By Jodi Daniels
Before 2018, privacy in the US—despite GDPR looming closer from across the ocean—remained a low priority compared to other seemingly more pressing cybersecurity issues. To say that privacy took a leap forward in 2018 is an understatement, and it’s now become a part of the national conversation.
Why? For the millions of businesses that process data on EU residents, GDPR became the biggest buzzword of the year. Getting ready for its effective date on May 25, 2018 was no small feat for companies and began a new era in privacy regulation. Preceding GDPR’s effective date, a data scandal between Facebook and Cambridge Analytica broke out exposing the sheer volume of data digital platforms can collect, the trail that data can travel, and the power of a social network. Not long afterward, the State of California passed the California Consumer Privacy Act (CCPA), a single state’s most comprehensive privacy law to date. Data breaches that heavily affected consumer data privacy continued to make the news and, with the increased rise of technology, a growing pressure from both regulators and customers for greater data transparency and data ethics standards placed privacy at the forefront of many legislative and regulatory discussions.
Let’s look back at the top five privacy themes of 2018 and how these themes will impact companies in 2019.
To many businesses, May 25, 2018 was THE biggest privacy day of the year as the EU’s new privacy law, the General Data Protection Regulation (GDPR), came into full effect. There were countdown clocks, emails flooding inboxes, cookie notices galore, and even a mad scramble to sign DPA agreements. 2018 was all about getting companies compliant with GDPR.
Many companies marched toward this date as if, once it arrived, their GDPR obligations would be complete. To privacy professionals, the initial GDPR compliance steps are considered the foundation and beginning of the GDPR journey. If your company pushed off GDPR compliance because you thought it didn’t apply to you or it was not a priority, now is the time to realize you probably cannot ignore it any longer. 2019 will likely be the start of your compliance planning.
For those that have their GDPR compliance foundation, 2019 will be the year of making GDPR sustainable and including it into company operations. Companies can take three steps to begin this process:
Just after companies and privacy professionals thought they had a little break, California passed the California Consumer Privacy Act (CCPA) in June 2018. With its effective date arriving January 1, 2020, companies will need to spend the better part of 2019 preparing. For companies that complied with GDPR, much of that work will serve as a great baseline. However, differences exist between GDPR and the CCPA, so work will remain.
For any company that thought it escaped GDPR because GDPR was not in scope (i.e. it did not process any data on EU residents), it may need to comply with the CCPA. Companies will need to consider if they will adopt measures only for California residents or for all users. Customers residing anywhere may expect the same rights as a California resident. If a non-California customer makes a request and it is not honored, that customer may take their disappointment and frustration to the Attorney General, who could impose fines. The customer may also share their disappointing experience in a public setting like social media, which can negatively impact the brand’s image. Companies will need to factor in brand reputation management as it creates policies and procedures for managing privacy requests. As such, companies may find it best to adopt CCPA companywide.
Companies impacted by the CCPA should start with these three steps to comply in 2019:
While other states are looking at state privacy laws similar to CCPA, many of the big tech companies like Apple, Intel, Google, and more than 200 others support and encourage a national privacy law to avoid a 50-state patchwork privacy system. In December 2018, the Data Care Act was introduced by several Democratic senators, and the Center for Democracy and Technology introduced their draft position on a national privacy law. 2019 will certainly include a heated debate on a US national privacy law. However, a national privacy law is complex with questions of what to do with existing privacy laws such as HIPAA, GLBA, CANSPAM, TCPA, and the bills states could still pass. Companies will need to stay tuned into all these developments so that they plan to comply with all US privacy requirements. At this time, it is difficult to predict which will move faster—the states or a federal privacy law.
