GDPR sparked a global shift in how (and when) organizations start thinking about the data they collect, where it’s stored, and how it flows.
The Cultural Shift to Data Privacy
In the wake of the General Data Protection Regulation (GDPR), we’ve seen data privacy laws change in countries like Canada, Australia, and Brazil, along with a patchwork of data privacy laws enacted at the state level in the U.S., where Congress is currently racing towards a federal law before the California Consumer Privacy Act (CCPA) goes live in January of 2020 (enforced July 2020).
Businesses can no longer afford to sit back and hope they aren’t regulated. They need a plan. For many, like our customer Otonomo, identity can play a large role in that plan.
Compliance in action: Otonomo Case Study
Based in Israel, but doing business globally, Otonomo provides an automotive data services platform for over ten auto manufacturers. This enables the manufacturers to securely share data with third-party developers. “It always starts with authentication,” says Itay Flikier, Otonomo engineering team leader.
Otonomo is extremely aware that violating GDPR or CCPA can have severe consequences. “Because we’re dealing with drivers’ personal information, which is very, very, very sensitive, we have to ensure that we have all the right methods in place,” says Otonomo’s VP of engineering Tomer Ranan.
Trimming Otonomo’s development time by 10% and saving $200,000 would have meant nothing if the identity solution wasn’t GDPR-compliant: “We are a privacy-first company. Knowing that Auth0 is GDPR-compliant was a big factor in our decision to expand our partnership. It goes without saying, we feel very secure,” says Flikier.
What is data privacy?
How information is collected, stored, and transferred makes up one part of data privacy. What you collect, when, and why makes up the other. Data privacy isn’t new: many countries, including Germany and the United States, have had privacy laws on the books since the 1970s. But as technology has changed, these laws have had to evolve, and they needed to make it easier for consumers to understand and influence how their data is being used. “GDPR itself was a response to consumer demand for privacy and security, as were European cloud regions to ensure data sovereignty,” explains Auth0 Associate General Counsel Jonathon Keen. Because of the number of countries involved and the combined power of the EU, GDPR is often used as a benchmark for other data privacy laws.
What is data sovereignty?
As seen in the quote above, data privacy and data sovereignty are often discussed in the same breath. Data sovereignty is the set of requirements that organizations and governments place on where data is stored. Whether you prefer deployment on the Public Cloud, Private Cloud, or Managed Private Cloud, Auth0 can accommodate compliance in the USA, Europe (including AWS Frankfurt), Australia, Canada, and Japan. Private Cloud can be supported in other regions (except China).
What is GDPR?
The General Data Protection Regulation (GDPR) came into force in May of 2018. Intended to defend EU citizens’ right to control the data that is gathered about them, the regulation includes the right to be informed, the right to object, and the right to be forgotten.
FINES: GDPR non-compliance can draw hefty fines in two tiers:
First tier: Up to €10 million, or 2% of global annual turnover, whichever is greater
Second tier: Up to €20 million, or 4% of global annual turnover, whichever is greater
STATUS: GDPR, like many European regulations, mandates a certain level of security without explicit guidance on how to implement it. As a result, there is no standardized way of showing terms and conditions, collecting consent, or returning or deleting data when a consumer asks. It will take some time before we fully understand what full GDPR compliance looks like, but as time goes by we will hear more and more about the companies that don’t meet the mark.
IN EFFECT: May 25, 2018
What is CCPA?
Largely billed as California’s GDPR, the California Consumer Privacy Act (CCPA) evolved from a 2018 ballot measure in California. The act includes a provision that companies must stop selling a consumer’s data upon request, at any time.
APPLIES TO: Any business with “ties” to California via employees, consumers, or sales that meets any of these three thresholds:
Annual gross revenues above $25M
Holds personal information (PI) on 50,000 or more consumers, households, or devices
Derives more than half of its annual revenue from selling consumers’ PI (NOTE: “consumer” is loosely defined; see below)
FINES: Fines of up to $7,500 per intentional violation and up to $2,500 per unintentional violation can be levied after a breach, and breached companies are also open to civil lawsuits seeking $100 to $750 per California resident and incident, or actual damages, whichever is greater. For example, in a breach where up to 500 million people were exposed, if a fifth of those were Californians, the breached company could be out $750 million or more.
STATUS: Rather than allow the ballot measure to go into effect as-is, legislators scrambled to pass the act within two weeks, which left ambiguities in the act’s language that are still being worked out. These include the definition of “consumer,” which currently covers employees and vendors and potentially B2B business contacts, and the length of time needed to assess damages. The law applies broadly to any business with “ties” to the state, including sales.
IN EFFECT: Jan. 1, 2020; enforced July 1, 2020. BUT the law applies to the 12 preceding months of data, so your 2019 data needs to be in order.
Data privacy is rapidly evolving
Our customers now ask data privacy questions at the start of a project instead of later on. Why? Because companies that have thought through data privacy end up with a stronger infrastructure and can market themselves to consumers as more secure.
In a few years, it’s going to be exceedingly difficult to do business anywhere in the world without encountering data privacy laws. Although New York State’s extremely tough data privacy law failed, India, UAE, and China all have GDPR-like laws in the works.
How Auth0 can help with data privacy
Our goal is to help you achieve your privacy goals without sacrificing innovation. While you will ultimately be responsible for achieving compliance with any of the privacy regulations and guidelines, Auth0 is a flexible tool that can form an integral part of your privacy strategy. For example, our standards-based platform can take on much of the heavy lifting: it includes security options like MFA and Anomaly Detection, as well as customization options that make changes and implementations easier and quicker. Auth0 deployment options allow for data sovereignty; customized consent options are available for the login screen to maintain a great user experience; and we provide easy database migration options that don’t require password resets. For more information on how Auth0 can help you with privacy, see the resources at the bottom of our GDPR page.
We know this can seem like a complicated space. An Auth0 resource can help talk you through how streamlining identity can help you move towards data privacy compliance.
Please also check our blog for relevant data privacy updates.