Confusing Compliance: Risks of International Data Non-Compliance
By Eliza Schuh
February 3, 2021
As the world globalizes and digitizes, more and more companies are finding that they have customers in different countries and states, which presents the unique problem of satisfying the laws of each customer’s place of residence when setting up sign-on pages for your website. Compliance laws are often vastly different from one another and difficult to find accurate information on. For example, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the world’s strictest data privacy laws, and both require compliance if even a single one of your customers resides in the EU or California. Since non-compliance can come with hefty fines, outsourcing your log-in page may ultimately be a safer and less costly option.
The European Union’s General Data Protection Regulation (GDPR) is currently the most comprehensive data protection law in the world. Enacted in 2018, the GDPR, among other things, requires encryption of personal data, accurate record keeping of data protection policies and of the data itself, and notification of authorities regarding breaches. While the law never explicitly covers password policy, passwords still fall under GDPR Article 32(1): “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” which in practice points toward complex password requirements or the use of multi-factor authentication. Therefore, a specific GDPR-compliant password policy is both poorly defined and necessary to avoid scrutiny, making it incredibly confusing territory to navigate.
The United States, by contrast, does not have a federal-level law governing data protection, much less one specifically concerning sign-on pages. However, many states do have data protection laws, meaning even companies that operate only within the United States may encounter disparities in compliance law and often must hire expensive third-party companies to navigate compliance. For example, in Vermont, data brokers must register with the Secretary of State and make their own information (such as their name and internet address) available to the consumer, but in the other forty-nine states this is not required. humanID makes this easy because it does not save any personally identifying information, so it is easily made compliant with any data privacy law.
The most comprehensive of the American state laws is the California Consumer Privacy Act (CCPA), which was passed in 2018 but only came into effect on January 1st, 2020. It similarly mandates that companies “implement and maintain reasonable security procedures”, but it is not entirely clear what that means. However, the California Attorney General’s office provided a rough outline of what it considered good data protection policy in its 2016 Data Breach Report. The CCPA stipulates the kinds of “identifiable information” it aims to protect, including biometric information, postal addresses, education information, online identifiers (like usernames) and other identifiable information often included in login criteria or security questions. Companies either have to protect this information or avoid collecting it altogether.
Hence, the use of single sign-on logins (SSOs) is often the easiest way to be compliant, because your company can request only the user data it needs. Currently, the most common SSOs are those of Facebook, Google, and LinkedIn. However, Facebook plainly states that its login does not include any GDPR adjustments. Despite curating a tool (Limited Data Use) to help advertisers with CCPA compliance, Facebook does not seem to have put out a statement concerning whether it has developed any adjustments for the California law. Under both laws, this places all compliance responsibility on the company that employs the SSO rather than on the SSO provider itself.
As of now, Facebook and other social logins can meet compliance requirements if your company maintains cookie and privacy policies as well as an easily accessible explanation of, and request for consent to, the third party’s use of user data. humanID, in addition to not storing any data, does not supply your company with any personally identifying information due to its privacy-centric design, making it inherently easier to be GDPR compliant. Combined with a consent request, single sign-on logins generate less data and therefore raise fewer compliance issues when implemented correctly. With all the complications GDPR poses, one might be tempted to go back to paper, at least for office sign-ins. But sign-in books are difficult to make GDPR compliant. They are usually not encrypted, and GDPR stipulates that personal data must be eliminated as soon as possible. So even for simple office sign-ins, a secure and adequately implemented single sign-on may well be the easiest route to compliance.
Violations of these compliance laws can be expensive. GDPR violations are two-tiered. Less severe violations are subject, under Art. 83(4) GDPR, to a fine of “up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher,” while more severe violations earn, under Art. 83(5) GDPR, a penalty of “up to 20 million euros, or in the case of an undertaking, up to 4% of their total global turnover of the preceding fiscal year, whichever is higher.” The most expensive noncompliance fine was given to Google, at 50 million euros, almost a quarter of the 220 million euros in fines that have been issued in total. The CCPA issues fines per violation, starting at $100 per person with a maximum fine of $7,500 per violation. It may sound small, but it could easily add up to millions of dollars in fines.
In a globalized economy, compliance under different laws can be incredibly confusing and costly. Frankly, it is incredibly difficult to find accurate and certain information on how best to implement compliant privacy protections, but also incredibly risky to implement them incorrectly. Log-in pages in particular are niche, and their compliance implications are much less well documented than those of marketing, so outsourcing the risk to an external company like humanID that focuses on data privacy and sign-on compliance may ultimately be less costly.