In the new digital economy, it often seems like every day brings another tale of some horrific data breach.
Additionally, revelations like the ones involving Cambridge Analytica, the British company that mined the Facebook data of tens of millions of people in an attempt to affect elections worldwide, have left people more mindful of data privacy.
Governments have responded. Data privacy laws abound and more are in process. In such a fluid legal environment, how can a business keep up?
“Legal departments face increasingly complex tasks in staying compliant while minimizing regulatory risk related to data privacy in virtually all areas of their work,” says Trista Engel, Paragon Legal’s Chief Executive Officer. “We ensure our privacy lawyers are well-versed in understanding and mitigating the risks in this critical and ever-evolving field.”
The event featured experts from the World Bank, Airbnb, and Visa, among others, who discussed the latest issues companies are facing involving data privacy — as well as how certain best practices can also advance a company’s broader business goals.
Here, we present some actionable takeaways for in-house counsel along with a summary of the current regulatory landscape.
Making Privacy a Core Value
Rita Heimes, General Counsel and Chief Privacy Officer at the International Association of Privacy Professionals (IAPP), recommends that companies build a culture of privacy beyond the risk management technique of compliance with a given law.
Speaking at the event, Heimes said such a culture goes far beyond the avoidance of litigation. People would rather work for “an organization that is thoughtful and careful and has a good soul,” she said.
“Those people are loyal to you and they stick with you for longer because they enjoy where they work,” Heimes continued. “Privacy is one of many components, along with diversity and inclusion. Your employees will notice that you take these things seriously and they’ll respect you for it. They’ll be proud of where they work.”
So, how does a company build a culture of privacy?
First, create a detailed policy, thought-out, tested, and devised by professionals. Heimes recommends that part of this policy be periodic data housecleaning.
“If you don’t have people’s personal data, then it can’t be misused,” she said. “A culture of privacy reduces risks all over.”
Second, dedicate personnel to implement the policy. While a chief privacy officer with a team is ideal, experts recognize this may be beyond the reach of some businesses.
One option companies have is to partner with an alternative legal service provider like Paragon, which maintains teams of privacy-focused professionals to support companies that lack these types of expertise in-house.
Third, thoroughly follow up — particularly with all types of vendors and business partners — to make sure the policy is working as intended. Third-party data protection presents numerous challenges, and companies must remain vigilant to ensure their security needs are being met.
Complying With the GDPR
This attentiveness is important because of ever-shifting regulations. In 2018, the European Union kicked privacy law to a new level when it implemented the General Data Privacy Regulation (GDPR).
The law fosters transparency regarding data collection, mandates that sites cannot collect data unless a user affirmatively opts in to the process, and governs protocols in case of a data breach.
Many companies, no matter where they’re domiciled given our global economy, saw this robust law and thought it best to comply.
They said to themselves, “Europe has come up with a comprehensive consumer privacy law that sets a very high bar. If we build our systems to meet that, we’ll probably comply everywhere, right?” Heimes said. “Because it’s the strictest law, that’s the reactive and appropriate first step.”
She noted, however, that this strategy can be “pretty tough on your data team and you may not need to go that far.”
Post-GDPR, companies have been “fine-tuning their processes, seeking the best procedures for themselves, their vendors and their clients,” Heimes said. And of course, the GDPR is no longer the only robust privacy law.
Eyeing the US Landscape
As it often does, California led the way in the United States with its 2018 California Consumer Privacy Act (CCPA).
While it shares goals with the GDPR, there are a few differences. The CCPA added data about devices and households to the definition of personal information. The right to opt out is narrower than the GDPR’s because it covers only the sale of personal information, but it included broader consumer rights regarding access to data.
However, because data privacy laws never stand still for long, in late 2020, the Sunshine State passed the California Privacy Right Acts (CPRA) to build on the earlier law.
CPRA advocates felt the CCPA was too weak — too susceptible to legal machinations — and set out to fix it. Significantly, they passed the new law through a ballot referendum, demonstrating that the general public is aware of the problem and wants strong laws.
The CPRA establishes an agency, to be called the California Privacy Protection Agency, charged with enforcing the act and promoting awareness of privacy risks, according to materials posted by the NCSA. The agency will get up and running this year, although other provisions of the law don’t take effect until 2023.
The new law also created a category called “sensitive personal information” and includes specific compliance requirements for this category. It expands the opt-in requirement to include the sale and sharing of a user’s personal data, which brings it in line with the GDPR.
On March 2, Virginia became the second state to pass a robust data privacy law.
The Consumer Data Protection Act, which becomes effective in 2023, is similar to the CCPA in that it gives consumers more control over their personal data.
As noted in Corporate Counsel, the Virginia law also contains minor differences that will increase compliance burdens for companies.
Perhaps more important than state-level activity, federal lawmakers have been working to pass legislation as well.
The latest iteration in federal law is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act), a conglomeration of three previous bills, according to a September 2020 article from the IAPP.
If the bill were to become law, it would require companies to obtain affirmative express consent before gathering individuals’ sensitive data and would require privacy policies to be published and transparent.
The bill calls for robust data security practices, and would prohibit the denial of goods or services to individuals who exercise their privacy rights. Users would be guaranteed access to their data and companies would have to designate data security officers and conduct annual assessments, among other things.
The SAFE DATA Act would also require users to be notified if an “opaque algorithm,” uses their personal data to select the content they see, and would require an “input-transparent algorithm” to be on offer.
The U.S. Congress is still at odds over some aspects of the bill. According to the IAPP article, “the two key dividing lines are whether federal privacy legislation will include a private right of action and [whether it will] preempt state laws that offer a higher standard of privacy protections,” such as the CPRA.
“California was a big wake-up call that U.S. states are one by one going to begin adopting standards,” Heimes said. “Now that we have party alignment, more or less, across both houses and in the White House, the chances are better than they’ve ever been that there will be federal privacy legislation.”