The data privacy landscape is in constant flux, and it’s not easy to predict everything that will happen over a year. If you had asked us what the top privacy issues of 2020 would be in December 2019, we probably wouldn’t have picked remote work options as an answer.
But here we are.
While we can’t forecast every privacy development on the horizon, there are a few things coming up in 2022 that every business should prepare for.
Even though it doesn’t go into effect until January 2023, the California Privacy Rights Act (CPRA) applies to all information collected from January 2022 onward. That means that if you operate in California or collect information from its residents, you need to spend 2022 getting compliance-ready for this new law.
The CPRA provisions most businesses will have to prepare for include:
• Protections for “sensitive personal information” (social security numbers, precise geolocation, financial data, race, religion, sexual orientation, biometrics, genetic info, medical history, etc.)
• Equalization of “sharing” and “selling” data
• “Limited and specific purposes” for the sale/sharing of data
• Strict obligations for third parties’ data processors
As part of the new regulation, CPRA created its own enforcement agency and increased fines for non-compliance, so staying on top of your data privacy program will be critical to avoid negative repercussions.
New State Privacy Laws
There isn’t a federal law protecting individual user data, and other than California, only Virginia and Colorado have passed their own independent-but-comprehensive privacy legislation that will be effective in January 2023 and July 2023, respectively. (Let’s take a moment to really hammer in that Virginia and Colorado’s laws are unique to them, so you won’t be able to just copy-paste from your CCPA/CPRA playbook.)
But that doesn’t mean other states aren’t trying. Seven states currently have active data privacy bills, and 19 states proposed laws this last session that failed or were postponed. At least some of those states, along with a few new ones, will likely propose new bills in 2022 legislative sessions.
That means that more privacy regulations are on their way, and no matter where you or your customers are based, you need to be prepared. Smart companies will take this time to implement data privacy best practices like data mapping, opt-out/opt-in functionality and preference centers. These steps will make it much easier to comply with whatever new legislation is passed.
Changes At Apple And Google
After Apple’s App Store increased transparency into data practices by requiring user consent before apps could track users or sell their data, Google followed suit. Starting in 2022, Google’s marketplace, Google Play, will require developers to disclose what types of data their apps collect, how they store it and what they use it for.
Continued Remote Work Expectations
While many businesses are reopening their offices, the Covid-19 pandemic has created an undeniable shift toward remote work. Companies like Adobe, Twitter, and Spotify have announced a variety of partial and permanent work-from-home options.
Around the world, businesses of all sizes are experimenting with variable work schedules and remote work options for all their employees. However beneficial this flexibility is, it also exposes a company to more risk. A recent Tenable study found that 74% of organizations (registration required) relate recent business-impacting cyberattacks to vulnerabilities related to remote work.
This means that there is an urgent need to decentralize and strengthen privacy practices and protect network access. Key updates to make include:
• Password and access policies
• Requirements for two-factor authentication
• Robust and ongoing privacy training for employees
Data privacy laws exist because of the advocacy of consumer privacy activists. As these laws become more common, data privacy is slowly shifting from a fringe advocacy focus to an expected consumer right. According to a Pew Research Center study, 52% of individuals won’t purchase a product or use a service if they’re concerned about the privacy or security of their personal information.
The bottom line: Privacy matters to everyone, regardless of what regulations apply to your company. Even if your company doesn’t operate or have customers in California, even if you don’t have an app and even if your state isn’t actively pursuing privacy legislation, your users expect more control over how their personal information is collected and used.
Plan, Don’t Panic
Data privacy is complex, but it’s only hard if you wait until you are up against a hard deadline to create your privacy program. If you plan ahead for the changes we know are coming in 2022, your company will be more prepared to handle whatever privacy issues come your way.