Data privacy will continue to be a big focus for businesses in 2023. The U.S. states of Virginia, California, Colorado, Connecticut and Utah have already enacted or plan to enact legislation this year. We have also seen positive momentum around federal legislation with the American Data Privacy and Protection Act (ADPPA) and more government and regulatory agencies are getting involved, like with personal financial data rights.
Business-impacting regulations will keep coming and they will not be going away, so security professionals must be prepared, no matter the size of the organization. Company trust is also going to have a more significant impact on customers’ buying decisions. While these major changes can be overwhelming, there are several steps that businesses can take now to help comply with rapidly evolving data privacy regulations and maintain trust with consumers.
Map company data
A good first step is to map company data in order to understand where consumer and employment data lives, how it’s used, who has access to it and potential risks that it might pose. It's important to gain visibility into structured and unstructured data, especially in today’s hybrid work environment. This can include anything from addresses and employee records to emails, photos and videos.
Several U.S. state privacy regulations, including the Virginia Consumer Data Protection Act and the Colorado Privacy Act, and international laws, such as the European Union’s General Data Protection Regulation (GDPR), also require data protection and privacy impact assessments. In a nutshell, assessments are designed to identify and minimize data risks.
Review data privacy policy
Updating an organization’s data privacy policy is critical as well. Typically, a privacy policy is a document that details how a company handles customer, client or employee information. The privacy policy is prominently displayed, often on the company’s website. Because an organization's privacy policy is important to key stakeholders, it’s always best to keep it updated.
All five of the U.S. state regulations that will go into effect in 2023 have consumer notification requirements that could impact a company’s data privacy policy, particularly if it has not been reviewed recently. Similarly, Quebec’s Private Sector Privacy Act contains strict requirements for affected businesses. Up-to-date privacy policies will help organizations conform with new and changing regulations.
One aspect that is often overlooked when updating a privacy policy is that it’s a consumer-friendly business practice. With consumers taking their personal privacy more seriously, reviewing an organization's privacy policy shows that this is also top of mind for the organization. According to Cisco’s 2020 Consumer Privacy Survey, one-third of consumers are “privacy actives,” meaning they have stopped conducting business with an organization due to data privacy concerns.
Children's privacy is another area that is getting more attention. The Children’s Online Privacy Protection Act (COPPA), enforced by the U.S. Federal Trade Commission (FTC), imposes certain requirements on “operators” of websites or other online services that relate to the activities of children under the age of 13. Specifically, under COPPA, these operators must obtain verifiable parental consent before personal information is collected from, used or disclosed about those under 13 years old. It’s important to note that state regulations may include special data privacy requirements for minors, such as the California Age-Appropriate Design Code Act.
Anticipate strict enforcement
Government entities and regulatory bodies are taking a closer look at how organizations handle their data. For example, the California Attorney General’s office announced in August 2022 that well-known retailer Sephora would have to pay $1.2 million in fines due to violations of the California Consumer Privacy Act (CCPA). Sephora failed to disclose that it was selling customers’ personal data, and the company also neglected to process requests from users opting out of the sale of their data. In addition, Sephora did not resolve its CCPA violations within the required 30-day time period.
More recently, in December 2022, the FTC announced that video game maker Epic Games would have to pay $275 million in fines for violating the COPPA — and $245 million for tricking users into making unwanted purchases. The fines for violating the children’s privacy law were reported to be the largest penalty to date for violating one of the FTC’s rules. Outside of the U.S., Ireland's data privacy board determined earlier in 2023 that Facebook and Instagram owner Meta had violated GDPR because of the company’s advertising and data handling practices.
Take action now
No matter where an organization operates, being aware of ever-changing data privacy regulations and how they specifically apply to a business is crucial. And as a business continues to evolve, so should its data privacy practices: entry into a new business market, for instance, could expose an organization to privacy regulations that did not affect it previously. At a time when there’s a growing need to respect data privacy, and enforcement is becoming stricter, understanding the short- and long-term benefits of compliance and heeding the best practices outlined above is imperative.