Highlights:
- Next year the U.S. will see five new state privacy laws, and privacy leaders believe other states and jurisdictions will soon follow suit.
- Enforcement at the state level may feel clumsy at first due to a lack of bandwidth and subject matter expertise.
- We might see some creative approaches to legal action related to privacy, which leaders should look out for.
- There are a number of ethical concerns related to data privacy to be considered.
- Don’t be an outlier in your industry — benchmark with leaders at similar enterprises.
The evolving privacy landscape
It’s clear the data privacy landscape is experiencing considerable growth and evolution. Moving into 2023, the U.S. will see the implementation of five new state privacy laws, and this momentum is expected to continue.
By the end of 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations. Those expanded regulations will certainly require many enterprises to ramp up their privacy efforts if they want to avoid hefty fines and reputational risks.
With so much growth, many are asking what the future of privacy and data protection holds.
During a panel discussion on upcoming privacy regulations hosted by the Data Privacy Board, three industry leaders shared their insights and predictions for what’s on the horizon.
Things might become more difficult before they get easier
In the absence of a comprehensive federal privacy law, individual states have taken action, and this patchwork of regulations has created challenges for enterprise privacy professionals.
Unfortunately, Mike Hintze, Partner at Hintze Law PLLC, said he expects some of this complexity to continue: “I think it’s going to get more complicated before it gets easier.”
Looking ahead, Mike said he expects the trend of new privacy laws to continue as more states follow California, Colorado, and others. He also anticipates a trajectory toward stricter regulations on how companies collect and utilize data.
“Hostility toward tech and big business is no longer a privacy issue,” Mike added.
When it comes to the enforcement of these regulations, Harriet Pearson, Senior Counsel at Hogan Lovells, said she’s also anticipating some complications. She said state regulators are still “feeling their way,” and initial enforcement attempts might feel clumsy.
This is due in part to a lack of staffing, critical subject matter expertise, and deep privacy experience. Frankly, Harriet said states have limited bandwidth and incentives to take nuanced positions when it comes to determining if an enterprise was compliant and acting in good faith.
“The consideration here as to what’s practical and how compliance can look in an organization that is reasonably putting in the effort to put a compliance program in place and evolve it. That level of nuance is going to be hard to find,” she said.
Watch for creativity in legal action
Audrey Jean, Senior Vice President of Legal and Chief Privacy Officer at AARP, also drew attention to the creative methods attorneys might use to enforce privacy standards and how they can create risk for enterprises.
For example, Audrey highlighted a current wave of litigation being fueled by the 1988 video privacy bill, the Video Privacy Protection Act (VPPA). She pointed out how this bill is being used to pursue privacy-related claims concerning the collection of online data.
Adam Aguirre, Associate at Foley Hoag LLP, discussed this trend in his article asking if the VPPA is the “new litigation weapon for consumers.”
Adam said there’s been an uptick in claims against companies for their use of Meta’s tracking tool under the VPPA, which suggests lawyers may be attempting to stretch the law more broadly than Congress perhaps intended.
“Plaintiffs’ lawyers are now seeking to use the VPPA to prevent companies from disclosing information relating to their viewing habits online,” Adam wrote.
With new capabilities comes the need for new regulations
Audrey also echoed Mike’s statement that we can expect to see more states rolling out comprehensive data privacy laws. She added that there is more knowledge that needs to be regulated.
It’s no secret that the volume of data is rapidly increasing. In 2022 alone, the world will have produced and consumed 94 zettabytes of data — a staggering figure. We’ve also seen new capabilities in artificial intelligence and machine learning, ad tech, and more.
Audrey highlighted the importance of a privacy by design mindset when considering these new technologies.
Certain capabilities like facial or fingerprint recognition could trigger specific statutes in a way that was perhaps not contemplated at their inception, Audrey said.
The intersection of data privacy and ethics
Advancements in AI have spurred a number of ethical concerns related to the collection and analysis of massive data inventories used to train machine learning models.
Mike highlighted some of these issues concerning ingrained discriminatory biases relating to gender, race, etc., and why privacy professionals should take notice.
Frankly, no company wants to serve as the poster child for unethical data usage. Mike said it’s important to consider your enterprise’s responsibility and understand and mitigate the potential impacts on vulnerable groups.
The intersection of data privacy and ethics spans beyond new capabilities. Harriet also pointed out the recent Supreme Court decision to overturn Roe v. Wade and how it might create further evolution of the common law of privacy in the U.S.
Employees will seek to avail themselves of certain reproductive rights, which could create tension with state agencies that seek to collect that information to enforce their restrictions on those health services — privacy is caught somewhere in the middle.
Harriet said, “It’s worth figuring out what those strategies are right alongside your compliance points.”
A Bloomberg Law article stated, “It remains largely unknown how law enforcement and state health oversight authorities may attempt to access data related to reproductive health or how those efforts might affect broader data privacy policies.”
As a result, it’s crucial for enterprises to increase their awareness of relevant laws and examine their internal policies concerning data collection, use, and privacy.
Avoid becoming an outlier
Enterprises are facing a Pandora’s box of privacy concerns and regulations. Harriet urged privacy leaders to ensure their enterprises are not perceived as outliers in their industries.
In an ever-evolving industry, Harriet said benchmarking is a crucial tool and gave a nod to the Data Privacy Board — the confidential membership community where privacy leaders at large enterprises can get trusted insights.
She advised leaders to benchmark their policies and programs against others in the industry to ensure they’re set up for success.
“If you identify that you’re an outlier with respect to certain key practices, go back to management and make some ruckus because that will elevate your risk,” Harriet said.