For startups and small and medium-sized businesses (SMBs), “Move fast and break things” is no longer a viable philosophy for data privacy. Today’s startups and SMBs face the same relentless pressure to innovate, grow, and scale as the Silicon Valley darlings of yesteryear but must contend with a slew of new laws demanding much greater care in how customer data is handled.
The rapidly shifting attitudes and regulations governing data privacy are putting executives in a challenging position. After all, customer data remains an essential asset in doing business, and tasking developers to build and maintain identity management tools is costly and time-consuming and pulls them away from working on your company’s core product.
Data privacy laws have existed in Europe, the Middle East, and Africa for some time, but we’re in the midst of a new wave of global laws, led by the EU and California. Given the threat of massive fines, and the genuine public interest in preventing data mismanagement, startup and SMB executives are having to give data privacy greater consideration than in the past.
In this piece, we’ll offer a primer on current and upcoming data privacy laws and discuss how outsourcing identity management can make you compliant without sacrificing growth.
Catch up to (and get ahead of) the laws
The current data privacy laws differ in their specifics, but they operate from similar sets of principles. The most fundamental shared mandates concern the right of users to access and control their personal data and the obligation of companies to disclose a breach of such data.
To comply with these laws, companies must be transparent in communicating their data practices and offer users the means to control, export, and remove their data.
Looking at the two most prominent laws and the others they have inspired will give executives a sense of where these trends are heading.
General Data Protection Regulation (GDPR)
The EU’s landmark privacy legislation set the standard for the new age of data privacy by emphasizing user consent and calling for transparency and accountability in data collection. The GDPR applies to any company (not just tech) that processes the data of EU residents, regardless of the company’s size or where they are headquartered.
Anyone who doubted the seriousness of this law has been proved wrong by the wave of GDPR fines issued in recent months, prompting one Gabe Morazan, director of product management at CrownPeak to dub 2019 the “year of enforcement.”
While the fines levied against Google and other major corporations have grabbed headlines, smaller companies are far from exempt. TechRepublic reports that in the past year, a Portuguese hospital, a Danish taxi company, and the German social media company Knuddels were all slapped with penalties for failing to adequately protect, delete, or anonymize data. As TechRepublic states: “It does not matter to the European data protection authorities whether violations of the provisions of the GDPR are unintentional mistakes stemming from neglect, laziness, sloppiness, or ignorance.”
California Consumer Privacy Act (CCPA)
California’s privacy law, which takes effect January 1, 2020, has a great deal of policy overlap with the GDPR, though there are also substantive differences. The CCPA applies to companies with customers in California, provided they: - Have a gross revenue above $25 million - Hold data on more than 50,000 consumers - Earn at least half their revenue from selling personal data.
The CCPA allows for personal data to be collected, used, and sold, provided it is sufficiently deidentified. However, much like the GDPR, it requires that companies make their data collection policies available to customers and give them the ability to opt out of certain types of reselling.
CCPA has also undergone several significant amendments that require, among other things, for data brokers to register in California, for businesses to require at least two ways for customers to request information, and a one-year exemption on collecting employee data.
Future (stricter) legislation
More laws are currently on the books or in the works that go much further than CCPA or the GDPR. However, in this environment, it’s easy for founders to be confused about which set of laws to tailor their product to. But generally, it’s a good rule of thumb to build on the principles laid out in the legislation discussed above, while still keeping an eye on the latest developments.
The EU’s ePrivacy Regulation hasn’t passed yet, due to concerns that it’s too strict in prohibiting benign forms of tracking and cookies, but some form of it is likely to pass in the coming months.
In the United States, Maine's privacy law goes into effect in July 2020, and as the National Law Review explains, it “requir[es] broadband internet service providers (ISPs) to obtain a customer’s express, affirmative consent before using their personal information, including browsing history.” Meanwhile, enforcement of Nevada’s Senate Bill 220 became effective on October 1, 2019, and that law may be more aggressive than the CCPA in its requirements for letting consumers opt out of data sales.
Many of these laws have different definitions for crucial concepts, such as what constitutes personally identifiable information and how it should be anonymized. This patchwork of legislation presents a minefield that any company would struggle to navigate. Many observers think Congress is highly likely to pass unifying federal data-privacy legislation in the near future, but until then, whichever state passes the strictest laws effectively forces every company to play by its rules.
