There’s never a dull moment in the privacy field. The challenges faced by privacy professionals are dynamic and unique to this point in time. They’ll also continue increasing in complexity as the regulatory landscape expands its reach and influence worldwide.
Three trends summarize the most significant drivers of change in privacy and data governance today:
From new laws and changing frameworks – to updated standards and guidance, privacy professionals face the immense challenge of keeping pace with rapid structural change. Rather than reverting to reactive patterns, teams can seize opportunities to operate proactively. There are plenty of well-documented best practices that support this approach.
As novel technology and data usage methods continue emerging, business teams sometimes view compliance as a blocker for innovation. But a solid strategy supports both. Embedding privacy by design will enable teams to remain on the cutting edge of business performance while adhering to regulations.
Investors, customers, employees, and other critical stakeholders are paying close attention to business practices, ethics, and governance. As a result, transparency and consent carry significant weight when it comes to the bottom line. The opportunity to capture consumer trust will be a strategic differentiator in the years to come.
Based on these trends, it’s clear privacy is evolving beyond regulatory compliance and into a new era of integrated data governance and trusted data use.
Additionally, privacy is receiving a more significant share of visibility in the boardroom and among external stakeholders. This opens the door for privacy teams to tell a compelling story: one of integrating privacy efforts more profoundly across the organization to accomplish mutually beneficial objectives.
OneTrust’s team of regulatory experts closely monitors the global privacy landscape to interpret what current trends and upcoming milestones mean for maturing privacy programs. The following guide includes a summary of major global regulatory updates and how your organization should prepare.
Five significant events are coming up in 2023 that you should be planning for:
1. CPRA and other major US-based legislation coming into effect
The CPRA will enter into effect on January 1, 2023. As you prepare to strengthen your existing California Consumer Privacy Act (CCPA) compliance program to account for the stricter amendments within the CPRA, keep in mind employers now have additional obligations to employees. These include the right to rectification, portability, and the right to limit the use and disclosure of sensitive personal information.
In 2021, Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) became law. Each will require qualifying organizations to provide a universal opt-out process. Technical guidance from the Commonwealth of Virginia and the State of Colorado is forthcoming in 2023. Utah and Connecticut have now followed closely behind with their own comprehensive data laws.
In the meantime, organizations subject to the CDPA and/or CPA that don’t already provide a universal opt-out system will need to plan to implement one. Typically, that involves structural-level assessments of the data you collect and process. This will require gaining stricter oversight over how and where you store personal data.
2. New privacy regulations in China
China’s Personal Information Protection Law (PIPL) took effect in November 2021, and it’s initiating a ripple effect across global industries.
In some respects, it closely aligns with the General Data Protection Regulation (GDPR) and other global privacy legislation. For example, the data subject has a right to access, right to withdrawal, and right to deletion.
But in other cases, it vastly differs. The Cyberspace Administration of China (CAC) will oversee PIPL compliance. As a state-based agency, this departs from the global norm of independently-operated agencies empowered to exercise compliance oversight.
Another significant impact of the PIPL is the requirement for organizations to store the data collected from Chinese subjects within China. Processing this data outside of China will also require review and approval by national security agents.
It’s not clear what the precise terms of applicability are yet. But it’s reasonable to assume many mid-to-large-sized entities will need to comply with PIPL.
Additionally, as other neighboring countries draft their own privacy laws, there’s a chance PIPL may carry significant influence over the future of regulation in parts of Asia. It will be critical to remain informed as the CAC issues updated PIPL guidance and understand its influence on other emerging legislation.
3. Transitioning away from third-party cookies
By the end of 2023, third-party cookies will no longer be available. While this represents a significant departure from today’s practices in targeted advertising and personalization, it also opens up new opportunities for businesses and marketers.
Pursuing first-party data enables you to transition away from third-party cookies, but the required ramp-up time has to start now. Since you’ll be asking for users to provide their data to you directly, you must provide compelling offers in exchange.
A strong first-party data strategy begins with establishing trust – and yields higher quality data as a result.
4. Stricter requirements for cross-border data transfers
In July 2020, the Schrems II decision shed new light on how businesses conduct cross-border data transfers.
The Court of Justice of the European Union (CJEU) identified the EU-US Privacy Shield Framework to be inadequate. The problem lay with other countries’ laws and whether they might override the law from the data’s country of origin.
In this instance, the case referred to data transfers between the EU and the US, but the implications are global.
The European Data Protection Board (EDPB) issued final guidance that clarifies next steps. Many organizations will have to reassess their processes for handling international data transfers. Based on this new guidance, those in doubt should conduct Transfer Impact Assessments (TIAs) to ensure they’re on the most up-to-date path to compliance by early 2023.
5. New directives coming out of the EU
The EU Data Governance Act (DGA) will facilitate data access and sharing with the public sector to benefit the public good. This will add yet another layer of complexity as organizations seek to understand their data and what it takes to facilitate compliant data transfers.
Additionally, the EU Data Act will enable greater transparency to data subjects by providing easy access to device-generated data. Additionally, the act provides the public sector with greater access to useful private sector data, particularly in cases of natural disasters or emergencies.
Finally, the EU Artificial Intelligence (AI) Act is currently in the proposal stage. This legislation would categorize AI applications by three risk categories:
Manufacturers of connected products, such as Smart TVs, wearables, and AI voice assistants, will have to take note of the forthcoming requirements they’ll be responsible for in terms of device data collection and processing.
The final stages of the DGA and the EU Data Act are still underway. In the meantime, organizations can still take steps to prepare.
These new directives point to the rising importance of maintaining a single source of truth for data cataloging and data mapping. Orienting your business towards this strategic direction will pay dividends once these new obligations enter full force.
These trends and milestones clarify that today’s maturing privacy programs can evolve beyond compliance and risk management to build trusted customer relationships worldwide.
With this vision, privacy professionals should be striving to develop a scaled, future-proofed strategy that: