The basic concept of regulating how data is stored, protected, and processed is not unique to the past decade. From early examples such as Sweden’s Data Act of 1973 to Europe’s Data Protection Directive of 1995, the predecessor of the 2018 General Data Protection Regulation (GDPR), data privacy has long been a consideration for consumers and governing bodies. In modern times, the demand for and implementation of data privacy legislation is spreading and evolving rapidly in an attempt to better match how the technologies and industries of today collect, use, store, and protect our personal data.
While the exact future of data privacy legislation can only be speculated on, there are key trends and commonalities among recent privacy laws such as Europe’s GDPR, California’s CCPA, and related legislation such as Canada’s Digital Charter and PIPEDA that organizations should consider when building policies and practices that can withstand future changes to data privacy legislation. An overview of GDPR and CCPA is provided at the bottom of this article for reference.
Key Themes In Data Privacy Legislation
While each data privacy law is tailored to the needs of its own jurisdiction, lawmakers have made key considerations in developing their privacy legislation, many of which overlap from one law to the next.
At its core, the intent of new and recently revised data privacy laws is to update existing standards to reflect modern privacy needs. With the rapid rise of “big data” as an industry, privacy-conscious consumers and citizens are demanding greater personal agency over how their data and identities are used.
Responsibility & Transparency
Recent privacy laws mandate greater responsibility and transparency around how personal data is used and stored. Companies that collect or hold personally identifiable information (PII) are responsible for maintaining the security of that data so that only those authorized to see it can access it. In a modern context, data protection responsibility includes cybersecurity measures to prevent data breaches caused by insider threats and by malware (such as ransomware) deployed by cybercriminals, among other considerations.
In addition to being prepared to comply with future legislation, organizations that go beyond the standards set in current legislation will benefit from the improvement in consumer trust that comes from making data responsibility and transparency a priority.
Data privacy legislation is typically designed to protect consumers by providing them with added or reinforced rights in the context of their personal data.
Data Privacy Legislation & Defining Personally Identifiable Information (PII)
While the exact definition of PII varies slightly from one law to another, it is safe to assume that any information that could feasibly be linked to a given individual or household can and will fall under the definition of PII in future legislation. PII is also often classified as either “sensitive” or “non-sensitive”.
As organizations develop data privacy standards and infrastructure prepared for the future of data privacy legislation, it is important to realize that “non-sensitive” does not mean “not important”: data in the “non-sensitive” category is still consumer data that can be linked back to the consumer and warrants careful thought about its protection. As artificial intelligence becomes more sophisticated and widespread, seemingly unlinkable data may also become linkable depending on the related data available.
Examples of Sensitive PII include:
- Full name
- Social Security Number (SSN)
- Driver’s license
- Mailing address
- Credit card information
- Passport information
- Financial information
- Medical records
Examples of non-sensitive PII include:
- Date of birth (DOB)
- Place of birth
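As an added illustration of the linkability point above (example code written for this article, not from the original; the records are constructed, not real people), the check below measures how many records in a dataset become uniquely identifiable as more “non-sensitive” attributes such as date of birth, place of birth, and a coarse postal prefix are combined:

```python
from collections import Counter

# Constructed sample records: a sensitive field we never want linked back,
# plus attributes the article lists as "non-sensitive" PII and a coarse
# three-digit postal prefix (the "zip3" column is an assumed attribute).
RECORDS = [
    {"dob": "1984-03-12", "pob": "Fresno",  "zip3": "937", "diagnosis": "asthma"},
    {"dob": "1984-03-12", "pob": "Fresno",  "zip3": "937", "diagnosis": "none"},
    {"dob": "1990-07-01", "pob": "Oakland", "zip3": "946", "diagnosis": "diabetes"},
    {"dob": "1990-07-01", "pob": "Fresno",  "zip3": "946", "diagnosis": "none"},
    {"dob": "1975-11-30", "pob": "Oakland", "zip3": "945", "diagnosis": "none"},
    {"dob": "1975-11-30", "pob": "Oakland", "zip3": "946", "diagnosis": "asthma"},
]


def equivalence_classes(records, quasi_ids):
    """Group records by their combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one record is unique on these columns."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_ids):
    """Count records that are the only one with their quasi-identifier combination."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)


def linkage_report(records, quasi_id_sets):
    """Summarise re-identification risk for each candidate set of columns."""
    return {
        qids: {"k": k_anonymity(records, qids), "unique": unique_records(records, qids)}
        for qids in quasi_id_sets
    }


if __name__ == "__main__":
    # Risk grows as more individually harmless columns are joined together.
    candidates = [("dob",), ("dob", "pob"), ("dob", "pob", "zip3")]
    for qids, stats in linkage_report(RECORDS, candidates).items():
        print(qids, stats)
```

A dataset that looks safe on any single column can still single out individuals once columns are joined, which is why "non-sensitive" fields deserve the same inventory and access controls as sensitive ones.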
How to Prepare for the Future of Data Privacy
Shifting to First-Party Solutions
Organizations are already responsible for protecting consumer data, and with responsibility for third-party faults already established under GDPR, it is safe to assume that future legislation will consider organizations at fault for breaches and lackluster compliance on the part of the third parties they use.
To better prepare for the future, organizations will need to prioritize the use and development of first-party solutions wherever possible. When a third-party solution must be used, the organization must treat that third party as an extension of its own organization and be prepared to be held at fault should the third party fail to comply with data privacy standards.
Organizations that collect and use data should err heavily on the side of gaining explicit permission (opt-in) for the collection and use of consumer data, whether or not they are currently required to do so. Beyond the compliance benefit, companies that use opt-in practices gain a core group of consumers who want to be there, rather than being overwhelmed with mass quantities of data from consumers who are less willing to engage.
If an organization relies heavily on consumer data, a data audit is likely to be incredibly resource-intensive. During a data audit, an organization needs to determine exactly how it gathers data, how that data is stored, and who controls or has access to it. As laws similar to the CCPA are developed, organizations will also need to be prepared to identify exactly who a given dataset belongs to, to verify that a requester is who they say they are, and to answer Subject Rights Requests (SRRs) in a timely manner.
With respect to processes similar to CCPA’s SRRs, organizations preparing for the future should strongly consider an automated method for processing these requests. The burden of repeatedly analyzing data and verifying requesters becomes extremely difficult to handle at scale without significant resources.
start getting rid of personal data they do not have a reasonable business use for. They also need to locate all data repositories that are undocumented – think DevOps, Shadow IT – as well as copies of personal data anywhere it reside
For many organizations in the “big data” industry, it has been common practice to simply hoard data as it arrives in case it proves useful for insights in the future. As data privacy regulations continue to develop, organizations that use data should consider practicing “data minimalism”: processing and storing only the data that is immediately required for business operations, and deleting data once it has outlived its immediate use.
As the prevalence of subject rights requests, external audits, and lawsuits increases, an organization that practices meticulous documentation of its processes, policies, and vendors will be better prepared for the future of data privacy legislation. Organizations should thoroughly document their data inventory, conduct privacy assessments of themselves and the third parties they work with, and be prepared to readily answer specific questions about the data they use and store.
Existing Data Privacy Legislation
To get started on building a data privacy compliance strategy that is better prepared for future developments, it helps to understand what is already in place. While not intended to be a definitive guide to existing legislation, this overview of recently established data privacy laws can serve as a framework for high-level strategic planning.
California Consumer Privacy Act (CCPA)
- Date Adopted: January 1, 2020
- Date Enforced: The earlier of six months after final regulations are published or July 1, 2020
- Precedent/Similar Legislation: The California Constitution, California Online Privacy Protection Act (CalOPPA)
- Enforcement: Enforced by the Attorney General’s Office; individual consumers may bring lawsuits for $100 to $750 per event. Maximum penalty of $7,500 for intentional violations and $2,500 for accidental violations.
- Who Is Impacted: The CCPA can potentially apply to any for-profit business or associated entity operating in California, whether or not it physically resides in California, so long as that business collects and controls the processing of a consumer’s personal information while also meeting ANY of the following criteria:
  - Collects or sells the personal information of California residents
  - Has a gross annual revenue in excess of twenty-five million dollars ($25,000,000)
  - Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
  - Derives 50% or more of its annual revenue from selling consumers’ personal information
- Overview of Requirements:
  - The right for California residents to request:
    - The ability to access, delete, and opt out of the sale of their personal information
    - Disclosure of the categories and specific pieces of personal information that a business collects about the consumer
    - The categories of sources from which their information is collected
    - Why their information was collected or sold
    - The categories of any third parties given access to their data
    - Deletion of their personal data
  - The ability for Californians to opt out of personal data collection with no penalty
  - “Opt-in” required for consumers under 16
General Data Protection Regulation (GDPR)
- Date Adopted: April 14, 2016
- Date Enforced: May 25, 2018
- Precedent/Similar Legislation: GDPR is an update to the Data Protection Directive of 1995
- Enforcement: Enforced by the Information Commissioner's Office; maximum fines up to the greater of 4% of worldwide annual revenue or €20 million.
- Who Is Impacted: Individuals and organizations deemed to be controllers or processors of the personal data of EU residents.
- Overview of Requirements:
  - GDPR contains 99 articles, not all of which are covered here
  - Individuals have the right to easier access to the personal data an organization holds about them
  - Organizations are responsible for obtaining consent for data collection
  - Organizations are responsible for the safety of the data they collect, use, and store; a lack of reasonable data breach protection can constitute negligence under GDPR
  - Organizations must report any breach within 72 hours of discovery
Other Related Data Privacy Legislation:
Data privacy and protection laws have been enacted globally in various forms. The following links provide further context:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Philippines Data Privacy Act of 2012
- Australia’s mix of federal, state, and territory laws