Preparing For the Next Wave of Data Privacy Obligations
Some things just are better together. Peanut butter and jelly. Coffee and cream. Batman and Robin. Salt and pepper. Security and privacy.
In today’s world, companies need both. They collect more data than ever before, keep it longer, and use dozens of cloud tools to store and access it on demand. According to Statista, global cloud IT infrastructure spending will exceed $133 billion by 2026 — a rise of nearly $100 billion over the previous ten years.
Businesses and customers definitely enjoy their real-time data. But they need to trust that it never falls into the wrong hands or gets in front of the wrong eyes. That’s where security and privacy come in.
Data privacy is critical for business operations
Security is all about protecting data from unauthorized access. If you want to keep bad actors outside your systems, you should do everything from deploying software solutions to training your employees to identify phishing emails.
Once you’ve secured your data, you must control and govern it. That’s what privacy is about — determining which data your company collects, how you use it, and with whom you share it.
Data is the foundation of many business actions, whether sending critical documents or making financial trades. So data privacy is critical to incorporate into core business operations.
A decade ago, it was still somewhat possible to start a business, collect all the data you wanted, and figure out privacy later. Now data collection and privacy must go hand in hand, especially given the recent wave of data privacy laws and the many more to come.
A brief history of data privacy laws
The modern era of data privacy began with the General Data Protection Regulation (GDPR), which went into effect in the European Union (EU) in May 2018. GDPR is considered the gold standard of privacy laws because of its scope.
For example, if your company is based in the EU, sells or markets to people living in the EU, or purposefully tracks their behavior, you could be subject to GDPR’s maximum fine of €20 million or 4% of worldwide annual revenue (whichever amount is higher).
GDPR lays out stringent rules on how companies can use data. Companies must generally notify individuals about data collection, use, and sharing. GDPR also requires companies to have lots of documentation. Overall, the EU’s fundamental philosophy places the individual first and the company second.
By contrast, in the United States, data privacy has typically taken the opposite approach, where the individual’s privacy rights are secondary to the company’s. But this is changing, especially in states with privacy laws.
California was the first state to have a comprehensive state privacy law: the California Consumer Privacy Act (CCPA). It became effective in January 2020, and this year it was updated with an amendment called the Consumer Privacy Rights Act (CPRA).
Since then, more states have followed, including:
Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023
Connecticut Data Privacy Act (CTDPA), effective July 1, 2023
Colorado Privacy Act (CPA), effective July 1, 2023
Utah Consumer Privacy Act (UCPA), effective December 31, 2023
These laws require companies to have detailed privacy notices and list specific requirements for collecting, using, storing, and sharing data. Essentially, they make companies consider the business purpose of their data — which can result in the need to change how you process data.
Remember that states can differ in how they define "sensitive" data. In privacy laws, sensitive data often includes qualitative characteristics that could jeopardize an individual’s freedoms, such as race, gender, health, sexual orientation, and religion.
Why trust is critical for data privacy
While these data privacy laws establish baselines for compliance, they also guide companies in building trust with individuals. The last thing businesses want to do is engage in secret, sneaky data practices that can potentially damage customer relationships.
Protecting customer data is critical, but how your company uses it is equally important. Do you sell it to another company? Do you use it for analytics that would surprise customers? Do you upload it to third parties that use it on their own or don’t take proper precautions with it?
The future of data privacy laws
What ultimately unites these laws is the modern trend toward individual rights. The new data privacy laws share common features like the right to know, the right to access information, the right to delete information, and the right to opt out of data collection. Depending on the exact law, there are many others as well. But the idea that the data belongs to the individual, who can exert control over it, is critical to understanding privacy.
We’re just getting started with privacy laws — in the coming years, many more will be introduced in the US and globally. If you’re running a company, you should consider privacy with every new marketing activity, every new cool product feature, and every new website or software implementation. Focusing on privacy today will give you a head-start on your competitors. If you bake privacy into your daily business, you will be ready for the next wave of privacy obligations.