The Right to Be Erased is Coming to California, Along with Other Privacy Rights
In the last year, developers and DBAs have heard a lot about the General Data Protection Regulation (GDPR) law passed by the European Union. These regulations not only impact companies that are incorporated in Europe, but all companies processing the data of Europeans.
These new ground rules include obtaining consent before adding people to mailing lists, allowing people to revoke that consent easily, and requiring processes for handling personal data to protect the data by default.
The GDPR also allows individuals in the EU to request copies of information that a company holds about them, and grants “the right to erasure,” or the right to have their data removed. This is particularly an interesting issue when it comes to data stored in backups, and copies of data, which are frequently used for software development, test, and analysis.
These rights are now coming to the United States
If you didn’t pay much attention to the GDPR because your customers are located in the United States, it’s a great time to start reading!
Check out this post from the Electronic Privacy and Information Center (EPIC) regarding the California Consumer Privacy Act of 2018, also known as AB-375:
The Act will establish the right of residents of California to know what personal information about them is being collected; to know whether their information is sold or disclosed and to whom; to limit the sale of personal information to others; to access their information held by others; and to obtain equal service and price, even if they exercise their privacy rights. The Act will allow individuals to delete their data and it will establish opt-in consent for those under 16.
Data breach damages could add up fast
The Privacy act also allows consumers who are the victims of data breaches to seek damages. A lost laptop with a development database containing, say, 1 million unprotected email addresses might be liable for up to $750 of damages for each person impacted, or actual damages (whichever is higher).
The case for encrypting personal data in production, and masking or removing it from non-production environments has never looked so strong.
Concerned about privacy? This is progress
You may associate the GDPR with generating more email, rather than reducing it. Most of us got a flood of email around GDPR enforcement day.
But in the long run, these are tools that give you, as an individual, a voice to say whether or not you want to receive messages, and to exercise control over what data companies maintain about you. The fact that California has now passed this privacy act gives companies in the United States (and those who handle data for people in the United States) even more reason to apply privacy protection by default to all of their customers — because more states may be next.
Are you a DBA or developer? This can look great on your resume
I’ve met more than one person who has had a tough time scrambling to get their processes and scripts ready for the GDPR regulation. And it wasn’t always fun.
If you’ve already started down that road, the California Consumer Privacy Act is just another reason that what you’ve done is worthwhile, and that the business processes and code patterns you’ve developed are going to look just great on your resume and work well for you in the future.
If you haven’t started down this road yet, now is the time to start investigating the types of data your company processes, the nature of the data, and how you protect that data. When thinking about “data,” this isn’t your production databases, it’s all the copies of that data. Even if your company is small enough that you won’t fall under the California Data Protection act, developing privacy processes and practices is now part of the job descriptions of DBAs and developers.
While GDPR is already in effect, the California Consumer Privacy Act is scheduled to go into effect on January 1, 2020.