December Privacy Happenings

  • Published on Nov 23, 2021

The Newest Business Disrupter

It’s undeniable – we are plugged in.  Digital devices permeate nearly every facet of our lives, and the digital universe continues to expand.  As these devices become more prevalent, larger proportions of our daily lives are stored, managed, and processed online.  A 2019 Pew report indicated roughly 6 in 10 Americans believe it is not possible to go through daily life without having their data collected, and that was before the pandemic forced us to be even more connected to the digital universe.  As a result, it’s not surprising data breaches have become more worrisome and privacy regulations have become more numerous.

Consumers want Control

There is no shortage of large privacy scandals impacting millions worldwide.  Here’s a reminder of just a few:  Equifax, British Airways, Marriott, Cambridge Analytica involving Facebook, LinkedIn, Colonial Pipeline.  The fallout of these scandals, the large fines and the service interruptions, certainly raises eyebrows.  However, it is their impact on reputation, brand and revenue that forces organizations to shift attention to the crucial strategy of privacy.

Data privacy is here to stay, and it’s not just a legal requirement.  Consumers are growing more aware of the value of their personal data and demanding that their data be handled responsibly.  According to USA Today, data privacy is the #1 social issue Americans would like businesses to address.  Privacy regulations enacted around the world are attempts to calm fears and force organizations to be better data stewards.  Even so, 70% of internet users in the UK and US are now more concerned about their online privacy than they were a year ago.  Customers move their business elsewhere for the following reasons:

  • Lack of transparency
  • Breach of personal data
  • The creep factor – too much knowledge about “my world”

Make Data Privacy a Key Business Differentiator

Instead of taking a defensive approach to data privacy that simply meets regulatory requirements, what if organizations turned their privacy practices into their next big differentiator?  Businesses historically have found a competitive edge by targeting the right customers with the right offerings.  If 70% of internet users continue to be concerned about their online privacy, ethical data management must be a huge part of the right offering.

To make trust a differentiator, organizations must take data privacy seriously and weave it into all business practices and employee training.  Organizations must control the data collected, how it is used, with whom it is shared, and for how long it is retained.  Gone are the days of collecting all the data one can and figuring out what to do with it later.  Consumers are well-aware of the value of their personal data.

Compliance doesn’t have to be a headache.  Here’s what to do to make trust a competitive advantage:

  • Establish robust, transparent privacy practices that do more than just comply with legal obligations
  • Appoint a privacy officer but educate everyone to be responsible for data, governance, and consent
  • Secure data against internal and external unauthorized access using industry-recognized frameworks
  • Communicate with customers to support them in controlling their own data privacy
  • Implement simple, understandable consent mechanisms that explain to consumers why, when, how and for how long their data is collected and stored
  • When appropriate, use AI tech, but keep it in check

More than 5 years ago, a Forrester report foreshadowed that privacy and data security would become competitive differentiators.  Some mega companies like Apple were paying attention and put privacy at the top of their agenda, as evidenced by their recently introduced App Tracking Transparency opt-in framework and a privacy policy stating, “Privacy is a fundamental human right . . .  We design Apple products to protect your privacy and give you control over your information.”  Forward-thinking organizations nurture consumer trust by properly managing the “give-to-get” ratio.  Ethical data management is not just good for your customers; it’s critical to your brand, reputation, and bottom line.

2021 in Review:  Privacy Headlines

Data Breaches

Data breaches frequently made the headlines throughout 2021.  Phishing and ransomware proved to be the two most popular tools for bad actors.  Fines and the number of affected individuals were massive, not to mention the service disruption.  The Colonial Pipeline ransomware attack by DarkSide disrupted the petroleum supply chain along much of the East Coast.  Facebook saw 214 million records breached, and Amazon Europe was fined a record-breaking €746 million (roughly $845 million) by Luxembourg’s data protection regulator for misusing customer data for targeted advertising.

What’s especially concerning, according to the Identity Theft Resource Center (ITRC), is that authorities seem to be more resistant to discussing data breaches.  For example, “One state has not posted any data breaches since last September. Withholding important information or failing to post notices on a timely basis may serve to prevent individuals from taking actions to protect their identities.”  In comments prepared for the US Senate Committee on Commerce, Science, and Transportation, James Lee, Chief Operating Officer of the ITRC, indicated that data quantity is no longer the goal of an attack; data quality is.  The move is away from identity theft and towards identity fraud, where thieves monetize the data they steal.

At the same time, the trend is for organizations to take data privacy seriously rather than simply meet regulatory requirements.  Organizations are working to make trust a differentiator and weave it into all business practices and employee training.  Gartner reports that by 2023, companies that earn and maintain digital trust with customers will see 30% more digital commerce profits than their competitors.

US Privacy Laws

Throughout 2021, privacy laws surfaced around the globe.  New regulations were enacted in Canada, Asia-Pacific, Latin America, Europe, and Africa to name a few.  In fact, the IAPP publishes weekly Global News Roundups summarizing global privacy activity.  Some of these newly enacted regulations such as China’s Personal Information Protection Law had very short runways before taking effect.

With so many international regulations and not enough newsletter space available, let’s focus on US 2021 highlights.

  • Although the CPRA was approved by California voters on November 3, 2020, it’s worth including with 2021 highlights as many states introducing regulations throughout the year used it as a blueprint. It’s expected more states will do so during their next legislative sessions.  The CPRA amends the CCPA and will take effect on January 1, 2023.  However, it contains a 12-month lookback provision, meaning organizations must make sure their data collection practices are compliant with the CPRA from January 1, 2022.  This regulation brings California’s comprehensive privacy laws closer to those of the GDPR.  Among other things, it introduces new consumer rights such as the Right to Rectification and the Right to Limit Use and Disclosure of Sensitive Data.  In addition, it creates an agency, California Privacy Protection Agency, to enforce CPRA compliance.
  • The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, and takes effect on January 1, 2023 – the same day as the CPRA. The CDPA is the second US comprehensive data privacy law and mirrors the CPRA in many respects.  However, a few key differences exist, such as requiring consumers to opt in to the collection and use of their sensitive data.  In addition, it requires data protection assessments for any processing activity involving targeted advertising, data sales, profiling, sensitive data, or any processing that may present a heightened “risk of harm”.
  • The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and takes effect July 1, 2023. It’s the third comprehensive data privacy regulation in the US.  Again, this regulation is like California’s and Virginia’s but will take some additional effort to show compliance.  It requires organizations to provide a means for consumers to opt out of the processing of their personal data for purposes of profiling, and it specifically states that consent obtained through dark patterns is not valid opt-in consent.
  • Unlike many other countries around the world, the US does not have a comprehensive federal privacy law. However, during 2021, several senators urged the Federal Trade Commission to use its rulemaking authority to create a “national standard for data privacy and security.”  They stressed these national standards should prohibit exploiting children and teens, include opt-in consent rules for the use of personal information, and provide global opt-out standards. President Biden also nominated Alvaro Bedoya to serve as an FTC commissioner.  Bedoya is the founding director of Georgetown Law’s Center on Privacy and Technology.  Following this nomination, the House Committee on Energy and Commerce voted to appropriate $1 billion over ten years to the FTC to establish and operate a new privacy bureau.  With its rulemaking authority, the FTC may now provide broader privacy and security oversight.

It’s still expected that more than 30 states will introduce some type of privacy bills in their upcoming legislative sessions, so stay tuned for another busy year on the privacy regulations front.

Data Retention atop the Priority List

2021 saw data retention and storage limitation become critical topics for legal, compliance and privacy.  Regulations and litigation associated with over-retention pushed retention to the top of information governance priority lists. Record retention practices and storage limitation are key data processing principles under the GDPR, and new US laws such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) include similar data retention provisions.  Personal data must be stored only as long as needed to achieve the purpose for which it was collected.

Thinking around data retention is shifting away from storing all data forever to a risk-based approach.  For example, in recent litigation based on Illinois’ Biometric Information Privacy Act, it was concluded that simply holding data longer than its specified retention period, even when no breach occurred, was a privacy harm.  In addition to litigation risks, over-retention of data increases operational costs when responding to data subject requests and eDiscovery collections.  Organizations that over-retain data will have to search through masses of unstructured data to fulfill subject access requests, especially once look-back periods take effect.  Consider also the inefficiencies encountered by individuals searching for data just to complete their daily tasks.

The goal of retention and storage limitation principles is to minimize risk to the privacy and security of personal data.  The longer a business retains personal data, the greater the chances for unauthorized or unlawful access, use or disclosure of that data.
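Storage limitation is easiest to enforce when every record carries the purpose it was collected for and the retention clock runs from that purpose rather than from a blanket “keep everything” default.  The following Python is an added example to illustrate that principle; it is not code from this newsletter, from any regulator, or from any product.  The purposes, retention periods and records are constructed for illustration and would be taken from your own records-retention schedule in practice.

```python
"""Purpose-bound retention enforcement over a constructed record store.

Added example: purposes, periods and sample records are assumptions
for illustration, not figures from any statute or real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period keyed by the purpose the data was collected for.
# Assumed durations; set them from your records-retention schedule.
RETENTION_BY_PURPOSE = {
    "order_fulfilment": timedelta(days=7 * 365),   # bookkeeping obligations
    "marketing_consent": timedelta(days=2 * 365),  # consent-based processing
    "support_ticket": timedelta(days=365),
    "web_analytics": timedelta(days=90),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str              # why the data was collected; drives the clock
    collected_at: datetime    # must be timezone-aware
    legal_hold: bool = False  # litigation / eDiscovery hold blocks deletion


def expiry(record: Record):
    """Date after which the record should be deleted, or None when the
    purpose has no retention period (so retention cannot be justified)."""
    if record.collected_at.tzinfo is None:
        raise ValueError(f"{record.record_id}: collected_at must be timezone-aware")
    period = RETENTION_BY_PURPOSE.get(record.purpose)
    if period is None:
        return None
    return record.collected_at + period


def classify(records, now: datetime) -> dict:
    """Sort records into four buckets.

    retain   - still within the period for its purpose
    expire   - past its period and safe to delete
    hold     - past its period but frozen by a legal hold (delete later)
    unmapped - no period defined for the purpose: flag for review rather
               than deleting automatically or keeping silently forever
    """
    buckets = {"retain": [], "expire": [], "hold": [], "unmapped": []}
    for rec in records:
        exp = expiry(rec)
        if exp is None:
            buckets["unmapped"].append(rec.record_id)
        elif now <= exp:
            buckets["retain"].append(rec.record_id)
        elif rec.legal_hold:
            buckets["hold"].append(rec.record_id)
        else:
            buckets["expire"].append(rec.record_id)
    return buckets


def purge(records, now: datetime):
    """Return (surviving_records, deleted_ids). Only the 'expire' bucket is
    removed; holds and unmapped records survive for a human decision."""
    to_delete = set(classify(records, now)["expire"])
    survivors = [r for r in records if r.record_id not in to_delete]
    return survivors, sorted(to_delete)


# Constructed sample data with a fixed "now" so the run is reproducible.
NOW = datetime(2022, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "web_analytics", NOW - timedelta(days=30)),                    # retain
    Record("r2", "web_analytics", NOW - timedelta(days=120)),                   # expire
    Record("r3", "support_ticket", NOW - timedelta(days=400), legal_hold=True), # hold
    Record("r4", "order_fulfilment", NOW - timedelta(days=2000)),               # retain
    Record("r5", "legacy_import", NOW - timedelta(days=10)),                    # unmapped
]


def run_example():
    """Classify the sample store and return the buckets plus deleted ids."""
    buckets = classify(SAMPLE_RECORDS, NOW)
    _, deleted = purge(SAMPLE_RECORDS, NOW)
    return buckets, deleted


if __name__ == "__main__":
    buckets, deleted = run_example()
    for name, ids in buckets.items():
        print(f"{name:9s} {ids}")
    print("deleted:", deleted)
```

Two design choices matter here.  A record whose purpose has no mapped period is never auto-deleted, but it is never silently retained either; it lands in a review bucket, because data you cannot tie to a purpose is exactly the data the storage limitation principle says you should not be holding.  A legal hold suspends deletion without resetting the clock, so the record is deleted as soon as the hold lifts rather than getting a fresh retention period.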

Save the Date

January 28, 2022 – International Data Privacy Day

An international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust.

IAPP Global Privacy Summit 2022 – April 12 – 13, 2022 | Washington, DC

The world’s premier privacy and data protection conference focusing on international topics, policy, and strategy.

Written by: Christina Medis