The General Data Protection Regulation (GDPR) was announced in the spring of 2016, imposing strict requirements on businesses regarding their consumer data practices. GDPR went into effect on May 25th, 2018, and since then has held businesses accountable for the way they track online users, handle user consent, and share data with third-party entities. Under GDPR, they are also accountable for the way consumer data is used when it passes into the hands of a third party and obligated to ensure that it is always protected.
The California Consumer Privacy Act (CCPA) protects residents of California and gives them more control over the personal information that businesses collect from them. CCPA gives California consumers the right to:
Like GDPR, the CCPA holds businesses accountable for the way consumer data is used even when it passes into the hands of a third-party entity. As long as they are serving California residents, they are also responsible for the way their websites and mobile apps operate and store that information, even when the code is not owned or operated (O&O) by the business.
“Data privacy regulation” encompasses laws, both enacted and proposed, which enforce policies regarding the way that businesses store and use consumer data, and the way they share it with or sell it to third-party entities. So far, data privacy regulations like the GDPR and CCPA are considered to apply outside the countries in which they are passed, and have a global scope that impacts any organization that collects consumer data from residents/citizens of those countries. In the U.S., there is currently no data privacy legislation at a national level. However, businesses operating in the U.S. must adhere to the GDPR if they do business with consumers living in the E.U.
In practice, almost any business that depends on a website or mobile app for any portion of its revenue – including publishers, retailers, eCommerce and entertainment sites – must follow both the GDPR and CCPA, which are similar enough that a single set of policies is usually sufficient for both. Under both laws, organizations are responsible for the way consumer data is used even when it passes into the hands of a third-party entity. As long as they are serving California residents, they are also responsible for the way their websites and mobile apps operate and store that information, even when the code is not owned or operated (O&O) by the business.
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.