Get control of your data
Like it or not, laws like GDPR and CCPA represent a huge paradigm shift in data privacy, and meeting their demands requires an immediate response. Of course, changing how your company handles data is a challenge for any team, and especially for startups and SMBs that are also trying to grow.
That’s why a Wall Street Journal survey found that, even when faced with serious fines and a loss of public trust, only 52% of companies expect to be CCPA-compliant by the January 2020 deadline.
The unpleasant truth is that most companies don’t even have the ability to assess their current data privacy picture. User data is frequently siloed across applications, and companies frequently lack clear protocols for managing permissions.
You can’t tackle your data security until you have a holistic, high-level view of how it’s being accessed, and by whom, so getting this bird’s-eye view is the first step in getting compliant.
The Auth0 dashboard lets you manage all of your users, employees, and third parties, quickly enabling or revoking permissions as needed. This kind of intuitive, de-siloed interface will be critical in order for companies to comply with the legal mandate (shared by the CCPA and the GDPR) that users be able to access, delete, or change their data in a timely fashion.
Once you have an organized look at your users, the best way to minimize your company’s exposure to fines and scandal is to minimize your data’s exposure to breaches. Implementing multi-factor authentication (MFA) can give your company a huge boost in security, not just from cybercriminals using stolen user credentials but also from stolen admin or third-party contractor credentials, which can lead to massive data breaches.
For example, Apple recently announced that any app on its platforms that allows for third-party sign-in options must also include Sign In with Apple. This is considered a privacy-friendly option since Apple doesn’t share information on nearly the same scale as Facebook or many other social login providers.
Auth0 is already integrating it into Universal Login as an out-of-the-box option. This integration is a must for any company that wants access to the App Store, and with Auth0, you can do it by flipping a single toggle.
Shift your philosophy, not just your policy
These laws, and the public outcry that brought them into being, require that companies make data privacy a foundational principle woven into their entire operations. The legislators behind CCPA and GDPR have indicated that they will consider whether companies have acted “in good faith” when issuing fines. Proving good faith starts with aligning your company’s philosophy to the legal demands, and there are some actionable methods to put that into practice.
Changing your company culture around data privacy and security starts with getting internal alignment. Develop employee training that educates your team on how to avoid social engineering attacks, such as phishing, and on the importance of following protocol in protecting data flow.
Embrace transparency in your cybersecurity and data collection policies to avoid appearing underhanded. Failing to explain how and why you’re collecting data leaves you vulnerable to scandal. Email startup Superhuman became the most recent example of this phenomenon. Users learned the company collected location data via tracking pixels, and, despite a public apology, the damage to Superhuman’s credibility has been done. The backlash from this type of scandal can hurt even established companies, but the reputational damage is particularly devastating to startups and SMBs.
It’s hard to shift gears around data privacy overnight, and it’s even harder if you try to do it all yourself. For many startups and SMBs, off-loading identity management onto an IdaaS company like Auth0 is the most cost-effective way to shift your approach. If you’re rapidly scaling, and your team doesn’t have the bandwidth or expertise to address all of these issues, you can reap the benefits of Auth0’s accreditations and integrations without having to worry about constantly updating and maintaining identity to keep pace with the next set of laws — leaving you free to focus on your business processes and the core business driving your need for an identity solution.
"It’s hard to shift gears around #CCPA or #GDPR overnight, and it’s even harder if you try to do it all yourself. How offloading #identity can help."
Compliance doesn’t have to stall growth
Even if your company is under the minimum size for CCPA fines, you should still design your identity solution with growth in mind. You don’t want to lose out on landing a major customer because they aren’t confident your policies are up to their standards.
Conversely, you don’t want to slow your company’s growth by making your developers code for the complex and ever-changing demands of data privacy. For the vast majority of startups, off-loading identity management to experts is the smartest choice to allow you to focus on delivering your product. To learn more about your legal obligations and how our platform can meet your company’s needs, reach out to an Auth0 representative.
"Even if your company is currently under the minimum size for #CCPA fines, why you should still design your identity solution with growth in mind."
The Auth0 Identity Platform, a product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.