The State of Privacy: How Did We Get Here?

July 13, 2022


Looking back even just five years ago, the privacy landscape looked nothing like it does today – there was no General Data Protection Regulation (GDPR), no California Consumer Privacy Act (CCPA), and the demands on businesses were much different.

In the first episode of Privacy Abbreviated, hosts Catherine Dawson and Dona Fraser are joined by Daniel Solove, law professor at George Washington University and founder of TeachPrivacy, to explain how we got to the landscape we see today and talk about what this means for businesses. They offer insight into the key differences between U.S. and E.U. privacy standards, what legislation is on the horizon, and how to build a strong privacy program that sets businesses up to comply with changes as they come.

 



 

Show Notes

The Accountability Studios formally presents BBB National Programs’ and Osano’s new podcast, Privacy Abbreviated—helping business leaders manage and prepare for the future of privacy. In its first episode, hosts Dona Fraser, Senior Vice President of Privacy Initiatives at BBB National Programs, and Catherine Dawson, General Counsel and Chief Privacy Officer of Osano, introduce themselves and set the stage for their new listeners.

For this episode, they’re joined by distinguished guest Daniel Solove, Law Professor at George Washington University and Founder of TeachPrivacy, a company that provides privacy and data security training to businesses, healthcare institutions, universities, and other organizations. 

Before diving into conversations with Dan, Dona and Catherine address the top privacy news of the hour. Released in early June by key Congressional leaders, the American Data Privacy and Protection Act calls for the creation of national standards that provide consumers with foundational data privacy rights. Catherine says that this bill may be a step in the right direction, progressing towards a comprehensive federal privacy law. Dona agrees with Catherine’s sentiments and adds: 

“What’s fascinating to me is that it [the American Data Privacy and Protection Act] does provide a roadmap for a lot of issues that we know are being thought about. So even if this draft doesn’t go through, it’s clear that this congress is thinking about issues surrounding algorithms, surrounding targeted advertising, surrounding not just data collection, but really what is now sensitive data.” 

Another noteworthy development in the privacy landscape is the anticipated first draft of the California Privacy Rights Act (CPRA) regulations. Regarding this news, Dona reminds listeners to keep in mind that “where California goes, the country goes.” Both hosts agree that California’s progression coupled with the American Data Privacy and Protection Act creates numerous levels of complexity for businesses, especially multinational companies already struggling with how best to comply with current privacy laws. 

After catching up on the present world of privacy, Dona and Catherine lead us through the privacy landscape by asking Dan to help listeners understand the US versus the EU perspective on data privacy. Dan describes the US approach as more complicated and complex than its EU counterpart. There are various entities involved, from state legislation to federal agency regulation. “But generally speaking, the US relies on a notice and choice approach. You can use data however you want, as long as people don’t object to it or it doesn’t cause some serious harm,” Dan explains. 

Regarding the EU, the law states and spells out valid uses of data. Under GDPR, there are six allowable uses, and “if you don’t have one of those uses, you can’t use the data, even if it doesn’t cause any harm in that use,” Dan warns. 

However, there is a shift taking place in the US. Catherine mentions that the concept of data minimization is consuming state and privacy laws coming in 2023. 

On this subject, Dan mentions that most of the present US privacy laws have leaned towards data minimization principles. “The tricky thing with data minimization is … how do you do it on the side of the policymaker? We ask companies to please be data minimalists, but how do you enforce it? We really haven’t seen ways to give rigor to this principle yet from enforcers,” Dan questions.

Keeping to enforcement, Dona asks Dan to help companies understand how to navigate multiple state privacy laws while thinking ahead about a potential federal law. The rule of thumb Dan provides listeners is to “follow the strictest standard.” He mentions that the California Consumer Privacy Act, the CCPA, is the standard. There are various other state laws, but all are weaker versions of CCPA. “So, if you’re complying with California, you’ll likely be pretty good with the other laws.”

Dan’s expertise in training via TeachPrivacy made for an appropriate segue into the topic. He shares the top three pain points businesses face regarding data privacy compliance.

  1. The number of laws globally and various complexity levels related to each must be understood and managed. Dan notes an estimated 150 countries have comprehensive privacy laws. There’s GDPR, varying state laws, and federal laws targeting specific areas, such as health data for HIPAA, FERPA, CAPA, etcetera. 

  2. Universal data security best practices contrast the varying privacy laws businesses must know and follow. “Data security could be a one size fits all, or vary with different organizations based on their risk, but it’s not going to vary like privacy law, which is a challenge,” Dan clarifies. 

  3. Developing a training message that businesses care about. “The point of training is to create a culture of privacy in an organization to make people understand why they should care … because it depends on the cooperation of everyone in the workforce,” Dan reminds listeners. 

After delving into each pain point, Dan leaves listeners with one final word, “I think industry and policymakers are often focused on the short term, but if we really want to get a handle on this, we need to start thinking more long term and create laws that are going to stand the test of time. Until the consumers feel that they are protected, we’re not going to see an end to the law.” 

 
