U.S. companies with no presence in Europe only needed to pay passing attention to the protection of personal information and the General Data Protection Regulation (GDPR) when it was adopted in 2016 and went into effect in May 2018.
But the California Consumer Privacy Act (CCPA), signed into law just one month later, has changed privacy and data calculations for most businesses, not just in the Golden State but across the country. Numerous companies have recognized that they needed to take a long, hard look at how they address consumers’ privacy and data.
During this podcast, Steve Stein, co-lead of KPMG’s Information Governance and Privacy practice, and Nick Schmidt, one of its members, sit down to discuss:
- How the private right of action for data breach in the Act changes the legal rules for data breach litigation and could cost breached businesses millions, even billions, of dollars
- The amendments made since the Act was announced in 2018, including the recently-passed employee personal information exemption (AB 25), the publicly available information exemption (AB 874), an exemption for recall and warranty data (AB 1146), and relief for certain B2B communications or transactions
- The final disposition of, and takeaways from, the proposed loyalty card “exception” amendment (AB 846)
- The many aspects of data privacy that non-GDPR-compliant companies need to start immediately addressing, including:
  - Inventorying the data held by their business processes and IT assets, and shared with external partners;
  - Updating their corporate policies and notices;
  - Authenticating customers more effectively;
  - Instituting better security controls, with an eye toward legal defensibility; and
  - Training employees to comply with the privacy requirements relevant to their jobs.