By Tim Rollins
In the world of privacy, things can move fast. US states and national governments pass new laws, and agencies translate the intent of the legislature into regulations. Where regulations are already in place, data protection authorities enforce their provisions against violators, ideally with the goal of changing organizations' behavior. But enforcement priorities change, or enforcement itself becomes more rigorous, a trend we saw across jurisdictions in 2022. And of course data breaches, ransomware attacks, and other cybersecurity incidents all make news as well.
That's why Exterro publishes a bi-weekly series of Data Privacy Alerts, which provide easily digestible updates and expert advice on national and international legislation, regulations, enforcement actions, and data breaches. In a realm as rapidly evolving as privacy regulations, these updates give professionals the information they need to ensure their organizations prepare for and remain compliant with the expectations of both regulators and increasingly aware consumers.
In a recent whitepaper, we’ve selected the most important and most popular data privacy alerts from 2022, covering topics from the potential US national privacy legislation to key enforcement actions under the CCPA and GDPR. Today, in this blog article, we'll call out three big takeaways you can learn from them. Download the whitepaper by clicking on the banner below, or scroll on to check them out now.
Will the US Get a Federal Privacy Law?
One of the biggest challenges to privacy compliance is the patchwork of laws—or lack thereof—across the United States. In 2022, the American Data Privacy and Protection Act (ADPPA) made progress in Congress, leading to renewed hope that a federal law will be passed. While there are still many hurdles to be cleared, it has earned bipartisan support in both the House and the Senate. If passed, it would transform the privacy landscape of the US. The House Committee on Energy and Commerce voted overwhelmingly to advance the bill to a vote in the full House, the first time a comprehensive privacy bill has reached the floor of either the House or Senate. The main obstacle the law faces is the fact that it would preempt state laws, which currently exist in five states (California, Colorado, Connecticut, Utah, and Virginia).
Expert Analysis from Constantine Karbaliotis, CIPP/C/US/E, CIPT, CIPM, FIP, Counsel, nNovation, LLP
It is an open question whether the ADPPA will be passed, but it has a surprising degree of bipartisan support. There is considerable discussion over the proposed preemption of state laws such as California’s CCPA/CPRA, and whether the ADPPA is in fact providing better – or worse – privacy protections. The value of a federal law lies, however, in preemption, by simplifying organizations’ compliance with multiple state laws. There are a number of exceptions to this preemption, such as with data breach notification, so unfortunately ADPPA will not eliminate all complexity in the US.
If passed, it will represent a fundamental shift in privacy in the US. ADPPA will cover all residents of the US. It will apply to sectors which have been ignored by sectoral legislation, such as GLBA or HIPAA. While criticized as being less protective than CPRA, in some ways it is more comprehensive, as it will apply to all organizations, with varying responsibilities based on size. One key change is that affirmative express consent is a requirement; there must be opt-in, rather than opt-out, the previous model in the US. Consent must be based on clear and unambiguous notice, freely given, and informed.
California Is Raising the Bar for Consent
On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora in response to allegations that it violated key provisions of the CCPA and failed to address them within the 30 days allowed by the law. While the $1.2 million settlement at issue is far from a large fine in the realm of privacy regulation, it does mark the first significant enforcement action under the California Consumer Privacy Act (CCPA). While technically a settlement rather than a fine, it’s a warning shot to California companies that they will be held accountable for violations of the law. Two key elements working against Sephora were its failure to disclose that it was selling personal information by allowing partners to track users of Sephora's website, and its failure to treat the Global Privacy Control as a valid request to opt out of data sales.
Expert Analysis from Amalia Barthel, CIPM, CIPT
The California AG is taking a page from the CNIL book regarding cookies and tracking and signaling that it expects organizations to abide by GDPR-level regulations around the sale of PII. It is difficult to understand how Sephora was able to comply with GDPR while tracking visitors to its websites in the US and failing to process user requests to opt out via Global Privacy Control (GPC).
Organizations with operations in both the US and the EU need to harmonize their privacy program and implement similar controls in both regions. Maintaining technologies to support different operations in different jurisdictions is very costly—and very risky. Implementing a single set of policies using the same approach to risk tolerance and the same technology, with privacy by design embedded, is not as costly by comparison. Many multinationals are very successful with their implementation of privacy compliance programs that align well with the applicable legislation in multiple jurisdictions.
Retailers and online e-commerce businesses must take note that CPRA requires transparency of practices and that consumer preferences be recorded and respected. This is done through online disclosures explaining whether there is an intention to sell PII; the provision of mechanisms to opt out (including through the GPC); and ensuring third parties also conform with these controls.
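The opt-out mechanism discussed above has a concrete technical shape: the Global Privacy Control is sent by the visitor's browser as the request header `Sec-GPC: 1`, and a site that honors it can advertise that fact in a `/.well-known/gpc.json` document. The following is an added example, not code from Exterro or from any company named in this article, of the server-side decision a storefront would make on each request: detect a valid GPC signal, treat it (or a previously recorded preference) as an opt-out of sale and sharing, and withhold only the third-party partners whose loading amounts to a sale or sharing. The partner list and the `sells_or_shares` classification are hypothetical placeholders for a real tag inventory.

```python
"""Honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out.

Added illustration, not Exterro's or any retailer's code. PARTNERS and its
classification are constructed placeholders; a real site would drive this
from its own data map of third-party tags.
"""
from dataclasses import dataclass
import json
from typing import Mapping, Optional, Tuple

# Per the GPC specification the signal is the request header "Sec-GPC: 1".
# Any other value is not a valid signal and must not be read as one.
GPC_HEADER = "Sec-GPC"

# Hypothetical inventory of embedded third parties, classified by whether
# loading them constitutes a "sale" or "sharing" of personal information.
PARTNERS = {
    "checkout-payment": {"sells_or_shares": False},
    "site-analytics-first-party": {"sells_or_shares": False},
    "ad-network-pixel": {"sells_or_shares": True},
    "retargeting-tag": {"sells_or_shares": True},
}


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    source: str                   # "gpc", "stored-preference", or "none"
    allowed_partners: Tuple[str, ...]


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header with the exact value "1" is present.

    Header names are case-insensitive, so compare them lower-cased.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def decide_opt_out(headers: Mapping[str, str],
                   stored_opt_out: Optional[bool]) -> OptOutDecision:
    """Combine the browser signal with any opt-out already on file.

    A GPC signal is itself a valid opt-out request, so it wins regardless of
    what is stored; a stored opt-out persists even if the signal is absent.
    """
    if gpc_signal_present(headers):
        source, opted_out = "gpc", True
    elif stored_opt_out:
        source, opted_out = "stored-preference", True
    else:
        source, opted_out = "none", False

    # Partners that do not sell or share are always allowed; the rest load
    # only when the visitor has not opted out.
    allowed = tuple(sorted(
        name for name, meta in PARTNERS.items()
        if not (opted_out and meta["sells_or_shares"])
    ))
    return OptOutDecision(opted_out, source, allowed)


def preference_record(decision: OptOutDecision, visitor_ref: str) -> str:
    """Audit-ready JSON record of how the preference was honored.

    visitor_ref is an opaque, pseudonymous identifier chosen by the site;
    recording the source lets the organization demonstrate that GPC signals
    were actually processed.
    """
    return json.dumps({
        "visitor": visitor_ref,
        "opted_out": decision.opted_out,
        "source": decision.source,
        "partners_loaded": list(decision.allowed_partners),
    })


def well_known_gpc_document(last_update: str) -> str:
    """Body for /.well-known/gpc.json declaring that the site honors GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample request carrying the GPC signal.
    sample_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    d = decide_opt_out(sample_headers, stored_opt_out=None)
    print(preference_record(d, "visitor-placeholder-001"))
    print(well_known_gpc_document("2022-08-24"))
```

The strict `== "1"` comparison matters: a header of `Sec-GPC: 0` or `Sec-GPC: true` is not a valid signal, and treating it as one would silently misreport the consumer's preference in both directions. Keeping the record of the decision source is what lets a privacy team show a regulator that the control was processed, which was the gap in the Sephora matter.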
CPRA Is Here... and DSARs Are Too.
In 2018, California became the first state in the nation to sign into law a comprehensive consumer data privacy law, the CCPA. The CCPA, which took effect on January 1, 2020, provides most California residents with broad rights over how their personal information is collected, used, and shared by covered businesses and their service providers. Employees, job applicants, and contractors were excluded from 90% of the law’s protections... but that exemption expired on December 31, 2022. Now employees, job applicants, and contractors will be entitled to the full suite of CPRA rights that other California residents enjoy. These rights include the rights to access and deletion, the right to opt out of a “sale” or “sharing” of personal information, the right to limit the processing of sensitive personal information, and the right to correct their personal information. These new rights, which will represent the first of their kind for employees, job applicants, and contractors in the US, will usher in a significant new operational burden for organizations and their HR departments, which will need to stand up internal-facing privacy programs, policies, and standards.
Expert Analysis by Peter Stockburger, Partner, Data Privacy and Security, Dentons
Organizations should begin preparing now in order to meet the December 31, 2022 deadline for the expiration of the employee exemption.
- Start Mapping Your Data Now. To prepare for the coming CPRA storm, it’s important to have visibility into what type of data is being collected about employees, job applicants, and contractors, determine how that information is being used, and whether information can be streamlined. From this inventory and mapping process, organizations can start to build out their compliance programs and policies.
- Discuss with HR Now. It’s important to start the conversation now with the HR department to get them ready for the coming storm of compliance, training, and early communications with their employees, applicants, and contractors.
- Don’t Sleep on Security. Security will remain a vulnerability under the CPRA. When looking at the data practices for employees, job applicants, and contractors, it’s also important to review how that information will be secure, and to shore up security vulnerabilities before 2023 to mitigate the risk of a class action suit or regulatory investigation.
Of course much more happened in the course of 2022 in the world of privacy, but these are three key takeaways you can learn from. Watch for the Exterro Data Privacy Alert Library, arriving soon, to learn more key lessons!