As new privacy regulations continue to appear globally, there is mounting evidence to suggest that most organizations – regardless of size or type of business – are unprepared to deal with them in an effective manner. That’s one of the big takeaways from a recent September 2019 report from the Internet Society’s Online Trust Alliance (OTA), which analyzed more than 1,200 privacy statements from organizations around the world to see how well they adhered to new privacy regulations such as the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Pros and cons of existing privacy statements
According to the OTA report (“Are Organizations Ready For New Privacy Regulations?”), most organizations get the basics of privacy right in their privacy statements. After all, they’ve now had nearly 18 months to deal with the realities of a post-GDPR regulatory landscape, and have been inundated with stories about data privacy in the media. As a result, 98 percent of the 1,200 privacy statements in the study included at least some language from legal teams about “data sharing.” Moreover, two-thirds (67%) of organizations noted in their privacy statements that they do not share personal data with third-party organizations.
That’s the good news. However, if you dig a little deeper, it becomes clear that most privacy statements are still not going far enough when it comes to keeping up with new privacy regulations. For example, in the cases where organizations do share data with third parties, not a single privacy statement explicitly noted that users would be notified when their data was being either sold or shared. And just over one-half (57%) of organizations specifically noted in their privacy statements that they hold third parties to the same standards as themselves.
As part of its analysis, the OTA mapped its own privacy guidelines to those contained within new privacy regulations appearing worldwide (such as the CCPA), and then checked whether organizations were also following those privacy guidelines when writing up their own privacy statements. Specifically, the OTA was checking to see whether or not privacy statements included language about the ability for users to access, download, and delete their personal data. Moreover, the OTA checked to see if privacy statements were easy to read, easy to find, easy to understand, and easy for users to apply in real life.
While 70% of organizations had a clear point of contact for users concerned about the use of their personal data, the quality and nature of this contact could vary widely. Some companies, for example, included the direct contact information for their Data Protection Officer (DPO). Others, however, simply included a generic email address for questions and concerns.
The OTA specifically noted within its report that a majority of organizations it analyzed were based in the United States, and thus, were not “legally obligated” to follow data privacy guidelines that pertain to data processing outside of the U.S. Moreover, some of the most important new privacy regulations – such as the CCPA – are not due to go into effect until 2020, giving organizations a few more months to get their house in order. Yet, the overwhelming picture that emerges from the OTA report is that organizations simply are not ready for the upcoming deluge of new privacy regulations.
Kenneth Olmstead, Internet Security & Privacy Analyst at OTA, commented on the findings of the report, especially as they relate to the ability of smaller organizations to keep up with new privacy regulations: “The trick for any SMB is to understand which jurisdictions they operate in. Even in the United States at the state level that is evolving and becoming more complicated. Most large privacy regulations (GDPR, CCPA, and PIPEDA covered in this paper) also have robust websites with lots of information and ‘how to’s’ to comply with each law. There are several organizations that track laws as they develop around the world as well – the International Association of Privacy Professionals (IAPP) is one example.”
The new post-GDPR regulatory landscape
In many ways, the enactment of the European GDPR in May 2018 set into motion an entirely new approach to data privacy and data security. This paradigm shift included new thinking about how to manage the enormous flows of data passing into and out of organizations on a daily basis, and how to report this information to customers and users. And it also established the fact that organizations would have to start dealing with enormous fines and penalties for any lapses in data privacy or any data security breaches.
At the beginning of 2019, the one example that got people’s attention was a more than $50 million fine handed out by the French National Data Protection Commission (CNIL) against Google for “a lack of transparency, inadequate information and lack of valid consent regarding ads personalization.” That one case opened the door to larger and larger fines against tech giants not just in Europe, but also around the world.
New privacy regulations on the horizon
Of the new privacy regulations on the horizon, the one that has everyone’s attention right now is the California Consumer Privacy Act (CCPA), set to go into effect in January 2020. Since California is home to most of the world’s biggest tech companies – including Apple, Facebook and Google – it’s easy to see how the CCPA could have far-reaching implications for data management. Already, at least 10 other U.S. states have new privacy regulations close to being put into effect, and there is suddenly debate at the national level about the passage of federal privacy legislation that would help to unify all of the competing laws and regulations. Right now, the federal approach to data privacy has been piecemeal, with each new law covering just a very tiny piece of a much larger data privacy puzzle.
And that doesn’t even begin to scratch the surface with what is happening globally. Brazil, for example, is set to debut its General Data Protection Law (LGPD) in August 2020. Nations from Asia to Latin America are going to debut new privacy regulations as well.
Dealing with new privacy regulations
Clearly, organizations need to be doing more than just coming up with fancy new privacy statements in order to deal with the new privacy regulations. According to top privacy researchers, organizations need to be doing more to integrate privacy and security into every aspect of their business processes. Instead of waiting for privacy issues to surface at a later date, companies should be taking a much more proactive stance toward data privacy and data security. Instead of outsourcing their troubleshooting to bug bounty programs, they should be looking to make data security part of their overall enterprise risk management framework.
“Privacy regulations around the world are evolving and compliance will soon be a requirement, not a choice,” said Kenneth Olmstead, Internet Privacy and Security Analyst at the Internet Society’s Online Trust Alliance. “Within the U.S. alone, multiple states have privacy laws in motion. It’s in the best interest of all organizations to keep up-to-date on these laws as the requirements change. Protecting customers’ data will not only be an essential component of fostering loyalty and trust, but will also become necessary to avoid heavy fines.”
With so many new privacy regulations on the horizon – combined with the fact that regulators around the globe are becoming much more aggressive about penalizing privacy laggards that ignore data privacy laws – organizations need to be taking the next big step to protect themselves from legal and regulatory risk. GDPR was just the start, and there is no longer any way to reset the clock and go back to an earlier period of time. Privacy is now a central issue that is top-of-mind for consumers, regulators and legislators around the globe.