
The last time we checked in on Exterro's Data Privacy Alert Library, we reviewed several persistent trends in the privacy landscape:
This time, we are reviewing recent updates through the lens of scale—ordered by the volume of people impacted—to illustrate the massive operational footprint of modern privacy regulations.
California has shifted its focus toward operationalizing its existing privacy framework. The California Privacy Protection Agency (CPPA) released draft regulations governing risk assessments and cybersecurity audits, imposing specific, proactive requirements on businesses rather than simply penalizing them after a data breach occurs.
Michael Hellbush, Partner of Intellectual Property at Rutan, explains the downstream effect:
"The CPPA’s Draft Cybersecurity Audit Regulations will have a massive impact on businesses, service providers, and third parties—regardless of whether they will be directly subject to the cybersecurity audit requirements set forth in the draft. While the draft regulations propose various levels of stringency and scope for the audits, they signal that the CPPA is not interested in check-the-box cybersecurity compliance.
As drafted, businesses who meet the (low) threshold for having to complete a cybersecurity audit based on their “high risk” processing activities will have to undergo the audit for their entire data ecosystem, not just those assets and activities that are involved in the high-risk processing. Since the draft regulations would require service providers and contractors to assist businesses in completing their cybersecurity audits, we should expect businesses to push audit requirements down to vendors who process any personal information regardless of whether the service provider is itself subject to the audit requirements."
Health data is among the most sensitive classes of personal information. A critical vulnerability in the MOVEit file transfer system allowed malicious actors to compromise the health data of 60 million Americans. Delayed impact reports highlighted a common corporate hurdle: it frequently takes months for organizations to realize they have been breached.
Constantine Karbaliotis, Counsel at nNovation LLP, notes the critical lesson in third-party risk management:
"The impact of this breach is widespread due to the reliance on MOVEit by so many vendors to facilitate business-to-business file transfers. It highlights the risks associated with the supply chain – that a vulnerability anywhere down the supply chain can have devastating impact for organizations who may only be dimly aware of the use of software tools supporting the business relationship with a vendor.
What is an organization to do? The most important element is conducting appropriate reviews of vendors to make sure the controls they have are proportionate to the risk associated with the data they are handling. This is both to prevent putting data into untrustworthy hands and to show due diligence when something goes wrong. Some controls are technical, but some are by necessity contractual or administrative, such as requiring patch management policies. And because things do go wrong, it is essential to address response to breaches, such as notifications in the event of breach, indemnification, and insurance."
The Federal Trade Commission (FTC) has adopted an aggressive stance as a primary consumer privacy regulator in the US. In recent remarks, the Bureau of Consumer Protection Director declared that the FTC will use its full authority to enforce substantive protections for US citizens, directly challenging the long-term viability of predatory business models built on commercial surveillance.
Karbaliotis shares insight on what this means for compliance strategies:
"As the Director pointed out, companies can no longer rely on the fiction of notice and choice. These, however, are important elements in returning control of consumers’ data to them, and meaningful notice and choice are still important; that is to say, effective dashboards that allow individuals to not only make choices about what information they share, but really to operationalize increasing consumer rights over access, correction, and deletion. This also requires that notice not be written in a fashion that requires a law degree to interpret, but clearly and in plain language to allow understanding of what processing activities are being undertaken.
To the heart of the FTC actions to reduce unlawful commercial surveillance, one of the most important areas most companies can address is to actually understand the information they collect and use; often the left hand is collecting (and commercializing) data the right hand is unaware of, and likely has not been able to evaluate properly in risk assessments and ethical assessments.
Legislation will ultimately become a reality. If organizations operate internationally, particularly under GDPR, they are going to be held to a higher standard sooner or later. It is important to note that the proposed American Data Privacy and Protection Act (ADPPA) speaks in terms of making companies fiduciaries of personal information. To get ready for a new, more respectful world of privacy, organizations need to start with understanding their collection of personal data and, most importantly, their sharing of data, particularly with aggregators, and make better, more thoughtful decisions as the stewards of consumers’ information."
In terms of pure scale, all other global privacy updates are eclipsed by the Digital Personal Data Protection Act (DPDPA), which impacts more than 1.4 billion citizens in India. Following years of intense debate, the Indian Parliament finalized the landmark legislation, and the government has signaled tight enforcement timelines.
Rahul Sharma, Founder of The Perspective and Grade Ace, issues a wake-up call for slow-moving enterprises:
"The DPDPA 2023 got enacted after more than a decade of effort to adopt a comprehensive data protection regime for India. The bill covers the substantive requirements of a horizontal framework, with specific rules and timelines for enforcement waiting to be notified that will reduce uncertainty.
The MeitY Minister has indicated that the sunshine period won't be as long as the 24 months organizations got for the GDPR. For certain provisions, the government may not grant more than six months to demonstrate compliance—a wake-up call for the organizations that haven't embarked on their data protection governance journey yet. Privacy compliance is on the board’s agenda now. Gap assessments, process and legal consulting, technology integration and optimization, and audits will all help organizations develop and mature their practices to become and exhibit compliance with DPDPA."
For deeper expert analysis of evolving regulations, browse our complete Data Privacy Alert Library.