Global Privacy Year-End Brief: What’s Happening Now & What to Expect in 2023
ACA Aponix’s lead privacy expert, Alex Scheinman, accompanied by ACA Aponix’s Senior Director of Client Development, Tyler Pearson, and independent privacy consultant, Bill Schaumann, delivered a year-end review of the global privacy landscape on December 6, 2022. The webcast featured:
- An overview of recent and upcoming data privacy laws in and outside of the U.S.
- An examination of 2022 enforcement actions and statistics that reflect the impact of non-compliance with data privacy regulations.
- A discussion on how firms should prepare to meet their regulatory privacy obligations.
Below are four key takeaways from the webcast. You can access this webcast on demand here.
- Privacy regulations are expanding
Due to expanding and evolving technologies, alongside the increase in information companies collect from users and customers, regulators are increasingly focused on ensuring that users’ information is processed, handled, and stored responsibly and securely by organizations. In particular, since the introduction of GDPR in 2018, privacy regulations have expanded globally, placing new and, at times, overlapping compliance obligations on organizations.
The webinar hosts provided an overview of the global privacy landscape by sharing updates on privacy regulations that either entered the legislative process in 2022 and/or are slotted to go into effect in 2023, including Switzerland’s Federal Act on Data Protection, the introduction of the UK’s Data Protection and Digital Information Bill, updates to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Saudi Arabia’s Personal Data Protection Law.
Without any federal privacy legislation in the U.S., various government agencies at the sectoral level, such as the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC), have established their own privacy regulations to fill this void. In particular, evidence suggests we could see more privacy regulations out of the FTC in the coming years under the leadership of Chairwoman Lina Khan, who is known as a stalwart for expanding the FTC’s authority to prosecute unfair and deceptive trade practices, including privacy violations. In fact, in August 2022, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR), offering the public 60 days to submit comments on the prevalence of commercial surveillance and data security practices that harm consumers.
Privacy regulations are also expanding at the state level in the U.S. Of primary focus is the California Privacy Rights Act (CPRA), which goes into effect 1 January 2023, replacing the existing CCPA. Alongside California, the speakers discussed four other states with privacy laws going into effect in 2023: Virginia, Colorado, Connecticut, and Utah.
- Regulators are prioritizing privacy enforcement
The webinar hosts also shared how privacy enforcement is increasingly becoming a key priority for regulators, posing very real and expensive consequences for organizations found to be in non-compliance. As of October 2022, there were 1,298 issued GDPR fines totaling €2,079,279,647 ($2,183,867,413), with the Finance, Insurance, and Consulting sector among the top five sectors fined.
While privacy enforcement actions in the U.S. are more disjointed than in the EU, various federal agencies investigate privacy-related cases at the sectoral level, including HIPAA’s enforcement arm, the HHS’ Office for Civil Rights, as well as the FTC. To date, the HHS’ Office for Civil Rights has issued civil penalties in 126 cases, totaling $133,519,272. As for the FTC, it has engaged in 66 international privacy enforcement cases since 2020 alone. At the state level, the speakers shared that the creation of a new enforcement body in California under the CPRA is expected to lead to an upward trajectory in enforcement cases in the coming years, with other states following suit as they pass their own pieces of privacy legislation.
- Meeting privacy obligations is challenging
The webcast cited many key challenges firms face in meeting their privacy obligations. For starters, as privacy regulations expand, organizations often find themselves under multiple jurisdictions, requiring them to navigate multiple laws that at times have varying obligations. Not only does learning and understanding these regulations require specific subject-matter expertise, but it also requires significant amounts of time to stay up to date on changes and new regulations. For many firms, this poses a serious resource constraint, as many lack in-house privacy experts.
Beyond understanding the regulations, it can be difficult to determine which laws your organization must comply with due to the sheer quantity and diversity of data housed across the enterprise. Without proper data inventory and classification methods, it is especially difficult for organizations to determine which laws apply to them. Reliance on third-party vendors further complicates understanding the types of data used and how they are stored, posing further challenges to navigating the web of privacy regulatory requirements.
- Organizations need a dedicated person and/or office to coordinate data privacy
Privacy regulatory obligations intersect cross-functionally across an organization, making compliance a shared responsibility across legal, IT & info security, HR, and other core business functions. As shared in the webcast, regardless of the specific regulation, privacy obligations often include or result in the following:
- Developing secure data policies and procedures
- Training staff on the proper handling of Personally Identifiable Information (PII) and data security best practices
- Maintaining the security and integrity of stored data
- Ensuring the secure transmission and storage of data by third parties
- Conducting privacy impact assessments
- Issuing privacy notices
- Fulfilling individual rights management
- Conducting incident response planning
- Issuing breach notifications (when applicable)
- Monitoring regulations, the use of PII, and any relevant changes to business practices
To tackle the challenges and cross-cutting nature of meeting privacy obligations, the speakers emphasized the need for an enterprise-level, coordinated approach. Having a dedicated person and/or office responsible for data privacy can help coordinate an organization’s efforts in navigating and complying with privacy regulatory requirements. As privacy obligations intersect across legal, IT, info security, HR, and other core business functions, it is important to have someone overseeing these efforts to ensure privacy obligations are being met while supporting the organization’s primary business objectives. Organizations without sufficient internal capacity, know-how, or expertise can supplement their efforts via an external virtual privacy office (VPO) to effectively address their privacy obligations.
How we help
We understand that much of the privacy landscape is new and difficult to understand and manage alone. ACA offers data privacy compliance services to assist with assessing a company's compliance with relevant privacy regulations. Through the implementation of best practices, we can help companies achieve broader privacy risk and compliance objectives. Our team of experienced consultants can review a company’s personal data collecting activities to build a data inventory, identify risks and gaps, provide recommendations on addressing those gaps, and support the implementation of privacy requirements.
Learn more about our privacy services and solutions here.
For questions about this webcast, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your trusted cyber adviser or contact us here.
Watch our webcast on demand
There has been a great deal of traction with privacy regulation over the past few years. Nations across the globe have either passed data privacy laws or are legislating them now. With few indications of a slowdown, keeping up with and understanding current and expected regulatory changes can feel overwhelming.
This webcast presents a comprehensive summary of the state of global data privacy that will aid firms as they prepare for 2023.