Data breaches frequently made the headlines throughout 2021. Phishing and ransomware proved to be the two most popular tools for bad actors. Fines and number of affected individuals were massive — not to mention service disruption. The Colonial Pipeline ransomware attack by DarkSide disrupted the petroleum supply chain along much of the East Coast. Facebook saw 214 million records breached, and Amazon Europe was fined a record-breaking $845 million for misusing customer data for targeted advertising.
What’s especially concerning according to the Identity Theft Research Center (ITRC) is that authorities seem to be more resistant to discussing data breaches. For example, “One state has not posted any data breaches since last September. Withholding important information or failing to post notices on a timely basis may serve to prevent individuals from taking actions to protect their identities.” In comments prepared for the US Senate Committee on Commerce, Science and Technology, James Lee, CEO of ITRC indicated data quantity is no longer the goal of an attack; data quality is. The move is away from identity theft and towards identity fraud where thieves monetize the data they steal.
At the same time, the trend is for organizations to take data privacy seriously and not simply just meet regulatory requirements. Organizations are working to make trust a differentiator and weave it into all business practices and employee training. Gartner reports that by 2023, companies that earn and maintain digital trust with customers will see 30% more digital commerce profits than their competitors.
Data Retention atop the Priority List
2021 saw data retention and storage limitation become critical topics for legal, compliance, and privacy. Regulations and litigation associated with over-retention pushed retention to the top of information governance priority lists. Record retention practices and storage limitations are key data processing principles under the GDPR, but new US laws such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) include similar data retention provisions. Personal data must be stored only as long as needed to achieve the purpose for which it was collected.
Thoughts around data retention are shifting away from storing all data forever to a risk-based approach. For example, in recent litigation based on Illinois’ Biometric Information Privacy Act, it was concluded that simply holding data longer than its specified retention period, even when no breach occurred, was privacy harm. In addition to litigation risks, over-retention of data increases operational costs when responding to data subject requests and eDiscovery collections. Organizations that over-retain data will have to search through masses of unstructured data to fulfill subject access requests especially when look-back periods expire. In addition, consider the inefficiencies encountered by individuals searching for data just to complete their daily tasks.
The goal of retention and storage limitation principles is to minimize risk to the privacy and security of personal data. The longer a business retains personal data, the greater the chances for unauthorized or unlawful access, use, or disclosure of that data.
Throughout 2021, privacy laws surfaced around the globe. New regulations were enacted in Canada, Asia-Pacific, Latin America, Europe, and Africa to name a few. In fact, the IAPP publishes weekly Global News Roundups summarizing global privacy activity. Some of these newly enacted regulations such as China’s Personal Information Protection Law had very short runways before taking effect.
With so many international regulations and not enough newsletter space available, let’s focus on US 2021 highlights.
- Although the CPRA was approved by California voters on November 3, 2020, it’s worth including with 2021 highlights as many states introducing regulations throughout the year used it as a blueprint. It’s expected more states will do so during their next legislative sessions. The CPRA amends the CCPA and will take effect on January 1, 2023. However, it contains a 12-month lookback provision, meaning organizations must make sure their data collection practices are compliant with the CPRA from January 1, 2022. This regulation brings California’s comprehensive privacy laws closer to those of the GDPR. Among other things, it introduces new consumer rights such as the Right to Rectification and the Right to Limit Use and Disclosure of Sensitive Data. In addition, it creates an agency, California Privacy Protection Agency, to enforce CPRA compliance.
- The Virginia Consumer Data Privacy Act (CDPA) was signed into law on March 2, 2021, and takes effect on January 1, 2023 – same day as the CPRA. The CDPA is the second US comprehensive data privacy law and mirrors the CPRA in many respects. However, a few key differences exist such as consumers must opt-in to the collection and use of their sensitive data. In addition, it requires Data Protection Impact Assessments for any processing activity involving targeted advertising, data sales, profiling, sensitive data, or any processing that may increase a “risk of harm”.
- The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and takes effect July 1, 2023. It’s the third comprehensive data privacy regulation in the US. Again, this regulation is like California’s and Virginia’s but will take some additional efforts to show compliance. This regulation requires organizations to implement a means for consumers to opt-out of the processing of their personal data for purposes of profiling. It also specifically indicates organizations can’t use dark patterns for obtaining opt-in consent from consumers.
- Unlike many other countries around the world, the US does not have a comprehensive federal privacy law. However, during 2021, several senators urged the Federal Trade Commission to use its rulemaking authority to create a “national standard for data privacy and security.” They stressed these national standards should prohibit exploiting children and teens, include opt-in consent rules for the use of personal information, and provide global opt-out standards. President Biden also nominated Alvaro Bedoya to serve as an FTC commissioner. Bedoya is the founding director of Georgetown Law’s Center on Privacy and Technology. Following this nomination, the House Committee on Energy and Commerce voted to appropriate $1 billion over ten years to the FTC to establish and operate a new privacy bureau. With its rulemaking authority, the FTC may now provide broader privacy and security oversight.
It’s still expected that more than 30 states will introduce some type of privacy bills in their upcoming legislative sessions, so stay tuned for another busy year on the privacy regulations front.