According to PwC research, over three-quarters of CEOs felt that data privacy was a focus going into 2020.
Despite a global pandemic and a contentious U.S. election, the topic is just as important this year. What will the rest of 2021 bring?
Bubba Nunnery, ZoomInfo’s Senior Director of Privacy and Public Policy, shares his predictions for privacy this year.
1. Privacy Shield will be replaced or reimagined
One of the more widely recognized privacy developments in 2020 was the invalidation of the E.U./U.S. Privacy Shield due to conflicts between American digital surveillance practices and E.U. privacy law. This left companies without a clear and permanent solution for transatlantic data flows between the E.U. and the U.S.
There is a fair amount of urgency to find a permanent solution. For now, Standard Contractual Clauses have remained intact and can help companies transfer data out of the E.U. responsibly. But mixed messages from E.U. authorities in the fall gave confusing signals to those trying to follow their guidelines.
For example, the European Data Protection Board has suggested companies rely on technical frameworks like encryption while the European Commission has issued guidance that contractual clauses are sufficient, with the caveat that they communicate the risk of government surveillance.
As 2021 is underway, formal negotiations between the U.S. and the E.U. are likely to resume sooner rather than later, paving the way for the Privacy Shield to be replaced or reimagined.
Whether a short-term or a permanent solution is adopted remains to be seen, but the Biden administration seems to be signaling that it will prioritize these discussions with its early appointment of privacy veteran Christopher Hoff to lead discussions with the European Commission.
2. New privacy issues put pressure on Congress.
In 2020, nine federal proposals at various stages of development were introduced and/or discussed in the federal government, and they still exist in some form or another. Five of them are backed by Democrats, three are from Republicans, and one has bipartisan representation.
The two major dividing points between Democrats and Republicans have been state preemption and a private right of action. And whereas a middle ground may have been possible in early 2020, the emergence of COVID-19 and a raucous 2020 election cycle quickly deprioritized privacy discussions.
As the 117th Congress now turns its attention back to legislation, the privacy discussion has become more complex and the pressure has grown for the federal government to make progress.
As noted above, a stronger solution for the U.S./E.U. Privacy Shield needs to be identified and expanded to consider the U.S./Swiss Privacy Shield as well as the implications of Brexit.
There are also new privacy issues for Congress to consider, including the eventual Supreme Court opinion on the Federal Trade Commission’s ability under Section 13(b) of the FTC Act to obtain monetary remedies for consumers, facial recognition technology, COVID-19, and the privacy implications of contact tracing.
3. Pressure on Congress will come from the states as well.
Tired of a gridlocked federal government, dozens of states will continue to try to pass their own privacy laws, many using California’s Consumer Privacy Act (CCPA) as a model for their own state.
Getting a comprehensive federal privacy law in place would spare businesses from navigating a confusing patchwork of state privacy laws, a dynamic that would be exponentially more difficult for start-ups and smaller companies.
Furthermore, California Attorney General and incoming Health & Human Services Secretary Xavier Becerra has been a staunch advocate for state privacy laws and appeared at the Senate Commerce Committee meeting last September to make a strong case against federal preemption.
Considering that California has a particularly large House delegation in Congress, making a case to preempt the state law will likely require the federal law to be stricter, or else it will face resistance from California’s federal lawmakers.
4. Companies will have to play offense and defense.
With no federal law in sight, companies will not only need to advocate for business-friendly policies in Congress, such as a federal bill that preempts similar state privacy laws, but will also need to keep watch for troublesome policies at the state level.
Bills such as Oklahoma’s Computer Data Privacy Act, which would require consumers to give explicit permission before companies can collect or sell their information, would be the first “opt-in” privacy laws in the U.S. and could have an enormous impact on internet-technology companies.
At the time of writing, dozens of privacy bills are on deck or have already been introduced in states.
5. The term “personal information”, as used by state and federal lawmakers, will continue to struggle for a clear definition that accurately delineates sensitive and non-sensitive information.
Information about an individual is absolutely personal.
But a distinction that is all too often missing from legislative language is a clear differentiation between sensitive personal information, like account numbers, passwords and health history, and non-sensitive personal information, like business contact information that B2B companies use every day in their go-to-market efforts.
Business contact information, like that often found on a business card or in a work email signature block, is not sensitive and poses no risk to an individual. What would happen if a stranger found your business card on the ground? They wouldn’t be able to access your accounts. They wouldn’t be able to steal your identity.
The same can’t be said about sensitive information, like your social security number or passwords. The distinction needs to be reflected in privacy legislation.
6. More companies will seek to arm themselves with privacy certifications that exceed the currently required minimum. More companies will also build privacy centers hosted on their websites.
Just as a rising tide lifts all boats, one competitor upgrading its privacy standards can raise the standard across its entire industry. A strong privacy program is a competitive advantage, and a company gains a significant edge over its competitors by being able to market its superior privacy certifications to customers.
For instance, ZoomInfo offers a self-service privacy center to provide individuals and companies with an easy way to manage their personal information. Following its introduction in privacy notices, usage of the center increased from 39% to 62% over a six-month period.
7. Companies will increasingly appoint data privacy-focused employees to the C-suite.
Many companies already have a named data protection officer within the organization. But, as attention to privacy grows, and with so much at stake if things go awry, including lawsuits filed or expensive fines levied, companies will want senior leadership with extensive experience providing guidance on the topic.