No matter who you ask, they will have some opinion on data privacy. Whether it’s when we hear of a data breach at Equifax, or the unauthorized use of personal information on Facebook, the issues of data privacy and data protection are part of our daily lives.
While these issues aren’t the primary concern for most of us on a regular basis, they become significant when either of two things happens:
- Someone tries to use our individual data without our permission, such as knowing what products we use when we search online; or
- Someone hacks into a database that may and steal the personal information of thousands of people.
When either of these events occurs, it gets our attention. And, unfortunately, these events are happening with greater regularity and to more people.
With data privacy a growing concern, we wonder what to expect in 2020.
If we were to try to categorize all the data privacy trends under one heading, it would most likely be an attempt to better regulate how private information is used. This includes continued efforts by state and federal governments, as well as governments around the globe, to provide rules for greater protection and more rights for individuals concerning their personal data or information, and how it’s used by others.
States continue to introduce or pass new data protection laws
Consumers will continue to hear about how their data is used. Alexa and her relatives made many consumers uncomfortable with the collection and use of their private data. This type of new technology will compel more states to consider greater data privacy and protection legislation.
A major reason why there isn’t a comprehensive federal act to address privacy concerns is that there is too much ground between the two parties [states and the federal government] to come to a consensus and pass comprehensive legislation.
One of the key sticking points to federal legislation is whether an individual should have a private right to action to sue companies for data breaches and misuse of their personal information, or whether those injured in a data breach (or by the illegal use of information) are required to depend on the government to bring suit.
A second major dispute in any federal legislation is that of state law preemption (the doctrine that federal law is controlling over laws enacted by the state concerning the same subject ). However, this won’t be a concern if there’s no national privacy act that supersedes state legislation.
Because of the lack of cooperation and bipartisanship in Congress, individual states will be tasked with finding legislative or regulatory solutions to address their citizens’ privacy concerns.
When this happens, state laws will undoubtedly have similar but conflicting language in their privacy statutes. This will result in confusion for the customer and companies that legally use or hold individuals’ personal information.
In light of the fact that data is not a stationary or inanimate notion, consumers will have questions concerning their rights and the extent of protection under state laws, while businesses, especially those located in several states, will have difficulty determining how to comply with the various standards in each jurisdiction.
In 2018, California took the lead in passing domestic privacy legislation. The California act had several detractors and shortcomings in the interpretation of application and actions that must be taken in light of the new rules, and still faces challenges in 2020. Several other states, including Maine and Nevada, enacted less-comprehensive, but significant, data privacy legislation. In addition, the states of New York, Massachusetts, Texas and Washington considered data privacy acts last year.
California’s act, the California Consumer Privacy Act (CCPA), was used as the template for several other states. The CCPA went into effect in June 2018 and was amended last fall to take full effect on January 1, 2020.
The CCPA created new consumer rights concerning access to, deletion of and the sharing of personal information collected by businesses. The act also requires the state attorney general to adopt corresponding regulations with input from the public to further the CCPA’s objectives. The regulations promulgated under the act would establish procedures to enforce consumers’ new rights under the CCPA and provide businesses with guidance for how to comply.
Massachusetts’ privacy bill was modeled closely on the CCPA and would have a significant impact on businesses if passed. The Massachusetts bill contained a consumer data privacy bill with a broad private right of action. The proposed law, An Act Relative to Consumer Data Privacy (S.120), would have allowed a consumer to bring a lawsuit against any violating business or service provider, no matter what the actual losses.
However, last month, the Joint Committee on Consumer Protection and Professional Licensure voted to table the comprehensive consumer data privacy bill until a future legislative session.
The proposed Washington Privacy Act passed overwhelmingly in the state Senate but failed in the house. This was partially because of disagreements as to how the statute would be enforced and its facial recognition provisions. Nonetheless, the bill’s proponents said they would push the legislation again this year, and a new version of the act was proposed in late January.
Last spring, the Texas legislature amended the state’s breach notification law and created a new privacy council. House Bill 4390 was originally designed as a comprehensive consumer privacy bill known as the Texas Privacy Protection Act; however, the legislation was amended multiple times in the Texas House and Senate to water it down to just the two actions.
The update to the Texas Identity Theft Enforcement and Protection Act concerns only the breach notification requirements in the TITEPA. The amendments provide clarification by further defining the timeline to disclose a breach of system security and requiring disclosure of certain information to the Texas attorney general for breaches impacting at least 250 Texas residents.
Plus, the Texas Privacy Protection Advisory Council will study and evaluate laws in Texas, other states, and relevant foreign jurisdictions that govern the privacy and protection of information, and make recommendations to the state legislature on specific statutory changes regarding the privacy and protection of personal information.
Likewise, New York’s proposed data privacy legislation failed to garner requisite support last year and faced a substantial lobbying effort to stop the bill cold.
Despite these setbacks, this state legislative activity has continued to kindle an increased demand for a federal data privacy law.
Other data privacy trends
In considering trends beyond the main idea of increased statutory and regulatory protection of data, any new state privacy laws will result in new and significant business challenges, especially for organizations with multistate operations.
This trend will manifest itself in the difficulties companies will experience attempting to comply with increasingly tough privacy laws across geographies and industries. The result will mean increased pressure on data privacy and compliance efforts within companies. Another result of this trend will be the increased cost of compliance.
Another trend is that an increasing number of companies will come to the conclusion that a single privacy strategy is the only effective way to move into the future.
A similar trend is that we will see privacy and cybersecurity functions become more integrated. Experts say that this is really more of a continuing trend rather than a new one. Nonetheless, businesses can expect to see their privacy and security functions in closer coordination.
The impact of increased and more abundant data privacy regulations is that they are an even more significant driver in increased cybersecurity measures, as new regulations mandate that companies ensure their data is secure, and enforce greater diligence with the potential for penalties in the event of a breach.
One of the conclusions that can be drawn from this legislative activity, and one of the most significant trends in 2020 is that privacy will become a business differentiator. That means that the health and reputation of a business will now in large part factor in its ability to protect individual personal data and to guard against potential data hacks.
Consumers themselves support this notion, as more than 80% of those surveyed say that they have become increasingly aware of how businesses are using their personal information, and 75% admit that they have become less likely to trust companies with their personal information over the past year.
Data privacy is becoming a significant factor in the buying process for many consumers.
Given the number of high-profile data breaches that continue to make the news, as well as this increased push for data privacy legislation, businesses and consumers alike are much more concerned with protecting personal data.