By: Baan Alsinawi, Managing Director at CISO Global and the founder of TalaTek
“The year 2023 will go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States.” – Frederic. D Bellamy, Reuters
Historically, the European Union has led the charge in data privacy, a role deeply rooted in the collective European experience of the Holocaust, when Nazis systematically collected personal data from citizens and misused it to commit horrific acts against humanity. Beginning with the passage of the Universal Declaration of Human Rights in 1948, United Nations member states took the first step on the journey to protect individuals’ right to own and protect their own personal information as a human right. In the years since, new legal measures have become a matter of necessity, as the way people store, collect, and process data has changed with technological advances, capping off with the EU’s GDPR (General Data Protection Regulation, 2018). GDPR defines roles and responsibilities for any organization operating in the EU to collect personal data as well as which datasets can be defined as “sensitive data,” such as those related to one’s religious beliefs, sexual orientation, health information, and more.
Many in the U.S. were quite vocal in their opposition to the GDPR’s reach, namely because it was written with protecting the individual’s privacy in mind — with a clear impact on profitability for businesses that rely on selling personal information for financial gain. In fact, most of these business models are based entirely on collecting and using the individual’s data for profit, be it Facebook, Twitter, or Google! Let’s face it, personal data is big business. Meta has proven this point, and marketing tactics that allow businesses to track people in order to promote their services or goods illustrate how online search data, location, or demographics can be very lucrative business. Try browsing for a product one night before bedtime, only to be inundated with ads about similar products every time you access your browser from that day on! Eyeballs is the business model, and marketers are will to pay big bucks for getting your eyeballs (personal data) on as many products as possible.
So when you consider concepts such as explicit consent and data protection, both outlined in the GDPR, that organizations must abide by, you can also see where they would instinctively push back to avoid having to make additional corporate expenditures such policy changes would involve. That’s why the default settings on all apps is ”opt in” to harvesting your data, forcing you to actively “opt out” of such data collection — if you are savvy enough to know where exactly in the app you go to make that change. Then every time there is an app update, it defaults back, and you must set it again!
GDPR, however, requires businesses to make fundamental changes in how they configure their websites to make it clear to site users which data is being collected and exactly why and then to create a way for users to explicitly opt in to this collection (rather than the opt-out approach). All those consent forms have to be collected, stored, and protected somewhere, not to mention the requirement to abide by individual user privacy preferences. This would be both a significant lift and a decrease in financial gain opportunities.
But things are changing in the United States. Consumers are increasingly voicing their wishes to own, control, and prevent collection of their personal data as a human right. These voices are still far less powerful than those of business leaders, with less clout among state and federal decision makers. However, these rumblings are gaining enough momentum that legislators have started to weigh the value of corporate preferences against the wishes of their constituents. Consumers want protections, and they are tired of having their data collected and used without their permission or knowledge.
Looking back over the last several years, it’s easy to trace this emerging trend. In 2019, a study from the Pew Research Center found that a majority of Americans felt they had a lack of control over what personal data companies and the government collected. In fact, 79 percent of respondents said they were concerned about the way companies were using their data. Other statistics also bore out the public’s increasing overall distrust in how companies and the government stored their data.
In keeping with the shift, legislation designed to bring GDPR-like principles to the U.S. is emerging on a state-by-state basis, with California leading the way by amending the CCPA (California Consumer Privacy Act) as of January 1, 2023, to have more prosecutorial “teeth” for violators through the CPRA (California Privacy Rights Act). Additionally, five more states are joining the movement to protect residents with state-level legislation of their own.
Consider, of course, how inefficient that approach is, and how costly it is for businesses, as most have customers across the country instead of exclusively within one state. Businesses operating in the U.S. have to study each state’s standards and become familiar with different reporting schedules, fines, and regulatory needs – in addition to complying with standards in any other country or region where they operate. Compare that with one national standard that is applied to every state, with one form, one standard, and one website requirement. Makes more business sense – to some, of course; to others, not so much!
So what does this mean for your organization?
A lot of it depends on your industry, as you already may be required to follow privacy-related compliance standards —those in the health care sector are required to follow Health Insurance Portability and Accountability Act (HIPAA) data privacy rules designed to protect personally identifiable health information. Those regulated by the Securities and Exchange Commission must meet Sarbanes-Oxley Act regulations. The Payment Card Industry Data Security Standard is also designed to protect personal information during these types of data transactions.
In the meantime, you can stay one step ahead through proactive planning with these steps:
- Conduct audits of personnel access to data.
- Conduct third-party security audits.
- Only collect the minimum of necessary customer data.
- Destroy unneeded customer data.
- Create a plan to store and secure collected customer data.
- Create/implement a security program, including frameworks based on a risk assessment.
- Enlist third parties to enable your journey as needed.
- Make cybersecurity a part of company culture; educate/train your employees on cyber and privacy laws
If your organization is based in a state that enacts privacy regulations, you need to understand your business obligations under the evolving data privacy regulations and how they may impact your business practices and responsibilities to your customers. You may also be required to study the privacy laws of each state you operate in. How to reconcile all that when you operate in the Cloud? That’s a topic for another blog!
In this landscape, protecting consumer’s data and having compliance processes in place is going to require awareness by knowledgeable legal and IT teams working together to identify requirements, address how to safeguard data subject to these laws and regulations, and have contingency plans for when things don’t go as planned.
If you have questions or needs relating to your organization’s regulatory compliance, we encourage you to Request a Consulation and speak with one of our experts.