Data privacy update Q3 2021
In our latest update of the data privacy landscape, we look at legislative developments in Virginia, Colorado, New York, and China, and we offer insights on current trends affecting how businesses approach data privacy readiness and governance.
New and noteworthy
Virginia has become the second U.S. state (after California) to enact a broad, multiple-rights data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The legislation requires opt-in consent before processing “sensitive data,” which includes personal data collected from a child the business knows is under 13. VCDPA also provides a right to opt out of the processing of personal data for targeted advertising. Civil penalties run up to $7,500 per violation.
The recently enacted Colorado Privacy Act (CPA) requires consent for the processing of sensitive data and defines consent as a clear, affirmative act that is “freely given, specific, informed, and unambiguous.” The CPA also provides a right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling, and requires controllers to honor a user-selected universal opt-out mechanism, so a consumer can opt out once rather than site by site. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, with penalties of up to $20,000 per violation, or up to $50,000 per violation committed against an elderly person.
The New York state legislature has reintroduced the New York Privacy Act (NYPA) and introduced the New York Digital Fairness Act, both of which bear several similarities to the CCPA and CPRA. If enacted, New York would become the first state in the United States in which consent requires a full affirmative opt-in. NYPA would also hold data controllers to a fiduciary duty standard in their data processing activities.
On the global scene, China’s top legislative body has passed the Personal Information Protection Law (PIPL), which takes effect November 1, 2021. The sweeping law is being compared to the GDPR, particularly in the areas of data minimization and user consent, but is expected to be more strictly enforced. Fines for serious violations run up to RMB 50 million (about $7.7 million) or 5 percent of the previous year’s revenue.
Increased scrutiny of monitoring and manipulation of personal data
In the early years of data privacy legislation, most of the violations that drew major fines were connected with data breaches—think British Airways and Marriott. Today we’re seeing greater interest in curbing the monitoring and manipulation of personal data. Amazon, for example, is facing a GDPR fine of $883 million, more than double the amount of every other GDPR fine combined, on the finding that its targeted advertising system does not rest on “free consent” from users.
Here in the United States, California’s CPRA addresses two categories of digital practice:
• Monitoring: Essentially allowing users to say “don’t use my sensitive personal information” (which includes precise geolocation), “don’t track me from device to device,” and “don’t track me across unrelated businesses”
• Manipulating: “Don’t use ‘dark patterns,’” meaning digital interfaces designed to subvert or impair a user’s choice. This addresses the social media practice of creating and reinforcing filter bubbles, and businesses “nudging” people in directions that benefit the business.
California’s Office of the Attorney General has clarified that collection of personal information by a third-party cookie provider may constitute a “sale” and therefore falls under CCPA/CPRA’s “Do Not Sell” requirement. The AG also requires CCPA-covered businesses to honor Global Privacy Control (GPC) as a do-not-sell request. GPC is an initiative by a group of publishers, privacy advocacy organizations, and tech companies to simplify users’ opt-out requests: the user sets the preference once, and the browser sends it on every request as the Sec-GPC: 1 HTTP header (and exposes it to page scripts as navigator.globalPrivacyControl). The signal is currently offered by several browsers and extensions, including Brave, DuckDuckGo, Disconnect, and Privacy Badger.
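Honoring GPC is a server-side decision: the request either carries a valid signal or it does not, and the business must treat a valid signal as a do-not-sell request regardless of what it has on file. The following is an added example (not code from the page’s authors or from the GPC project) of that check in Python. It follows the GPC specification on two points: the header is Sec-GPC and only the exact value "1" is a valid opt-out, and a site may publish that it honors the signal at /.well-known/gpc.json. The stored-consent record layout ("sell"/"share" keys) and the sample requests are this example’s own assumptions.

```python
"""Treat the Global Privacy Control (GPC) signal as a "Do Not Sell" request.

Added example; not code from the article's authors or the GPC project.
Per the GPC spec the browser sends  Sec-GPC: 1  and exposes the same
preference to scripts as navigator.globalPrivacyControl. Only the exact
value "1" is a valid opt-out; absent, "0", "true" or "yes" is no signal.
Because the name is Sec-prefixed, page scripts cannot set or forge it,
but any non-browser client can, so treat it as a stated preference, not
as proof of anything about the sender.
"""
import json

HEADER = "sec-gpc"


def gpc_opt_out(headers):
    """Return True iff the request carries a valid GPC opt-out signal.

    `headers` is any mapping of header name -> value. Names are compared
    case-insensitively because HTTP header names are case-insensitive.
    """
    for name, value in headers.items():
        if name.lower() == HEADER:
            return value.strip() == "1"
    return False


def effective_consent(headers, stored_consent):
    """Combine the GPC signal with the consumer's stored preferences.

    stored_consent is {"sell": bool, "share": bool} (assumed layout for
    this example). A valid GPC signal overrides a stored "yes" for sale
    and cross-context sharing but never re-enables either, so the result
    is always the more restrictive of the two sources.
    """
    result = dict(stored_consent)
    if gpc_opt_out(headers):
        result["sell"] = False
        result["share"] = False
        result["source"] = "gpc"
    else:
        result["source"] = "stored"
    return result


def gpc_well_known(last_update):
    """Body for /.well-known/gpc.json, which the GPC spec defines so a site
    can publish that it honors the signal. last_update is an ISO date."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample request headers (not captured traffic).
SAMPLES = {
    "browser_with_gpc": {"Host": "shop.example", "Sec-GPC": "1"},
    "lowercase_name":   {"host": "shop.example", "sec-gpc": "1"},
    "explicit_zero":    {"Host": "shop.example", "Sec-GPC": "0"},
    "bogus_value":      {"Host": "shop.example", "Sec-GPC": "true"},
    "no_signal":        {"Host": "shop.example"},
}

if __name__ == "__main__":
    stored = {"sell": True, "share": True}
    for label, hdrs in SAMPLES.items():
        print(f"{label:17} gpc={gpc_opt_out(hdrs)!s:5} -> "
              f"{effective_consent(hdrs, stored)}")
    print(gpc_well_known("2021-09-30"))
```

The important design choice is that the signal only ever narrows permissions: a request without Sec-GPC falls back to whatever the consumer recorded, and a request with it cannot be used to infer that the consumer now consents to anything. In a real deployment the same check belongs wherever the sale or sharing decision is actually made (tag manager, ad pipeline, data-export job), not only on the web front end.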
Increased focus on children’s data privacy
UNICEF reports that one in three Internet users around the world is a child and warns that “too little is done … to safeguard the trail of information their online activities create.” Regulatory bodies are taking heed and acting to curb the monitoring and manipulation of children’s personal data. France’s CNIL has launched a toolkit for the Digital Rights of Children, and the UK’s Age Appropriate Design Code (AADC), which aims to create a safe online space for children to learn, explore, and play, is at the forefront of data privacy legislation. Members of the U.S. Congress have sent inquiries to U.S. companies about their intentions to comply with the UK AADC and whether they intend to extend those changes to users in the U.S. Also in the United States, Virginia’s new data privacy law (see above) includes special provisions for data collected from children under 13, and other states are showing interest in applying similar standards.
Rather than taking a regulation-by-regulation approach (more on this below), businesses would do well to begin operationalizing protection of children’s data as part of their ongoing data privacy program.
Shifting focus towards trust and data ethics
Some companies continue to take a state-by-state approach to data privacy readiness, adding an addendum to their policies with each new regulation. When we work with clients, we advise them to aim for the “high water mark”—to align with the strictest law that applies to them in a way that also covers other, less stringent regulations. By doing so, they have an opportunity to increase consumer trust while also making the task of operationalizing data privacy in a shifting regulatory landscape less burdensome.
Shifting the focus towards trust and ethics also supports efforts to gain executive buy-in. In some organizations, data privacy champions are encountering challenges gaining buy-in from executive leadership for a data privacy investment plan. When leadership pushes back with the question “Didn’t we address this last year?” champions have the opportunity to clarify the nature of data privacy as a constant that will continue to evolve and impact the business world. When leaders are presented with a clear vision for adapting to this evolving environment, we find they are more likely to buy into the proposed data privacy plan and to lead from the top down. With nine out of 10 Americans considering the privacy of their personal data as a human right, this is the wise business course.
How mature is your data privacy program?
A data privacy program that has been in place for several years has not necessarily reached maturity in terms of readiness for the evolving demands of today’s environment. When we work with clients to assess the maturity of their data privacy programs, we evaluate their people, processes, and technologies to arrive at a maturity score between 1 and 5, with the upper levels defined as follows:
3: Privacy ready; major regulatory changes require a new engagement to restore readiness
4: Established privacy practices and tools supporting scalable and sustainable readiness
5: Industry leaders and innovators, remaining ready and using latest technologies
If your data privacy program has been in place for a few years, this might be a good time to assess your program’s maturity and put together an action plan for reaching the next level.
If you have any questions about what’s going on in the world of data privacy and how your business should respond, feel free to reach out to us.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy—particularly GDPR, CCPA, CPRA, and other data laws. She has spoken at events sponsored by American Banker, International In-House Counsel Journal, the American Bar Association, TDWI, and other organizations. She also serves on the advisory board of the Association for Data and Cyber Governance.
Evan Alkhas is a Strategy Manager at Logic20/20 with extensive knowledge in strategic development, operating models, business process optimization, and new product innovation.