The General Data Protection Regulation (GDPR) may have pushed data privacy into the spotlight in 2017 and 2018, but in 2019, privacy became a global superstar. Privacy has become a major debate in the U.S. as companies rushed to comply with the California Consumer Privacy Act (CCPA), and more states introduce their own data privacy-focused laws. Privacy has also been a significant concern for those anticipating Brexit in the U.K. Significant penalties for GDPR compliance violations were issued to some of the biggest tech companies in the world, prompting many organizations to boost their compliance efforts. New data privacy frameworks were introduced by widely respected standards bodies like NIST and ISO.
So, what can we expect for the world of privacy in 2020? More change, but also more standardization. As state and national governments recognize the need for data protection, more regulations will be issued, but in order to keep up, organizations will seek out ways to unify these various laws and standards. Over the past year, our data privacy team has helped global organizations build cutting-edge, compliant privacy programs. Through these opportunities, we have identified nine key trends we believe will define the world of privacy in 2020.
In 2019, California established itself as the early leader in domestic privacy legislation. And a handful of other states, such as Maine and Nevada, passed smaller, but significant, laws. Data privacy legislation was also a major focus for state governments in New York, Massachusetts, Texas, and Washington in 2019.
Massachusetts’ privacy bill, modeled closely after the CCPA, would have a significant impact on U.S. businesses, if passed. It is still being discussed by the state’s Joint Committee on Consumer Protection and Professional Licensure, but a decision on whether or not to pass the law is required in February 2020. If enacted, it would likely go into effect in 2023.
Highly anticipated data privacy bills from Washington, Texas, and New York all failed to pass this year, after heated debates. But this doesn’t mean these conversations are over. Proponents of the law in Washington are already planning to discuss the legislation in some form in 2020, and Texas has formed a 15-member privacy council, dedicated to evaluating data privacy issues in Texas and across the country, to help create potential legislation in 2021.
California set off a chain reaction when it passed the CCPA in 2018. While their laws may not be as stringent as the CCPA, other U.S. states will continue to propose and pass laws and amendments that protect the personal information of their residents until a federal law is in place.
State privacy laws create new and significant business challenges, especially for organizations with widespread operations. To avoid a complicated tapestry of data privacy laws – which would drive higher compliance costs and could slow business growth – we expect increased momentum toward a federal privacy law in 2020. Many businesses, privacy leaders, consumers, and policymakers are already aligned and working toward its creation.
While a few different federal privacy bills have been discussed, two stand out from the pack: the Consumer Online Privacy Rights Act (COPRA), proposed by Democratic Senator Maria Cantwell of Washington, and the United States Consumer Data Privacy Act (CDPA), drafted by Roger Wicker, a Republican Senator from Mississippi. Both proposals were reviewed by the U.S. Senate in a committee hearing on December 4, 2019.
The two proposals share a number of very similar requirements, including “affirmative express consent,” more transparent privacy policies, increased data security measures, designated privacy officers, and mandatory data privacy risk assessments. The major differences between the two are 1) COPRA calls for the establishment of a new bureau within the FTC to enforce the law, while the CDPA leaves enforcement to the FTC as it exists today, and 2) COPRA includes a private right of action, which would allow private citizens to bring their own lawsuits against an organization that violates the law.
The marked resemblance between the two laws seems to indicate a building consensus among legislators (with only a few key sticking points remaining). Given the current pace of legislative progress, we expect these proposals to continue receiving considerable discussion in Congress, but it remains very unlikely that either will be passed this year. However, monitoring these laws and the similarities between them may help with future compliance efforts as you build your 2020 privacy strategy.
As these federal data protection bills are discussed and the CCPA goes into effect, executives and boards of directors will need to increase their awareness and oversight of data privacy efforts. It’s up to privacy and compliance leaders to get them started.
The easiest way to communicate the importance of data privacy to executives? Speak in numbers. The GDPR set a high bar for penalties, with violations costing organizations up to 4% of global annual revenue. The CCPA allows the state Attorney General to seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and COPRA, if passed, would expose companies to damages of between $100 and $1,000 per violation per day. Aside from penalties, the average cost of a compliance program is about $5 million, but the average cost of non-compliance is about $15 million.
CCPA enforcement will begin in July, and it should be expected that penalties will be doled out shortly thereafter. Your board and executives will be hearing a lot more about the importance of data protection in 2020, and you’ll need to be prepared to demonstrate the effectiveness of your program and where improvements need to be made. If you’re looking for more tips on talking to your board about privacy compliance, we created a list of strategies to improve board conversations and to effectively communicate the need for investments in privacy in 2020.
Forty-three percent of organizations are working to comply with two to five data privacy laws, a recent IAPP study found. The struggle to comply with increasingly stringent privacy laws across geographies and industries has put a strain on many data privacy and compliance teams. In addition, the cost of compliance has increased significantly, and teams are struggling to find the staff they need to support mammoth compliance programs aligned with regulations like the GDPR, CCPA, and HIPAA.
As a result, more and more companies are realizing that a single strategy, built on strong privacy principles, is the only effective way to move forward. The same IAPP study found that 56% of respondents are working toward “a single, global data protection/privacy strategy,” implementing a global strategy that is tailored to individual jurisdictional requirements when needed.
Choosing a unified, enterprise-wide data privacy strategy requires significant research and resources up front, but once implemented, it can significantly reduce future efforts. Integrating your privacy strategy with your organization’s existing compliance program aligns your privacy efforts with other risk management initiatives, including cybersecurity, and significantly reduces the work required when a new privacy law is issued. In order to build an effective data privacy program, those leading it must spend time researching applicable regulations, integrating “privacy-by-design” principles, and educating data stakeholders across the company.