3. Facebook–Cambridge Analytica Data Scandal
The Facebook—Cambridge Analytica data scandal broke out in March 2018, revealing that more than 80 million Facebook profiles were harvested by Cambridge Analytica. That political consulting firm then created psychographic profiles and distributed pro-Donald Trump and pro-Ted Cruz material to target specific users. This scandal exposed the power of Facebook’s data and platform to the public, negatively impacting the level of trust that customers expect from Facebook. It also exposed all companies that sell and manipulate data based on people’s online actions. The basis for GDPR and CCPA is to grant the individual control over their digital footprint and provide transparency about what data is collected, used, shared, and stored by a company. The impetus for passing CCPA came on the heels of the Facebook–Cambridge Analytica data scandal.
In 2019, expect more investigation into Facebook and its data practices as well as higher scrutiny into other companies selling personal data. States are increasingly more interested in what companies are doing with data they process, share, and sell. For example, in May 2018 Vermont passed into law the “Data Broker Law” which requires Data Brokers (among other requirements) to provide an annual registration statement that outlines their data collection, use, and opt out practices.
4. More Severe Data Breaches
As of the time of writing this article, the most recent breach in 2018 was the Marriott and Starwood breach that affected more than 500 million guests. The hackers had been in the company’s systems for more than four years. The Marriott/Starwood breach is just the latest in a series of severe 2018 breaches that show no sign of letting up in 2019.
According to Gemalto, 945 data breaches leading to 4.5 billion data records compromised worldwide occurred in the first half of 2018. Other significant name brand breaches included UnderArmour in May 2018 with 150 million records breached, and the Sacramento Bee with 19.5 million breached records announced in June 2018.
In 2019, we will see more data breach announcements due to new requirements under GDPR that require companies to report data breaches within 72 hours. And with the CCPA’s impending security requirements, companies should ensure that they have the latest industry standard security measures in place, follow policies and procedures, and conduct incident and breach simulation exercises.
5. Data Ethics and Transparency
Along with the privacy concerns raised by the Facebook–Cambridge Analytica data scandal, we also saw an incident with Fitbit’s sharing the location of secret military personnel as reported in January 2018. This incident identified the need for privacy by design and the recognition that always collecting location information in data-centric devices can have implications that need careful consideration at the outset of product design. With the increase in connected cars, internet of things, smart home devices, predictive analytics, and artificial intelligence, companies must consider legal requirements related to privacy. Sometimes, no law exists covering a particular collection or use of data. In this situation, companies must balance benefit with customer expectation and company values.
Identifying what data to collect and how it’s used needs thorough discussion during a company’s planning stages. Data collection and its use in these connected devices also raises the concept of data ethics which, in 2019, will become even more important for companies to consider. With continuing massive data breaches and more awareness around the increased reporting of companies selling, sharing, and leveraging personal data for profit, customers are demanding better data transparency. A core tenet under GDPR and CCPA that companies need to address is to inform individuals how data is collected, used, stored, and shared—and what choices the individual has over that information.
In 2018, privacy became a top buzzword for good reason. In our global economy, GDPR affected businesses around the world. Data breaches continued to make headlines and data scandals like the Facebook–Cambridge Analytica scandal exposed how personal data is collected and used online in the inner workings of companies. This led to the passing of the strictest privacy law in the United States, the CCPA.
Companies in 2019 should operationalize GDPR and begin taking action for CCPA compliance. The importance of a strong security program and data breach preparation should remain a priority. Incorporating thoughtful discussion about privacy risks is also a must when working with technologies like AI, connected devices, and advanced data analytics.
Further, in 2019, we can expect privacy to remain a front and center buzzword with increased state regulation, fine announcements under GDPR, and greater expectations for companies to adopt GDPR. Companies will also be significantly affected by the updated ePrivacy Regulation (the EU marketing law that will replace the current ePrivacy directive) that will put this regulation in greater alignment with GDPR.
Stay tuned for deeper dives into these and other privacy topics in 2019. If you have a thought on what you want to hear about privacy, reach out to email@example.com. Jodi Daniels is Founder of Red Clover Advisors, a data privacy consultancy that assists companies with GDPR compliance, operationalizing privacy, digital governance and online data strategy. www.redcloveradvisors.com or Jodi@redcloveradvisors.com