You may not have realized it, but the legislation that dictates how organizations store, manage and transfer the personally identifiable information of their customers is changing drastically, and that change is reshaping the world of mobile application development. Led by new legislative frameworks such as the CCPA and GDPR (with more coming online every day), the days when organizations could neglect their liability for how they use customer data appear to be coming to a close. New legislation is cracking down on poor behavior around the management of sensitive data, and it is being enforced with heavy lawsuits and fines aimed at getting organizations to shape up.
Overview of the CCPA
The California Consumer Privacy Act (CCPA) is a California state statute that provides increased privacy protections for residents of California.
A summary of the consumer rights that organizations must honor to comply with the CCPA is as follows:
- The right to know how their personal information is being collected by a business and how it is used and shared;
- The right to request the deletion of personal information collected from them;
- The right to opt out of the sale of their personal information;
- The right to non-discrimination for exercising their rights under the CCPA.
It’s important to note that the “right to deletion” clause of the CCPA is a new aspect of privacy protection legislation, and it is radically reshaping how organizations think about the way they store, manage and transmit personal data. Consider a scenario where an organization stores client data within its internal management systems with the intention of using that data down the road, for future purchases or client identification. With the addition of the right-to-deletion clause of the CCPA, a client can now request at any time to have their sensitive data deleted.
At face value, that may not seem like a challenge. However, when we take a closer look at how organizations store, manage and transmit client data, it can become a major one. When organizations manage client data, it often leads to multiple backups, data offloading and data warehousing, so every copy has to be found and removed. In short, it can be a major challenge for organizations to effectively delete the client data in question.
So, what does this mean for an organization that has trouble fielding these deletion requests? Unfortunately, it can lead to major compliance failures and, ultimately, a slew of hefty fines if the organization is found to be out of compliance.
Overview of GDPR
And the CCPA isn’t the only data privacy legislation of its kind. The General Data Protection Regulation (GDPR) offers a similar legislative framework but provides protection for citizens of the European Union.
A summary of the responsibilities organizations must meet to comply with the GDPR is as follows:
- Conduct an information audit for EU personal data
- Inform your customers why you’re processing their data
- Assess your data processing activities and improve the protection
- Make sure you have a data processing agreement with your vendors
- Appoint a data protection officer (if necessary)
- Designate a representative in the European Union
- Know what to do if there is a data breach
- Comply with cross-border transfer laws (if applicable)
Again, just like the CCPA, the GDPR states that citizens of the European Union have the right to request the deletion of their sensitive personal data from organizations that store it.
Under the CCPA framework, the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law.
This might seem like a small fee for large organizations, but when you consider that the fine is assessed per violation, those numbers can add up quickly.
Take, for example, an organization that unintentionally exposes 1,000 records and sustains a CCPA fine. Here, the fine would total $2,500 multiplied by 1,000, or $2.5 million. This is where an infraction can radically change the future of a business.
For the GDPR, the fine structure differs a bit. Organizations found not to comply with the GDPR can sustain a fine of up to €20 million ($24.1 million) or 4% of annual global turnover, whichever is higher.
Here, organizations only have to be concerned with a one-time fine; however, that fine can be extremely challenging for an organization to pay while remaining viable.
The Future of App Development
With all of this said, it’s critically important to consider compliance when developing a new application. Take, for example, the case of Delta.
When we look at the CCPA, if the app released by Delta was downloaded by 10,000 consumers, then under CalOPPA ($2,500 per violation) the penalty could be upwards of $25 million. This is a big price tag for an application infraction.
The bottom line is to enter the development process with compliance as a priority. Better yet, partnering with a mature development agency that has built its organizational process around addressing compliance is a great place to start.