It has been an exciting few years for privacy. The passing and enforcement of new laws (such as CCPA and GDPR) and modifications made to others have caused a flurry of activity across organizations of all sizes. Decisions have been made about how to meet the laws’ requirements by changing procedures and policies. Now it is time to move forward, not dwell on what has happened in the recent past.
Customer reaction is coming
There has been an increased focus on data subjects’ rights in recent legislation, a trend I expect to continue and become further amplified. For an organization operating in multiple jurisdictions, decisions needed to be made regarding how to apply these rights to the customer base.
For example, under CCPA consumers have the right to opt out of the selling of their personal information. Organizations needed to decide if this right should only apply to California consumers or to their entire customer base. On the one hand, operationalizing the processes for the entire customer base is easier than determining if a consumer is covered by CCPA. On the other, there are revenue implications to consider.
There is also consumer reaction to be acknowledged. If you provide a data subject right to one portion of your customer base, what will be the reaction of the remainder of that population? As one of my neighbors exclaimed, “You mean if I lived in California I could stop the sale of my personal information, but since I live in Florida I have no rights!”
Privacy has become more than a compliance concern. It is a tool to differentiate your business from your competitors. By evaluating customer reaction to your implementation of data subjects’ rights, for example, the privacy program can be a differentiator for your organization and impact future revenues.
New laws and regulations are coming
As we have seen, privacy laws and regulations are continuously evolving. One way this happens is the creation of new laws and regulations. In 2019 we saw new laws introduced in several countries as well as in more local jurisdictions such as US states. Some of these are ultimately rejected by legislative or other rule-making bodies, but just as many are enacted.
Privacy Professionals recognize the need to monitor the regulatory and legal landscape of the jurisdictions where their organizations operate. We also need to monitor other, privacy-leading jurisdictions to see how the events in those areas may eventually impact our organizations.
For example, the data subjects’ rights requirements under GDPR may be viewed as a precursor to similar requirements found in CCPA. CCPA is being used in other US states as a template for laws which they may enact. New York State’s defeated law, for example, looked very similar to CCPA, but added the requirement for a business to become a data fiduciary. Is this something we should be watching, and potentially preparing for, in the event it appears in other jurisdictions’ legislation?
New rulings and fines are coming
Another sign of privacy evolution comes in the form of interpretations of existing regulations and laws, often with associated fines or other penalties. CCPA is only a few days old. Once the California Attorney General receives complaints, reviews situations, and takes action, we will see how the law is being interpreted and applied. GDPR has been enforced for over 1 1/2 years with some notable actions taken and more visible on the horizon.
Privacy Professionals need to stay abreast of these interpretations to determine if their program properly interpreted the evolving requirements or if some adjustment is needed.
What should a privacy professional do?
It is always fun and appropriate to look back to see what we, as a privacy industry, have accomplished. Our responsibility to our organizations, however, is to look forward to anticipate the evolution of privacy requirements.
In addition to monitoring the legal and regulatory environment, we must also monitor the evolution of our organization to see if a change in business operations or technology changes the requirements we must comply with.