Over the last couple of years, consumer and regulatory pressure has forced corporate legal departments to adopt higher and more methodical standards when it comes to protecting and managing consumer data.
2020 has been no different thus far, and the main issues surrounding data management and consumer privacy will only accelerate as we move forward into the final months of the year. COVID in particular has raised unprecedented challenges and concerns around the security of personal data, and companies’ adaptation to the California Consumer Privacy Act (CCPA) has kept data privacy teams busy.
In this 2020 election season and a year of continued congressional inquiries into technology giants for their monopoly on user data, marketers that rely on consumer data may face additional changes based on the election results, changes in the EU, and policy decisions by technology giants that will require privacy professionals to continue to sharpen their data programs as to how they collect, store and transfer information.
Here are three major trends and events to look out for as we close out the year and head into 2021.
1. A new California privacy law is on the way, and the federal government is up for grabs.
There’s quite a bit at stake in this November’s general elections when it comes to continued strengthening of privacy regulations.
In California, residents will vote on the California Privacy Rights Act (CPRA), which would eclipse the CCPA as the country’s most stringent state-level privacy law. If passed, the CPRA would incorporate many of the same elements that make up the GDPR, including the creation of the first U.S. agency dedicated entirely to privacy protection and a new right for consumers to correct inaccurate data that companies have about them.
The proposed legislation gives consumers a great deal of power over a very broad set of data, and provides for the first U.S. agency solely dedicated to data protection efforts. If passed, and consumer sentiment remains positive, this would likely serve as a template for U.S. states looking to follow California’s lead.
At the national level, the outcomes of the upcoming presidential, congressional and senate races could increase legislators’ appetites to pass new laws, and if Democrats gain elected seats, it may lead to accelerated federal legislation.
2. The EU continues to change how companies will transfer data internationally
In addition to legislative pressure, businesses in the U.S. are now forced to contend with new decisions coming out of international courts.
Earlier this year, a major decision from the EU’s top court struck down Privacy Shield, a transatlantic data transfer mechanism that allowed companies to move data between the EU and the U.S. As a result of this decision, businesses will no longer be able to use the Privacy Shield as a valid instrument to move EU residents’ data to countries with looser privacy protections.
For businesses that invested in becoming Privacy Shield certified, this means finding an alternative method that works with the organization’s needs is yet another task, and for those that were otherwise relying on standard contractual clauses, revisions to those clauses or data transfer agreements will likely be necessary.
Compounding the issue is the multitude of data protection authorities that will likely interpret the decision in slightly nuanced ways, and international companies that operate in Europe must still await further guidance.
Moreover, as the UK continues to transition out of the EU, the withdrawal agreement that is currently governing data transfers between the U.K. and the rest of the EU through the end of the year expires. This will result in additional complications regarding multinational organizations that are currently transferring data to and from the UK. If not yet started, organizations must undergo further analysis of current UK and EU data transfers, select how to continue to legally transfer data between the UK and the EU, and any other country currently engaged in a data transfer, and update paperwork with all clients and partners that will now be considered an international data transfer. This will likely result in months of ongoing efforts to accurately transition paperwork to new entities, and update contracts or data processing agreements.
3. Big tech players are responding to new consumer expectations
Meanwhile, big technology companies are facing pressure from other companies, governments and consumers demanding stronger privacy protections, either by threatening to withhold their business or by filing potentially costly lawsuits.
Just recently, search advertising giant Google was hit with a $5 billion proposed class action claiming that the company improperly collects data from consumers using incognito mode. Now Google is tightening the reins on marketers in terms of how they use third-party data to target users within its ecosystem. Apple has also responded to mounting pressure by introducing new protections and disclosures for mobile app developers using its App Store for distribution, an action that will likely create more need for stringent review for marketers and their data sharing capabilities..
As consumers continue to push for more control and transparency, big tech has made it clear they will respond by introducing new privacy rules as a way of presenting themselves as more attractive options to the public. This means that organizations will need to grapple with policy decisions emerging from companies in the eco systems, as well as legal implications from new laws.
Change is coming, and businesses need to be ready
With many upcoming decisions, legal departments should be ready for an eventful end to an already active 2020.
In a fast-moving regulatory and policy-driven environment, and in a world that has increasingly gone digital, brands cannot afford to wait until decisions are finalized. Instead, marketers should plan for new compliance measures that are on the trajectory of where new policies or laws are headed to allow for allocating the right resources and frameworks to match upcoming modifications. By ramping up investments in tech and strategic personnel hires now, it will help businesses refocus their long-term data strategies and enable them become much more agile when dealing with future privacy requirements.