1. Fragmentation of data privacy laws
Companies need to determine how they will respond to the increasing fragmentation of domestic and international data privacy laws. There are now three states with comprehensive consumer privacy laws in the United States. If you do business outside of the United States, the number of privacy laws increases depending on the jurisdiction. These laws are similar in their definition of what constitutes personal information (or personal data); however, there are also significant differences.
We are headed down a similar path to the breach notification compliance laws where we have 50 states, one district, and three territories with their respective laws that are very complicated and sometimes contradictory.
2. Expanding definition of personal information
We’ve seen the expanding definition of “personal information.” In the United States, what was formerly Personally Identifiable Information (PII) and included names, addresses and social security numbers is being expanded to include social media posts, photographs, internet search and transaction history, voice recordings, and Internet Protocol (IP) addresses. When the California Privacy Rights Act of 2020 (CPRA) becomes operational, it will introduce the concept of “sensitive personal information” and provide consumers with additional rights related to it.
Think about the data breach notification laws in the United States – which essentially relate to the theft of and potential exploitation of someone’s financial identity. These laws generally refer to the theft and illicit use of someone’s identity related to their social security number, a financial account, or a state identification card. These laws were written to protect an individual from a bad actor getting a new credit card in that individual’s name, spending and racking up debt in that name, and significantly impacting the individual’s credit rating. With the expanded definition of what constitutes personal information, the privacy laws have identified new individual rights that a person has in information that someone else may possess about them.
3. Expansion of individual consumer rights
With the expansion of individual consumer rights, companies need to be prepared and able to respond quickly to consumer requests for the personal information that a company may possess about the consumer. Under CCPA, consumer rights include:
- The right to know about the PI that a business collects about them, how it is used and shared;
- The right to delete PI collected from the consumer;
- The right to opt-out of the sale of their PI;
- The right to non-discrimination for exercising their CCPA rights; and
- The right to correct inaccuracies (introduced as part of CPRA).
4. Increased emphasis on data management
All of these evolving laws point to an increased emphasis on data management – managing data across its lifecycle – including minimization and deletion. You cannot just collect data and keep it for as long as you like. This is a component of the EU General Data Protection Regulation, CPRA, Virginia’s Consumer Data Protection Act, and the Colorado Privacy Act.
5. Disruption from emerging technologies
Lastly, we already see disruption from emerging technologies, such as artificial intelligence (AI), machine learning (ML), facial recognition, and the use of biometric data. New privacy issues are already arising, particularly in light of the evolving definition of what constitutes PI and the consumer’s expectation of privacy, and there is potential for further privacy concerns as new technologies enable new uses of consumer data.
These trends have the potential to be very impactful on how and where a company does business.