Data privacy has become increasingly important in software development. Between consumer rights and data breaches, managing customer information appropriately is essential to business success. Ignoring data privacy laws can cost your business money, time, reputation, and more. Software development teams need to be aware of current data privacy laws and ensure that the software applications they are building consider these regulatory requirements. Further, they should be architecting their software solutions in a manner that provides flexibility for future regulatory mandates.
The Current State of Data Privacy Laws in the United States
Currently, there is a patchwork of data privacy legislation in the country due to the absence of federal level data privacy laws. While this may change soon states are currently left struggling to put together their own legislative frameworks. While state laws can be protective, it’s confusing and challenging for companies doing business nationally to comply with multiple variations of the same regulations. Things get even more complicated when conducting business internationally.
In the U.S., California passed the California Consumer Privacy Act (CCPA) in 2018 followed quickly by the California Privacy Rights Act (CPRA), which further reinforces the CCPA. California’s data privacy laws were modeled after the GDPR (General Data Protection Regulation) adopted by the European Union.
As California was the first state to implement meaningful data privacy laws, many other states are creating their own data privacy laws in the image of the CCPA/CPRA. Not only are states following after California, but so are federal lawmakers. While things are currently in a state of flux, one thing is certain: software development teams should take note. State laws for data privacy are proliferating and federal regulations are fast approaching.
What Privacy Rights Does a Consumer Have?
The state of California has established some guidelines and best practices that businesses should follow to protect and use customer data safely and ethically. In their laws, the state defines the major data privacy rights that consumers may exercise freely:
- The right to delete or correct inaccurate personal information
- The right to know what personal information the business is collecting about them
- The right to access their personal information and/or know whether the business is using it
- The right to know what personal information the business is selling and to whom
- The right to opt out of the sale or sharing of their personal information
- The right to limit the business’s use of their sensitive personal information
- The right to not be subject to retaliation for exercising their rights
These laws, which will likely form the basis of federal data privacy laws in the months and years ahead, establish that the consumer owns all the rights to their personal data. Businesses must comply with data privacy laws and do exactly as the consumer asks them to do with that information.
Software Data Privacy Principles
As a developer, you may be wondering how or what you need to do to keep stay compliant with data privacy practices. Here are some of the important steps that companies need to adopt in their journey toward data security and compliance.
Store Customer Data Securely & Leverage Prudent Protocols
In the past, organizations weren’t held responsible for the loss of customer information, only those who stole it. However, that has changed in recent years and businesses are liable if they lack measures to properly protect consumer data. That said, current data security laws tend to use vague language and do not detail specific security methods for developers to follow. Instead, the laws typically suggest “best practice” and “reasonable” security measures. Because software security is ever-evolving, any detailed law would need constant revision.
While prescriptive edicts don’t exist, there are several ways to help improve your software application data security. These include integrating proper data-mapping techniques into software systems to ensure organizations are fully aware of all the data they collect, where it is stored and how it flows through the business. When building software, developers should work with their business counterparts to minimize the data collected in the software application to only what’s necessary. For further protection, all data should be stored securely and optimally be encrypted at rest.
In addition, adopting proper DevOps hygiene (such as automation and continuous monitoring for possible data breaches or malware) can help improve code security. As is establishing two-factor authentication in software applications. These can be paired with additional measure such as: training employees in data security, performing formal risk assessments and keeping data access as limited as possible.
Once these practices are in play, not only will the business be better protected from stolen data, it will also be better positioned should it come under compliance scrutiny.
One guiding principle in data privacy laws is data transparency. Data transparency means that your business makes it clear what data you collect from the consumer and how you use it. Honoring the rights of the consumer and allowing them to know that their data is safe and accessible is the key to data privacy in software development.
- What do you collect? Do you collect personally identifiable data like name and contact information? Behavioral data? Payment data? You must disclose all the personal data you collect on the consumer whether or not they explicitly ask for it.
- How do you collect it? Explain how you obtain consumers’ personal data. Do you rely on form fills on your own website? Use data from social platforms? Use third-party cookies?
- How do you use it? Explicitly detail what you do with the personal data collected from the consumer. Is it only for functional or transactional purposes on your website or application, or do you use it for marketing? Do you share that data with other companies?
Allow Consumers to Exercise Their Right to Data Portability
Hand in hand with data transparency is data portability. In data privacy laws, the consumer typically has the right to all their personal data, meaning that they can instruct your business on what they want to know, how they want that used, or if they want it used at all.
Having processes and policies in place to handle these requests will allow you to respond to these requests quickly and efficiently and help prove your compliance with data privacy laws. Here are the most common data portability requests:
- “Tell me what you have on me.” If the consumer explicitly asks for all the information you have collected on them, you as the business must be able to provide this information.
- “Give me access to my data.” If the consumer requests that the business give them all the personal data you have collected on them, you must be able to do so.
- “Delete my data from your systems.” If the consumer asks you to delete all the personal data you have in your database on them, you must comply.
Developers should be mindful of how they will fulfill data subject access requests (DSAR) made by consumers when developing software applications.
Preparing for the Consequences of Noncompliance with Data Privacy Laws
To keep your business in compliance with new data privacy laws, it’s important to prepare for what is in effect today and what could potentially come tomorrow. The consequences for non-compliance and negligence are severe.
For example, if a business operating in California releases personal consumer data, the business can face statutory damages of $100–$750 per incident. (An incident here is defined as one piece of data, so the costs here can certainly add up quickly for companies with a large customer base.) Being prepared means taking the appropriate precautionary measures to reduce the chances that a data breach happens in the first place.
But what will you do if a data breach does occur? In the event of a crisis, companies should have prepared an incident response plan. An incident response plan details how an organization will handle security events should they occur, including helping employees understand the role that they will play in investigating the security incident and who they should be working with. Knowing that you have a plan for dealing with a security breach and how to organize a response can help you be prepared when you are thrown a curveball.
Why Data Privacy Should Matter to Software Developers
Being transparent in how you collect consumers’ personal data and what you do with it not only helps you comply with data privacy laws, but it also establishes trust with your customers. A good way to start is to understand what customers want in terms of data privacy, including transparency, security, and portability, along with clear communication and a solid understanding of their rights. Software development teams should be considering these business needs when developing software applications.
Both customers and businesses benefit from awareness of data privacy laws and the rights of the consumer. Building software solutions with the flexibility to adapt and respond to the shifting tides of data privacy legislation will help better position your company for success.
Disclaimer: This blog post is a high-level overview on data privacy law as it relates to software development. This is not a legal advisory, only a summary of current events in data privacy legislation aimed in increasing awareness of software development.