What to Expect from Privacy in 2022?
Wish you a Happy International Privacy Day!
Like the past few years, 2022 will continue to see individuals, corporations and regulators placing significant focus on Privacy. The Privacy space will also continue to evolve rapidly, and Privacy Professionals should be preparing to embrace significant changes in the field. 2021 saw new legislation like Virginia's Consumer Data Protection Act (CDPA), China's Personal Information Protection Law (PIPL) and the Colorado Privacy Act (CPA) take effect, and more regulations are coming down the pike. Companies need to be deliberate about what data is collected and how data is used, and have clear plans for the disposition of data when it is not needed.
Here are four key areas privacy professionals will need to pay close attention to in 2022:
1. Data Subject Rights
Data subject rights are rights granted to individuals to provide control over their personal data. Introduced first in the General Data Protection Regulation (GDPR), these can cover a range of rights, including rights to access, deletion, correction, opt-out and the right to be forgotten. Subsequent legislation has continued to expand on the breadth of these rights. The California Privacy Rights Act (CPRA) provides new rights around sharing of sensitive personal information and also expands the obligations of companies collecting or sharing sensitive personal information. The CPRA will go into effect in 2023 but will apply to personal data collected on or after January 1, 2022.
Businesses will have to develop new processes or modify their existing processes to ensure compliance with these regulations. This can seem daunting, especially given the privacy fatigue within companies. However, the right tools and strategies can make this process easier. Effective data management with full understanding and control over your data is critical to be able to truly honor data subject requests. Sufficiently granular control to locate and act on the data of any specific individual will also be needed. Laying the foundation to understand and manage the entire data landscape, including data with third parties, will make it easier to honor these rights.
2. Disclosures and Consent
Disclosures and consent allow individuals to have a better understanding and control over their personal data. Disclosure should be explicit, unambiguous and clear. Informed consent without disclosure is not possible.
Consent can be opt-in before collection (e.g., GDPR) or opt-out after collection (e.g., CCPA). Some laws also require businesses to obtain consent before processing an individual’s sensitive data (e.g., Colorado’s CPA or Virginia’s CDPA).
Consumers are increasingly concerned about what data is collected, sold, and shared with third parties. Privacy is more a necessity than a choice for businesses. Companies will need to focus on providing better disclosure about their data practices upfront and obtaining consent. Companies will also need to be cautious about what data they require from their consumers and how it is utilized. If done wrong, this has the potential to cause significant reputational damage. Maintaining consumer trust and brand reputation is as important as ensuring regulatory compliance.
3. Ad Tech
Major changes are looming in ad tech that will require marketers to look for alternatives and adopt new approaches. Major tech firms including Google, Apple and Microsoft have taken a pro-privacy approach, leading to a shift in the ad-tech landscape. For example, Google is planning to phase out third-party cookies by 2023. Google has just introduced the Topics API, and several companies including Microsoft and LiveRamp are working on their own substitutes. It is still too early to determine which system will gain prominence overall. Organizations must be prepared for changes in how they understand customer preferences and build customer profiles. Whether companies shift towards first-party data sources or adopt some of the new and emerging approaches, it is important to maintain a focus on Privacy.
4. Biometric Data
Businesses need to pay special attention to the growing use of biometric information and its impact on Privacy. Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, is the most comprehensive biometric law in the US. The BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.
As with any other sensitive personal information, businesses should focus on policies and processes that minimize the collection and retention of biometric data. Proper consent should be obtained before collecting and processing data, and data should be stored with proper security controls. For example, California obliges businesses to notify impacted individuals and law enforcement if user biometric data is compromised by a security breach. Similarly, Massachusetts considers biometric information a “special category” of personal information requiring extra protection under state privacy laws.
Companies should be equally cautious when collecting biometric information from their employees. Biometric identifiers like fingerprints and facial recognition are becoming more widely used by employers.