As online consumers of content, services and goods, we make certain compromises on privacy. Who we are and what we do online is a valuable commodity. It’s presumably worth it to hand over some contact information if it gets us access to a retail loyalty program, a useful traffic tool, news stories we’re interested in or an amusing game to pass the time. Do I accept the terms of service? Sure. How bad can they be?
It wasn’t that long ago that few in gov tech knew about the GDPR. Originally passed in 2016, the General Data Protection Regulation is the set of sweeping data privacy laws for the European Union that aim to protect consumers from having their data collected, used or sold without their consent. Companies found to be out of compliance face heavy fines — heavy enough to get the attention of private-sector consumers of data (i.e., nearly anyone doing business on the Internet).
And while the impact of GDPR, which took effect in May 2018, is thought to be pretty minimal for state and local government agencies in the U.S., many wondered if American lawmakers should take similarly aggressive measures. Calls for action got louder with recent discoveries about just how much personal data was being collected and sold by “free” online services like Facebook. It didn’t take long.
As mentioned in our cover story, the California Legislature passed its own set of privacy protections in June. The bill was drafted by legislators and signed by the governor in the course of one week, a signal of its importance to policymakers in tech-heavy California, eager to look out for its 40 million residents.
In a July 31 webinar by law firm Morrison & Foerster, attorneys Purvi G. Patel and Nathan D. Taylor agreed that the importance of the California law couldn’t be overstated. “I truly believe this is the most significant U.S. privacy development to date,” said Taylor.
The California bill gives consumers five fundamental rights, as outlined by Patel and Taylor: the right to know how their information is being used; the right to have their information deleted; the right to prevent the sale of their personal information; protection from retaliation for making any requests under the act; and the right to sue.
The bill takes effect on Jan. 1, 2020. Its deferred effective date presumably offers businesses some time to make the necessary process changes to ensure they’re in compliance. Taken all together, it’s a heavy lift.
But what does this mean for government? In the course of delivering services, taxation and regulation, the public sector must collect a lot of personal information. That same data is then available by extension to any number of private-sector partners. If a breach occurs, will citizens be comforted by fingers pointed at a third party?
Many leading jurisdictions have started to hire chief privacy officers, granting them a seat at the table alongside agency leaders and technical staff at the outset of a project to ensure the protection of citizen data is adequately considered. It’s a good start.
Experts strongly caution against jumping on new tech partnerships that hype smart city benefits, or at least advise doing so with eyes wide open. Vendor profit often comes not from the size of the contract, but rather the citizen data it allows them to collect. Government, and those who contract with government, must be held to a higher standard when it comes to privacy.