
February 9, 2023
Data privacy has never been more top of mind. From regulators to businesses, privacy professionals to consumers, and more, everyone has a stake in data privacy.
With all this attention and focus, the data privacy world is evolving at a break-neck pace—not just in terms of legislation, but also in terms of best practices, awareness, and risk.
For years, consumers really only interacted with two systems when exercising their privacy rights:
Individual cookie pop ups on each and every website they visited.
An email address or form for data subject access requests (DSARs).
Customers needed to know what a DSAR was before they could make one, what types of requests they could make, and where to find the mechanism for initiating a DSAR. It’s a lot of work for the average consumer to make a DSAR.
When it comes to interacting with cookie banners, most consumers just close the pop up or banner as soon as possible or arbitrarily click whichever button is closest to their mouse. For many consumers, these are just frustrating features whose purpose they don’t understand.
But that’s changing—both in terms of consumer awareness and tools that make consumer data privacy management easier.
The Global Privacy Control (GPC), for instance, enables consumers to set their consent preferences just once and then propagates a preference signal to every website the consumer visits. Under many privacy laws, businesses are explicitly required to honor these universal opt-out signals.
Then, there are tools like Permission Slip, which makes it simpler to issue a DSAR. Rather than dig around a company’s privacy policy and become educated on the nature and limits of data privacy rights, consumers can use an intuitive app that uses everyday language. Tools such as these can even automate DSARs so a consumer can request the deletion of their data on a monthly basis, for example.
What does this mean for privacy professionals? It means they’re going to be needed.
The easier it gets for consumers to exercise their rights, the more businesses will need dedicated privacy professionals and methods for automating compliance tasks. Not only does this mean businesses will need to handle consent and DSARs at scale, but they’ll also need to pay more attention to all aspects of compliance, such as vendor management, data security, data minimization, and more. With these additional compliance aspects in place, businesses become better positioned to quickly respond to consumer requests, protect other individuals’ data in DSARs, provide proof of consent, and so on.
It seems like every month there’s a major headline about a seven- or eight-figure fine against tech companies violating the GDPR. But privacy advocates and data protection authorities alike insist that the current level of GDPR enforcement is not enough. We may very well see even stronger enforcement coming from Europe as a result.
Data privacy regulations are only just entering the enforcement stage in the U.S., but early signs indicate that these laws have bite to match their bark. The California Attorney General has already issued a seven-figure fine against Sephora.
While attorneys general only have so much bandwidth for pursuing enforcement, California has its own enforcement agency—the California Privacy Protection Agency (CPPA)—whose sole purview will be to enforce data privacy regulations in California. Given the size of the California market, we can expect many, many businesses to be subject to data privacy enforcement.
The largest enterprises are exposed to the greatest risk from data privacy regulations; correspondingly, they’ve been the only organizations that traditionally needed and invested in data privacy programs. That’s changing.
There are plenty of examples of data privacy regulators going after small- and medium-sized businesses (SMBs)—in fact, GDPR regulators have seen fit to issue fines as small as €28.
Furthermore, the thresholds for a business to be subject to the GDPR, CCPA/CPRA, and similar laws are very low. Under the CCPA/CPRA, for example, any business that works with the personal information of 100,000 California residents or households is subject to the law (among other criteria). If your business has any kind of digital presence, it’ll hit that threshold rather quickly.
SMBs are recognizing and responding to this fact. Let’s define SMBs as those businesses earning less than a billion in revenue a year. Under that definition, research by the International Association of Privacy Professionals (IAPP) shows SMBs are investing around half a million dollars into their privacy programs each year—and for the immediate future, that figure is only going to grow.
A 2017 Economist article was the first to popularize the idea that the world’s most valuable resource was not oil, but data. The idea that data was the new oil quickly became a widely shared belief.
Data is valuable, to be sure, but the comparison to oil does away with any nuance and ignores the reality of modern digital businesses. FAANG companies (Facebook, or Meta; Apple; Amazon; Netflix; and Google, or Alphabet) became enormously successful due in part to their dragnet-style data collection practices. Now, they’re the biggest targets of data privacy regulators, and while personal data collection has fueled their growth, it hasn’t come without additional risk and management requirements.
Data isn’t an inherently valuable commodity that needs to be collected at all costs. Businesses are recognizing (with the gentle nudging from data privacy regulators) that the value of data provides diminishing returns; at a certain point, it just becomes a source of excess risk.
Toeing this line through effective, efficient data minimization practices is what separates those businesses that effectively turn data into revenue without violating privacy rights from those that are just asking for a data breach or a privacy investigation.
With the volume of new and updated legislation in the privacy world, many businesses are wary of diving into building a privacy program headfirst. Some businesses that operate in the U.S. are waiting until a federal data privacy law hits the books or until they hear of significant enforcement actions in their industry.
Businesses inclined toward waiting generally fall into three camps:
Those who are building the foundations for their privacy program, but aren’t committing to larger, more advanced or less impactful initiatives.
Those who are addressing their privacy challenges on a one-off basis.
Those who aren’t taking any actions whatsoever.
Out of these groups, only the first is really responding to the uncertainty in the privacy landscape appropriately. It should be noted that some businesses are truly committed to privacy and have secured the budget and buy-in to build a fleshed-out, holistic data privacy program; that isn’t feasible for everybody. In that case, businesses are best served by investing enough time and energy to establish the foundational, fundamental elements of their privacy programs. That way, they’ll be able to scale up quickly when the realities of data privacy compliance come to the fore.
What does this look like? Privacy professionals who are tasked with establishing a data privacy program foundation should:
Really, these different trends are all the same trend: Data privacy compliance is becoming more important for modern businesses. Consumers are becoming savvier and better equipped, enforcement authorities are on the prowl, businesses of all sizes are building privacy programs, the risk inherent to data collection has become more obvious, and companies are paying attention to the space. All of this adds up to a level of focus on data privacy that has never been higher.
At the same time, there is also widespread confusion around where to start. There is a lot to compliance, and prioritization is a challenge. For businesses and privacy professionals looking for guidance on what comes next, we recommend checking out Osano’s action plan for data privacy compliance in 2023.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.