Privacy Recap 2022: Top 10 Things to Look Out For
The year 2022 brought some significant developments to the world of data and privacy. We saw some major data breaches like T-Mobile, Toyota, Twitter, etc. as well as notable rulings like the ones involving Clearview AI for violating the GDPR and the UK GDPR, Sephora for noncompliance with the CCPA, Google for storing location data, and many more.
Before we step into 2023, it is important to look back and gather what needs to be done in the coming year. These tips can help us prepare for upcoming privacy regulations and ensure that we are on the right track to privacy.
1. CPRA
The much-awaited California Privacy Rights Act (CPRA) will take effect on January 1, 2023. The CPRA expands upon the existing California Consumer Privacy Act (CCPA), which went into effect in 2020. This new legislation will strengthen the privacy rights of California residents and place new requirements around the use of personal information (PI). It will also see the establishment of a new government agency, the California Privacy Protection Agency (CPPA), to “vigorously enforce” the CPRA and “ensure that businesses and consumers are well-informed about their rights and obligations.”
While the CPRA works as an addendum to the CCPA, it adds new and expanded definitions around the sale and sharing of data and a new category of data called sensitive personal information (SPI). The new regulation comes with its own nuances, so understanding how it will affect your business must be the priority for every organization. If your business falls under the scope of the CPRA, here are some of the basic things that must be on your checklist:
Ensure that you have the required tools and resources to fulfil data subject requests (DSRs)
Review the sharing of data with third parties and if it falls under “sale” as defined under the CCPA
Ensure that consumers are provided with the option to limit the sale or sharing of their personal or sensitive personal information
2. VCDPA
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021 and will take effect on January 1, 2023. The law is applicable for companies that do business in Virginia, or that produce products or services targeted to Virginia residents.
Here are some of the things to keep in mind if your business falls under the scope of the VCDPA:
Be able to fulfil consumers’ rights to access and delete their personal data
Must conduct data protection assessments related to processing of personal data for targeted advertising and sales purposes
Obtain prior consent from users if collecting or processing sensitive personal data
Maintain transparency about how you share and sell consumers’ personal data
3. Digital Markets Act (DMA)
The DMA is an EU regulation that applies to online platforms that are gatekeepers, i.e., the largest actors in the market, and imposes antitrust obligations on them. It went into force on November 1, 2022 with the aim of promoting competition and fairness among online platforms.
To ensure compliance with the DMA, you need to:
Determine whether your business falls under the definition of a gatekeeper and if not, prepare a defensible position explaining why your company is not considered a gatekeeper in the EU.
If your business falls under the definition of a gatekeeper, then review privacy notices and consent language to ensure explicit consent is obtained prior to processing data for targeted advertising or cross-use within the organization.
Implement effective consent and preference management controls to track end-user preferences and maintain an audit trail.
4. Digital Services Act
The Digital Services Act (DSA) will regulate illegal content, ensure transparency, and tackle disinformation on the internet. It will ensure accountability across online platforms and online safety for the users.
The regulation will be directly applicable in all EU Member States and will apply to providers of digital “intermediary services” who provide recipients with access to goods, services and content.
If your business is affected by the DSA, these things should be a part of your preparation:
Have the necessary tools and resources to respond and take action when courts or authorities point out illegal content.
Have predefined notice-and-action mechanisms for reporting alleged illegal content and taking necessary action.
Establish a single point of contact for authorities and recipients that should be easily accessible.
Ensure your website is free of any dark patterns that prevent users from making a free and informed decision.
Monitor profiling-based online advertising that is based on sensitive data and targets minors.
Conduct regular assessments of systemic risks and regular independent compliance audits.
5. Health Data
Personal health information (PHI) has been considered sensitive due to the nature of such data and the conclusions that can be drawn from it. The Health Insurance Portability and Accountability Act (HIPAA) established new standards for businesses dealing with PHI to protect it and prevent it from being stolen or used without patient permission. It only covers health plans, health care clearing houses, and health care providers and their business associates.
However, with the recent rise in the number of health data app companies and data brokers, states like California have implemented additional privacy protections through the Genetic Information Privacy Act and the Confidentiality of Medical Information Act to expand privacy obligations to more entities.
While HIPAA has remained as the standard for governing health data across the US, lawmakers are certainly considering introduction of new regulations outside of HIPAA. Some of the proposed federal bills containing health-relevant privacy protections are:
The Protecting Personal Health Data Act
The Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act
If your business collects or stores PHI, it is important to be a step ahead when it comes to compliance. An effective privacy program will solve several problems arising from disorganized and accumulated data. If you’re wondering where to begin, these tips can provide some perspective on starting your compliance journey:
Ensure that you obtain the required consent from the users before collecting their data.
Establish the necessary controls for storing and processing sensitive data including encryption at record level, pseudonymisation or anonymisation while processing the data, disaster recovery, etc.
Set up mechanisms for managing data subject requests (DSRs) for access of data, deletion, etc.
Analyse what data is being shared with third parties and revise third-party contracts defining the roles of each party
Study the relevant regional regulations applicable to your business that may require additional measures.
6. Children’s Data
With easy accessibility to gadgets and the internet, the number of children using social media and other applications is increasing rapidly. In the US, the FTC-enforced Children's Online Privacy Protection Act (COPPA) covers children under 13. It requires operators of websites and online services to obtain parents' explicit consent before collecting the information of children under 13.
Recently, California lawmakers passed the California Age-Appropriate Design Code Act (Bill 2273) which aims to create a safer digital space for kids under 18. The bill would apply to social apps like Instagram, TikTok, and YouTube as well as any business offering “an online service, product, or feature likely to be accessed by children.”
The act will have a wider scope and higher protection standards compared to the Children’s Online Privacy Protection Act (COPPA), which applies when a business operates a website or online service directed to children, or when such a business has actual knowledge that it is collecting or maintaining personal information from a child. Additionally, bill 2273 will provide privacy protections to all users under 18, unlike COPPA, which applies only to children under age 13.
If your business serves children and deals with children’s data in any way, start by following this checklist:
Determine if your business collects personal information from minors
Have a privacy policy that complies with COPPA and any other applicable state regulation
Ensure parents are notified and obtain their consent before collecting information from their kids.
Parents should be given the right to review the personal information collected from their child, revoke their consent, and delete their child’s personal information.
Have appropriate controls and procedures to protect the confidentiality, security, and integrity of personal information collected from children
You can read our blog on Children’s data here.
7. End of B2B exemptions
Personal information (PI) collected for business-to-business (B2B) transactions forms a significant volume of enterprise data. The B2B exemptions under the California Consumer Privacy Act (CCPA) applied to personal information of employees or business contacts collected for providing or receiving a product or service to and from another business.
However, these exemptions will cease to apply starting January 1, 2023, with the enforcement of the California Privacy Rights Act (CPRA). This means companies collecting PI of business contacts for providing or receiving a product or service to and from another business will have to comply with the requirements under the CPRA. This includes the PI of workforce members, independent contractors, service providers and other business contacts that was collected to aid in providing or receiving a product or service to and from another business.
Here’s how you can prepare for this change:
Determine what B2B data is collected and stored by your organization
Assess the difference in CCPA and GDPR compliance with respect to B2B data
Create necessary privacy disclosures, third-party and service provider agreements
Set up a system for honoring data subject requests (DSRs)
Determine how to deal with unstructured data (emails, messenger services, etc.)
Catch our webinar on the same topic here: The end of B2B Exemptions under CCPA
8. Geolocation Data
The California Privacy Rights Act defines precise geolocation as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.” Geolocation data is being collected and used by a large number of apps and devices these days. While location data may be required for providing several of these services, that is not always the case.
Recently, Google agreed to pay a sum of $391.5 million for settling an investigation into its location tracking practices. The investigation found that the company continued to track the users’ movements even when their location tracking features on Google were turned off and used that information for advertisers.
With states like California, Connecticut and Virginia considering geolocation data as "sensitive", businesses should be equally cautious while collecting and processing it. Here are a few points to implement for better compliance while using location data:
Obtain clear opt-in and consent from the user
Collect only what is required. For instance, if your app doesn’t require the user’s location at all times, then the data should be collected only when the app is being used.
Develop a retention strategy to ensure that the data is deleted when no longer needed.
End collection of data when the user opts out or when the service is no longer needed
Ensure location data is pseudonymized (i.e., does not include obvious identifiers, such as a name or phone number)
Encrypt data during transmission
Minimize data sharing with third parties and ensure they meet the same standards
Read more about geolocation data here.
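The geolocation checklist above (and the pseudonymisation point in the health-data checklist) can be turned into one data-minimisation step. The following Python is an added example written for this post, not code from the author. It assumes the device reports a horizontal accuracy radius with each fix; it uses the 1,850-foot figure quoted above as the threshold for "precise" geolocation; it treats snapping a point to a grid cell whose side is twice that radius as coarsening (an engineering interpretation of the definition, not a legal test); it pseudonymises the user identifier with an HMAC under a key kept outside the dataset; and it drops records older than a retention window. The key, records and timestamps are constructed for the example.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FEET_PER_METER = 3.28084
METERS_PER_DEGREE_LAT = 111_320.0   # assumed average; adequate for coarsening
PRECISE_RADIUS_FT = 1850.0          # the CPRA threshold quoted in the post


@dataclass(frozen=True)
class LocationRecord:
    user_id: str
    lat: float
    lon: float
    accuracy_m: float       # horizontal accuracy radius reported by the device
    collected_at: datetime


def is_precise_geolocation(accuracy_m: float) -> bool:
    """True when the fix locates the device within a circle of radius <= 1,850 ft,
    i.e. the record meets the quoted definition of precise geolocation."""
    return accuracy_m * FEET_PER_METER <= PRECISE_RADIUS_FT


def grid_steps(lat: float, radius_ft: float = PRECISE_RADIUS_FT) -> Tuple[float, float]:
    """Grid cell size in degrees whose side is twice the threshold radius, so the
    cell's area (4r^2) exceeds the threshold circle's area (pi r^2)."""
    side_m = 2.0 * radius_ft / FEET_PER_METER
    lat_step = side_m / METERS_PER_DEGREE_LAT
    lon_step = lat_step / max(math.cos(math.radians(lat)), 1e-6)
    return lat_step, lon_step


def coarsen(lat: float, lon: float, radius_ft: float = PRECISE_RADIUS_FT) -> Tuple[float, float]:
    """Snap a point to the centre of its grid cell. The longitude step is derived
    from the cell's centre latitude, so coarsening a cell centre again is a no-op."""
    lat_step, _ = grid_steps(lat, radius_ft)
    cell_lat = math.floor(lat / lat_step) * lat_step + lat_step / 2.0
    _, lon_step = grid_steps(cell_lat, radius_ft)
    cell_lon = math.floor(lon / lon_step) * lon_step + lon_step / 2.0
    return round(cell_lat, 6), round(cell_lon, 6)


def pseudonymize_id(user_id: str, key: bytes) -> str:
    """Keyed hash: the pseudonym cannot be reversed or re-linked without the key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize_for_storage(record: LocationRecord, key: bytes, now: datetime,
                         retention_days: int = 30, needs_precise: bool = False) -> Optional[Dict]:
    """Drop expired records, pseudonymise the identifier and, unless the service
    genuinely needs a precise location, coarsen the coordinates."""
    if now - record.collected_at > timedelta(days=retention_days):
        return None
    lat, lon = record.lat, record.lon
    precise = is_precise_geolocation(record.accuracy_m)
    if precise and not needs_precise:
        lat, lon = coarsen(lat, lon)
        precise = False
    return {"subject": pseudonymize_id(record.user_id, key), "lat": lat, "lon": lon,
            "precise": precise, "collected_at": record.collected_at.isoformat()}


def process_batch(records: List[LocationRecord], key: bytes, now: datetime) -> List[Dict]:
    """Apply minimize_for_storage to a batch, keeping only records still in retention."""
    kept = (minimize_for_storage(r, key, now) for r in records)
    return [r for r in kept if r is not None]


# Constructed demo data (not real users or a real key).
DEMO_NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)
DEMO_KEY = b"demo-only-key-load-from-a-secrets-store-in-practice"
DEMO_RECORDS = [
    LocationRecord("user-42", 37.7749, -122.4194, 10.0, DEMO_NOW - timedelta(days=1)),   # fresh, precise
    LocationRecord("user-42", 37.7749, -122.4194, 10.0, DEMO_NOW - timedelta(days=60)),  # past retention
    LocationRecord("user-7", 51.5074, -0.1278, 1500.0, DEMO_NOW - timedelta(days=2)),    # fresh, already coarse
]

if __name__ == "__main__":
    for row in process_batch(DEMO_RECORDS, DEMO_KEY, DEMO_NOW):
        print(row)
```

The accuracy check decides whether a record is "precise" in the first place; the device's own accuracy radius is the honest measure, since a coarse fix that was merely rounded to many decimal places would otherwise look precise. The HMAC pseudonym is only as good as the key handling: the same key must be used consistently so records for one subject can still be deleted on request, and it must never be stored beside the data.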
9. Biometric Data
Biometric data consists of biological markers or indicators that allow a person to be identified. Biometric identifiers are truly unique to an individual and a convenient means of authenticating individuals.
The GDPR classifies biometrics as a special category of personal data and generally prohibits its processing for the purpose of uniquely identifying natural persons. In the US, HIPAA covers biometric data as it falls under the category of PHI. The state of Illinois is the first in the US to have passed a biometric data privacy law, the Biometric Information Privacy Act (BIPA).
Here’s what businesses need to know while collecting biometric data:
Obtain necessary consent before collecting biometric data
The privacy policy should clearly explain the purpose and use of the data
Limit the use of biometric data to what is strictly necessary
Provide data subjects the right to opt out or request deletion
Perform periodic deletion when data is no longer needed
You can read more about biometric data and biometric laws in this post.
10. Algorithmic Bias
With the use of AI in recruitment, the criminal justice system, credit approvals, etc., biased decisions affect a far larger population and carry far greater consequences. What induces bias in algorithms? Algorithmic bias is usually not due to an anomaly in the algorithm itself but to the data: if the training data contains bias, the AI model will end up amplifying the biases embedded in that data.
Algorithmic bias can have significant social impact and also lead to financial losses, legal disputes, and reputational harm for the stakeholders. Therefore, it is important that your training data includes diverse data sets and that the model is tested rigorously to eliminate bias. In addition, having an effective framework around responsible AI will go a long way in ensuring fairness in the AI model. You can read more about it here.
Here’s what businesses should keep in mind while investing in AI models:
Ensure that your data set is accurate and diverse
Establish markers to detect bias in production environments
The AI system should be transparent enough for the users to understand, inspect, and reproduce the mechanisms through which the outcomes are being derived
Provide notice and choice to individuals who are subjected to automatic decision making
Have the necessary controls for protecting and securing personally identifiable information in data sets
Refer to existing frameworks and self-regulatory codes for AI development
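One concrete "marker" for the production-monitoring point in the checklist above: the following Python, added here and not part of the original post, computes per-group favourable-outcome rates from a decision log and flags groups whose rate falls below a fraction of the best-treated group's rate. The log is constructed for the example; the 0.8 threshold (the commonly cited four-fifths rule) and the minimum sample size are assumptions of the example, not figures from the post.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed decision log (not real data): (protected_group, outcome),
# where outcome 1 is the favourable decision (e.g. application approved).
SAMPLE_DECISIONS: List[Tuple[str, int]] = (
    [("A", 1)] * 24 + [("A", 0)] * 16     # A: 60% favourable
    + [("B", 1)] * 16 + [("B", 0)] * 24   # B: 40% favourable
    + [("C", 1)] * 11 + [("C", 0)] * 9    # C: 55% favourable
    + [("D", 1)] * 1 + [("D", 0)] * 2     # D: too few samples to judge
)


def selection_rates(decisions: List[Tuple[str, int]], min_samples: int = 10) -> Dict[str, float]:
    """Favourable-outcome rate per group, skipping groups with too few decisions
    (a tiny group would otherwise trigger noisy alerts)."""
    totals: Counter = Counter()
    favourable: Counter = Counter()
    for group, outcome in decisions:
        totals[group] += 1
        favourable[group] += int(outcome == 1)
    return {g: favourable[g] / totals[g] for g in totals if totals[g] >= min_samples}


def disparate_impact(rates: Dict[str, float]) -> Dict[str, float]:
    """Ratio of each group's rate to the best-treated group's rate (1.0 = parity)."""
    if not rates:
        return {}
    best = max(rates.values())
    if best == 0.0:
        return {g: 1.0 for g in rates}   # nobody gets the favourable outcome: no disparity to rank
    return {g: r / best for g, r in rates.items()}


def flag_groups(decisions: List[Tuple[str, int]], threshold: float = 0.8,
                min_samples: int = 10) -> List[str]:
    """Groups whose impact ratio falls below the threshold; run this over a rolling
    window of production decisions and alert when the list is non-empty."""
    ratios = disparate_impact(selection_rates(decisions, min_samples))
    return sorted(g for g, ratio in ratios.items() if ratio < threshold)


def bias_report(decisions: List[Tuple[str, int]], threshold: float = 0.8,
                min_samples: int = 10) -> Dict[str, object]:
    """Summary suitable for logging alongside the model's other production metrics."""
    rates = selection_rates(decisions, min_samples)
    return {
        "rates": rates,
        "ratios": disparate_impact(rates),
        "flagged": flag_groups(decisions, threshold, min_samples),
        "skipped_small_groups": sorted({g for g, _ in decisions} - set(rates)),
    }


if __name__ == "__main__":
    print(bias_report(SAMPLE_DECISIONS))
```

A rate comparison like this only says that outcomes differ between groups; it does not by itself say why, so a flag should start an investigation of the inputs and training data rather than an automatic model change. The group labels themselves are sensitive data, so the monitoring log should be protected with the same controls as the rest of the data set.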