Data privacy has never been more top of mind. From regulators to businesses, privacy professionals to consumers, and more, everyone has a stake in data privacy.
With all this attention and focus, the data privacy world is evolving at a break-neck pace—not just in terms of legislation, but also in terms of best practices, awareness, and risk.
What are the biggest trends in data privacy in 2023?
1. Consumers have more ways to manage their privacy
For years, consumers really only interacted with two systems when exercising their privacy rights:
- Individual cookie pop ups on each and every website they visited.
- An email address or form for data subject access requests (DSARs).
Customers need to know what a DSAR was before they could make one, what types of requests they can make, and where to find the mechanism for initiating a DSAR. It’s a lot of work for the average consumer to make a DSAR.
When it comes to interacting with cookie banners, most consumers just close the pop up or banner as soon as possible or arbitrarily clicked on whichever button was closest to their mouse. For many consumers, these are just frustrating features they don’t understand the need.
But that’s changing—both in terms of consumer awareness and tools that make consumer data privacy management easier.
The Global Privacy Control (GPC), for instance, enables consumers to set their consent preferences just once and then propagates a preference signal to every website the consumer visits. Under many privacy laws, businesses are explicitly required to honor these universal opt-out signals.
Then, there are tools like Permission Slip, which makes it simpler to issue a DSAR. Rather than dig around a company’s privacy policy and become educated on the nature and limits of data privacy rights, consumers can use an intuitive app that uses everyday language. Tools such as these can even automate DSARs so a consumer can request the deletion of their data on a monthly basis, for example.
What does this mean for privacy professionals? It means they’re going to be needed.
The easier it gets for consumers to exercise their rights, the more businesses will need dedicated privacy professionals and methods for automating compliance tasks. Not only does this mean businesses will need to handle consent and DSARs at scale, but they’ll also need to pay more attention to all aspects of compliance, such as vendor management, data security, data minimization, and more. With these additional compliance aspects in place, businesses become better positioned to quickly respond to consumer requests, protect other individuals’ data in DSARs, provide proof of consent, and so on.
2. More enforcement from more sources
It seems like every month there’s a major headline about a seven- or eight-figure fine against tech companies violating the GDPR. But privacy advocates and data protection authorities alike insist that the current level of GDPR enforcement is not enough. We may very well see even stronger enforcement coming from Europe as result.
Data privacy regulations are only just entering the enforcement stage in the U.S., but early signs indicate that these laws have bite to match their bark. The California Attorney General has already issued a seven-figure fine against Sephora.
While attorneys general only have so much bandwidth for pursuing enforcement, California has its own enforcement agency—the California Privacy Protection Agency (CPPA)—whose sole purview will be to enforce data privacy regulations in California. Given the size of the California market, we can expect many, many businesses to be subject to data privacy enforcement.
3. SMBs are building their own data privacy programs
The largest enterprises are exposed to the greatest risk from data privacy regulations; correspondingly, they’ve been the only organizations that traditionally needed and invested in data privacy programs. That’s changing.
There are plenty of examples of data privacy regulators going after small- and medium-sized businesses (SMBs)—in fact, GDPR regulators have seen fit to issue fines as small as €28.
Furthermore, the thresholds for a business to be subject to the GDPR, CCPA/CPRA, and similar laws are very low. Under the CCPA/CPRA, for example, any business that works with the personal information of 100,000 California people or households is subject to the law (among other requirements). If your business has any kind of digital presence, it’ll hit that threshold rather quickly.
SMBs are recognizing and responding to this fact. Let’s define SMBs as those businesses earning less than a billion in revenue a year. Under that definition, research by the International Association of Privacy Professionals (IAPP) shows SMBs are investing around half a million dollars into their privacy programs each year—and for the immediate future, that figure is only going to grow.
4. Data is no longer the new oil
A 2017 Economist article was the first to popularize the idea that the world’s most valuable resource was not oil, but data. The idea that data was the new oil quickly became a widely shared belief.
Data is valuable, to be sure, but the comparison to oil does away with any nuance and ignores the reality of modern digital businesses. FAANG companies (Facebook, or Meta; Apple; Amazon; Netflix; and Google, or Alphabet) became enormously successful due in part to their dragnet-style data collection practices. Now, they’re the biggest targets of data privacy regulators, and while personal data collection has fueled their growth, it hasn’t come without additional risk and management requirements.
Data isn’t an inherently valuable commodity that needs to be collected at all costs. Businesses are recognizing (with the gentle nudging from data privacy regulators) that the value of data provides diminishing returns; at a certain point, it just becomes a source of excess risk.
Toeing this line through effective, efficient data minimization practices is separates those businesses that effectively turn data into revenue without violating privacy rights from those that are just asking for a data breach or a privacy investigation.
5. Companies are in wait-and-see mode, but they may be waiting too long
With the number of new and updated legislation in the privacy world, many businesses are wary of diving into building a privacy program head first. Some businesses that operate in the U.S. are waiting until a federal data privacy law hits the books or until they hear of significant enforcement actions in their industry.
Businesses inclined toward waiting general fall into three camps:
- Those who are building the foundations for their privacy program, but aren’t committing to larger, more advanced or less impactful initiatives.
- Those who are addressing their privacy challenges on a one-off basis
- Those who aren’t taking any actions whatsoever.
Out of these groups, only the first is really responding to the uncertainty in the privacy landscape appropriately. It should be noted that some businesses are truly committed to privacy and have secured budget and buy in to build a fleshed-out, holistic data privacy program; that isn’t feasible for everybody. In this case, businesses are best served by investing enough time and energy to establish the foundational, fundamental elements of their privacy programs. That way, they’ll be quick to scale up when the realities of data privacy compliance come to the fore.
What does this look like? Privacy professionals who are tasked with establishing a data privacy program foundation should:
- Establish the long-term plan for their program.
- Define the metrics they’ll use to measure success and to build the case for their program, such as measuring the time and cost spent fulfilling DSARs.
- Prioritize current legislation for compliance goals—for example, a business subject to all current U.S. state laws could reasonably prioritize compliance with the CCPA/CPRA and build toward eventual compliance with the others.
- Conducting a data inventory/record of processing activities (RoPA), crafting a privacy policy, and building a case to secure buy in from other stakeholders.
How should businesses and privacy professionals respond to these trends?
Really, these different trends are all the same trend: Data privacy compliance is becoming more important for modern businesses. Consumers are becoming savvier and better equipped, enforcement authorities are on the prowl, businesses of all sizes are building privacy programs, the risk inherent to data collection has become more obvious, and companies are paying attention to the space. All of this adds up to a level of focus on data privacy that has never been higher.
At the same time, there is also widespread confusion around where to start. There is a lot to compliance, and prioritization is a challenge. For businesses and privacy professionals looking for guidance on what comes next, we recommend checking out Osano’s action plan for data privacy compliance in 2023.
