The data privacy era posed new challenges to businesses around the world. For example, territory-specific data laws were introduced such as the EU’s General Data Protection Regulation (GDPR), which was enforced in May 2018. Since then, EU officials have issued at least one fine in each member state, with the highest penalty of €50 million given to French Google.
Not so long after, Californian law enforcement introduced California Consumer Privacy Act (CCPA) in 2019 with a goal to replicate the key GDPR requirements and increase the safety of personal data that Californians share with multiple companies. California is known for its marvelous Silicon Valley where all greatest platform titans such as Google and Facebook reside. These companies are the pioneers of mass personal data use. Therefore, it doesn’t come as a surprise that Californian jurisdiction decided to regulate how these companies, and others that fall under the CCPA requirements, process the data of millions of consumers.
Moreover, they thought that they weren’t strict enough, and enacted California Privacy Rights Act (CPRA). This act amends CCPA clauses in a significant way and adds new ones, bringing Californian privacy rules one step closer to the GDPR ones. Brazil has also recognized the value that GDRP brought to the global privacy table and created their LGDP.
These names are being tossed around frequently these days, increasing the popularity of consumer rights. In this way, they may lead to the wrong conclusion that data privacy is a recent topic. Besides country-based data privacy laws there are industry-specific ones too! This means that some industries carry a larger privacy burden than others, and thus need to be more controlled. Higher control is exactly what draws more data attention to certain industries from the get-go.
Their job is not done by complying with one relevant regulation. Instead, they are expected to comply with all business-related data laws to avoid any possible fines.
However, those industries have the highest responsibility in safeguarding customer data because they collect the largest amount of it. Having millions of data entries at their disposal makes them an attractive target to hackers who want to benefit from this precious commodity.
But what are those industry-specific data privacy compliance rules and on which industries do data privacy regulations have the strongest impact? Let’s find out!
1. Data-based businesses
You may have heard about Cambridge Analytica, the data scandal of the century. Since that massive data breach, the public has shifted its focus on the way social media companies handle customer data. We hall all been aware of the fact that Facebook collects our information, but we didn’t know how big the damage for data mishandling could be. One of the main tasks of the GDPR force was to tackle issues like this and prevent any future data breach in this area. CCPA and CPRA followed its lead and mandated rigorous rules for social media companies that collect data for marketing purposes.
First, they limited the use of both authorised and third-party data by introducing the following rules:
- Consent-based data sharing and data selling
- The right to opt-out from any data permission
- Customer’s request to delete their whole history
- Obligation to deliver customer data in an easily downloadable format
- Data breach notification period of 72 hours since the breach was detected
- Use of plain language is required, meaning there is no more space for complex marketing and legal jargon
However, social media companies are not the only ones seen as third-party data suppliers. Numerous data agencies collect and sell millions of consumer data sets every day. While the GDPR and LGDP don’t offer a specific rule related to this industry, CCPA is clear about the requirement that all for-profit organizations who operate with 50K+ consumer data entries and record more than $25 million annual revenue must follow its rules. CPRA expands the CCPA’s requirequiregive consent and opt-out from data selling as well. Numerous cloud-computing and remote service providers are in the data business too. Even though they may not collect the data, they transmit it, which is why they are required to comply with the data laws too. They are bound by the strict regulations, but not responsible for a data misuse of their customers. However, they must emphasize that in their compliance.
Now, you can go and comply with each policy or just buy the latest customer support software to do that for you!
2. Educational institutions
If you are in the education industry in the EU, you need to check out the GDPR requirements. However, if you are an educational institution in California, you will not only have to scan the CCPA, but also an industry-specific data law called the Family Educational Rights and Privacy Act (FERPA)! This law has been in the game for so long! The U.S. federal government enacted it in early 1974 with a goal to protect student files.
The education industry has been known to collect an incredible amount of student data, which can include:
- Educational information: This data category includes all information pertaining to student grades, classes, selected courses and graduation year.
- Personal identifiable information (PII): PII is any student’s information related to their data as an individual and citizen, such as their Social Security number.
- Directory information: This kind of data includes information on a student's name, home address, or phone numb. It also includes theirir ID number, which can be used to gain access to a student record.
If student data gets into the wrong hands, the damage for the first type of data won’t be huge. However, the data breach of the other two types can be massive! Thus, FERPA declares that student data can’t be disclosed without a studentor guardian (in case that student is underaged) consent. When planning to disclose directory information, an institution must send a two day notice to ask for consent. The notice must clearly explain the reasons for disclosure or it will be found illegitimate.
But do all educational institutions fall under the FERPA law? The answer is no. Only the ones that are federally funded, or part of part of programs administered by the U.S. Department of Education.
3. Online financial services
The financial industry is seeing the highest increase in reported data breaches so far! Over the last 5 years it recorded an increase of 67% according to the Annual Cost Of Cybercrime Study. You may assume that the reason is that hackers love the money, right? There was an increase in online financial opportunities as well! To protect the most valuable consumer data (their identification numbers and financial assets), GDPR, CCPA, and LGDP enacted a set of security protocols that the financial industry needs to follow. Those protocols are related to the use of modern tools, such as customer support software, that enable higher data safety but also give consumers more control over tfinancialacial data. Now every customer needs to be educated on the use of financial tools to enjoy easy access to their data and money. The U.S. federal legislation has been protecting consumers’ financial data for two decades now.
They imposed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, at the end of the last millennium, in an effort to improve finance in the next one! And they are clearly doing a good job as the GLBA is still the active data privacy law for the financial industry!
The asset and wealth management businesses are deeply affected too as the aforementioned laws greatly influence their data privacy and security policies! The handling of client information through third-party vendors is not the same anymore! Now there needs to be a strict classification between data controller and data processor as well as to employ additional technology that guarantees consumer rights!
4. Medical and healthcare
After financial privacy data, the healthcare industry’s data is the second biggest danger! Healthcare organisations process millions of patient records that consist of extremely sensitive information such as their social security and payment numbers. With the shift to the digital age and the emergence of electronic records, the demand for more secure data in the healthcare industry has only been higher. Everyone can now enjoy the benefits of online healthcare, but providers have been put to the test to protect patients’ electronic health records or EHRs.
The U.S. Department of Health and Human Services recognized the struggles that thehealthcaree institutions were facing and made a goal to improve the Health Insurance Portability and Accountability Act (HIPAA) of 1996 by adding a HIPAA privacy rule. HIPAA’s role is to limit access to the EHRs, guarantee patient rights, define its electronic use, and propose procedures and measures for safeguarding patient data. However, GDPR goes a step further with a bit stricter approach.Itt broadened data privacy by demanding the protection of digital data such as IP addresses, photos and payment details.
5. Utility sector
Utility sector is seriously affected by data privacy laws too! Utility companies have switched to the use of multiple automation tools that facilitate both production and distribution. They also made the collection of customer data easier by turning all data into a digital footprint. For utilities, data is not only necessary to perform common services such as payment or calculation of monthly electricity use, but also to control the performance of their massive grids, such as managing outages and system maintenance. The utilities sectors in Brazil, EU, and California are now known for their novel privacy laws. However, Californian utilities companies need to comply with the RCW 19.29A and other relevant Washington regulations related to the collection, disclosure, and safety of customer PII.