Companies must effectively process and manage data rights as new privacy and data protection laws are enacted worldwide and people become more educated on their rights to access, delete and correct their personal data. The mandate will expand as online purchases grow.
California Proposition 24, which passed in the November 2020 election, extends the state’s consumer privacy legislation — CCPA — to the Consumer Personal Information Law and Agency Initiative. A vote for the proposition expanded the state’s consumer data privacy laws.
In one of the biggest changes, said Heather Federman, vice president of privacy and policy at BigID, “California will have its own dedicated agency that enforces CPRA, which will have its own budget to go after companies that do not comply. Even if you’re a company that doesn’t get a lot of requests to remove data, there are still requirements you can get dinged for. If you mess up one of two requests per year, regulators could come after you.”
These new laws included provisions that allow consumers to direct businesses not to share their personal information, remove the time period in which businesses can fix violations before being penalized, and create the Privacy Protection Agency to enforce the state’s consumer data-privacy laws.
Believe it or not, I have friends in California who did not realize the extent of this proposition.
“It doesn’t surprise me and it’s pretty consistent among my non-privacy friends,” Federman said. “There’s a gap in consumer awareness, but I expect this to change.”
BigID partnered with the International Association of Privacy Professionals (IAPP) to conduct a study on the state of consumer rights. One statistic that emerged: by July 2020, only 13% of companies had received requests to remove consumer information. Most were big brands.
For the survey, BigID asked more than 475 privacy professionals worldwide to examine current data-rights practices through the organizational structure and to tell how these practices may change in the future.
This report summarizes the findings, focusing on how companies approach data rights; how they track, process, and fulfill requests; and in which areas they intend to invest in the future.
U.S. companies plan to invest much more in data-rights management resources than those located in the rest of the world.
Overall, 51% of companies said they would invest in data discovery, inventory and mapping, whereas 34% would invest in consent and preference management. Some 30% cited enhancements in the creation of consumer privacy portals, and only 8% said they would invest in advisory services.
The way companies choose to build first-party data repositories continues to change. Half of respondents said they use surveys to build their data inventories, while about 30% use data catalogs, privacy-specific data discovery or data classification tools, either together or separately.
Federman, former head of privacy at Macy’s and American Express, pointed to a lack of standardization and consumer awareness, and underscored that the responsibility remains with the consumer to go to the hundred-plus websites they might interact with to opt out.
CPRA does not help consumers manage their privacy.
Whether or not brands do business today in California, this proposition will influence a nationwide mandate in the future, because state legislators and brands working with them are pushing to create a federal law.
Two main challenges would have to be overcome to get a federal privacy law: “whether or not there’s some form of a private right of action, and whether or not there’s federal preemption,” she said. “If somehow these two are negotiated, the U.S. might live in a world with federal privacy regulation.”
She said to take a look at the U.S.’s data breach notification laws: there are 50 different state notification laws. In 2018 there was a huge call to have some sort of security law, and the U.S. still couldn’t get it together.
“I could see a universe where privacy will become a market differentiator,” she said. “They might say ‘we offer you seamless, easy access to your data’. But I’m not sure if anyone will go out and market their privacy practices” -- other than what has been seen from Apple.
When Apple releases its changes to iOS, the industry could adopt a standard "nutrition label," which might make it easier for consumers to understand the types of data that apps might collect about them, she said.