products and processes that help clients build comprehensive data architectures resulting from a persistent data management process founded on a robust data governance practice, producing trusted, reliable data, according to Soulsby and Giles.

A good architecture for data solutions includes:

RISK MANAGEMENT: Strategic, Regulatory, Media, Consumer

COMPLIANCE: Statutory, Supervising Body, Watchdog, Commercial, Value Chain, Professional

Enterprise architecture frameworks start with risk management as their building blocks, Soulsby and Giles said. A typical model asks what, how, where, when, and who. A unified architectural approach asks what, how, where, when, who and why.

This type of solution is offered by erwin and is called Enterprise Architecture Prime 6. According to Soulsby and Giles, the platform can achieve compliance, either regulatory or value chain; can limit unintended consequences; and has risk management for classification, valuation, detection and mitigation.

erwin and Sandhill Consultants offerings will provide a holistic view to governing architectures from an enterprise perspective. This set of solutions provides a strong data foundation across the enterprise to understand the impact of change and to reduce risk and achieve compliance, Soulsby and Giles said.

An archived on-demand replay of this webinar is available here.

via The Building Blocks of Great Enterprise Architecture for Uncovering Data — Architectural CAD Drawings

Data Architecture in a digital world; empowering the Data Driven Enterprise

To be able to be really Data Driven, an organisation performs a Data Management discussion throughout the whole organisation.

Source: Data Architecture in a digital world; empowering the Data Driven Enterprise

Automating Enterprise Architecture

Modern EA processes must involve more stakeholders in the EA process so that EAs themselves aren’t the ones actually doing each and every task. The combination of smart tooling and collaborative process is really the key to success in automating your enterprise architecture practice.

Center Mast Consulting

Delivering faster. Saving money. Building new business capabilities. These are value points that make enterprise architecture more relevant than ever. Yet delivering EA at today’s breakneck pace of business requires automation. Here are two ways to do just that.

EA’s Slow Pace

For many organizations, enterprise architecture is still viewed as a governance process or center of excellence which major projects must be “run through.” This puts enterprise architecture on a project’s critical path, and as a result, enterprise architects must scramble to complete solution architecture, standards reviews, and documentation on time. It is these processes that must be automated in order to deliver EA faster.

Antiquated EA Processes

Let’s start the conversation with process, as that’s where things are inefficient to begin with. If we take a statistical examination of common EA work, it doesn’t take long to see that there’s an awful lot of tasks that are repetitive…

Who is a Data Subject in GDPR

Who is a data subject in GDPR? – An identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. #AbhiSrivastava #GDPRArticle4 #GDPR #DataSubject