Implementing this strategy is challenging, but standards bodies like NIST and ISO have recently published data privacy frameworks that incorporate data privacy best practices and common regulatory requirements to help organizations build smart, sustainable data privacy programs.
This is more of an on-going trend than a new trend, but in 2020, expect to see your privacy and security functions working together even more. Data privacy regulations have now become a significant driving factor in increased cybersecurity measures, legally requiring companies to ensure data security and adding to the potential financial fallout of a breach. To this end, CISOs and their security teams need to become more educated on new data privacy laws and their changing requirements.
The difficulty is that many data privacy regulations are vague when it comes to security requirements. The CCPA assigns companies a “duty to implement and maintain reasonable security procedures and practices,” and the GDPR requires the implementation of “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” However, neither law clearly defines “reasonable” or “appropriate,” leaving organizations responsible for deciding what measures need to be taken to reduce data risk, and for being able to justify those decisions to a regulator after an incident.
To make these decisions, privacy and security teams must work together to identify data privacy risks and to design controls that effectively address these risks. As mentioned above, ISO and NIST have drafted data privacy frameworks that align with their widely used security frameworks, providing privacy and security leaders with a solid foundation on which to build their integrated programs.
Third-party breaches and incidents have been a key driver in the introduction of data privacy laws like the CCPA. The GDPR and CCPA now require companies to be much more transparent about what data they share with third parties and how those third parties use this data. In addition, third parties are now required to clearly demonstrate that they have security and data privacy measures in place to protect the data they receive.
Ultimately though, in the event of a third-party breach, enforcement agencies hold the organization that shared the data responsible, and it must be able to show that it performed due diligence on its vendors. Therefore, many organizations are regularly assessing their third parties’ security measures, establishing risk profiles, and determining what data (if any) should be shared with them. The IAPP found that the most common type of risk assessment was the third-party risk assessment (selected by 78% of U.S. respondents), and the popularity of these assessments is likely to continue well into 2020 and beyond.
With an increased focus on privacy compliance, the need for knowledgeable, experienced data privacy professionals has increased. Job searches for titles like “chief privacy officer” and “data protection officer” have increased by 77%, but there aren’t enough privacy experts to go around. The IAPP, a leading privacy certification organization, reported that they had their biggest year for certifications in 2018, yet there are only 20,000 people globally who have passed their exams. While legal teams and compliance experts have extensive knowledge of these regulations, organizations lack privacy professionals who have the skills and experience to actually operationalize compliance.
This shortage of data privacy expertise will likely be a serious challenge in 2020. While talent shortages are an issue in new technical industries like this one, there are steps companies can take to try to bridge these gaps. The most obvious solution is training. Data privacy organizations like the IAPP provide training courses and certification opportunities, which may be appropriate for members of your security, IT, compliance, or legal teams. Other opportunities exist to outsource portions of your data privacy program, utilize consulting firms to fill hard-to-hire positions, and introduce software to automate repetitive tasks (like consumer rights requests).
Data privacy awareness training is a staple of most organizations, an annual routine just like cyber awareness training. But a single, basic training for the whole organization is not enough for many organizations today. Privacy and security teams are no longer solely responsible for data privacy. Now HR, customer service, marketing, IT, and sales teams also share in this responsibility, as their departments process high volumes of personal information. Often, these teams have never been involved in compliance activities and need hands-on, practical training to equip them to take on these new responsibilities. In addition, board members and executives have an increased responsibility to protect personal information.
Depending on how they interact with the data your organization processes, these different teams and individuals need customized privacy training to help them better understand the policies in place to safeguard this data and to aid them in implementing and maintaining data privacy processes. Privacy and compliance teams need to take the time to tailor these trainings and to meet with these teams regularly to understand the privacy challenges they’re facing and how to address them. In 2020, we expect the market for privacy awareness training to increase, with training providers launching new, tailored offerings and companies increasing their annual investment in data privacy training.
More than 80% of consumers say that they have become increasingly concerned about how companies are using their personal information, and 75% say that they have become less likely to trust companies with their personal information over the past year. Data privacy is becoming a significant factor in the buying process for many consumers. With the number of high-profile data breaches that occurred over the past year and the increased focus on data privacy legislation, consumers are much more conscious of the importance of data protection.
Companies that invest in data privacy, especially around consumer rights programs, may be able to build consumer trust more easily than competitors that do not. Some consumers are more willing to share their personal information with an organization if the company can demonstrate that it has privacy safeguards in place. While many U.S. organizations are not in scope for laws like the CCPA or GDPR, or do not have to extend those rights to consumers or data subjects outside of California or the EU, demonstrating data security and data privacy measures and programs to customers can increase consumer trust. In an effort to show its support of privacy protections, Microsoft voluntarily extended the CCPA’s consumer rights to all of its U.S. customers and the GDPR’s data subject rights to customers across the globe. Apple ran a major advertising campaign throughout 2019 focused on its commitment to data privacy. During the 2019 World Series, Apple advertised its new iPhone by focusing not on the cameras, or the screen, or the processing speed, but on data privacy.
With leaders like Microsoft and Apple making privacy a core part of the feature set, others will surely follow. In the meantime, we expect privacy to become a key technology differentiator, with organizations that prioritize data protection gaining a significant competitive advantage.
Preparing for the new year can be exciting, but it can also be intimidating. The key is perspective. You can look at these trends and see a scary talent shortage on top of even more regulations and penalties. Or you can see a clearer path to building a sustainable privacy program, the opportunity for greater investments in data privacy, and improved customer relationships. Regulatory change in the data privacy space over the last few years has taught organizations a lot about the value of and need for data protection. 2020 can be the year businesses buckle down and really focus on securing customer, employee, and business data, making the world a safer place.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.