We’re excited to share insights gathered at the International Association of Privacy Professionals (IAPP) Global Privacy Summit this April 3-4 in DC. We loved speaking with so many of you at this extremely productive conference where we exchanged ideas and discussed challenges and solutions. In this post, we’ll address legal developments and concepts that might be most relevant to your business and your website compliance efforts, whether you attended GPS or are catching up from afar.
State of the Industry
We’ve often quoted Gartner’s prediction that 75% of the world’s population would be covered by some type of privacy regulation by 2024. Well, we’ve blown that prediction out of the water. According to J. Trevor Hughes, CEO of IAPP, 79% of the current world population is now covered by privacy regulations. And, it’s only April. Compliance with privacy regulations is only getting more complex, even for U.S.-based traffic. We’ll dive into that later.
An interesting concept mentioned by Anu Bradford, the Henry L. Moses Professor of Law and International Organizations at Columbia Law School, was that of separate “Digital Empires” embodied by different countries/regions. The U.S. champions technology, while China is the master of infrastructure, and Europe leads the legislative empire. We’ve seen this play out as governments from these empires attempt to regulate companies from the other countries.
Meanwhile, Europe’s championing of individual privacy seems to be leading the charge of public sentiment. As Kabir Barday, CEO of OneTrust, mentioned, “Privacy has evolved from a regulatory-driven function to a consumer trust imperative.” We think that’s right on the money. The greatest benefit of getting your website privacy compliance right is earning and keeping your customers’ trust. While fines for non-compliance with data privacy laws are a concern for many businesses, their overall financial impact on an organization is often easily dwarfed by the brand impact that a business can suffer when it finds itself in the headlines for the wrong reasons.
A Surprise U.S. Federal Regulation Announcement
American attempts to reach a consensus on federal privacy legislation have failed before, but a new draft of a bipartisan, bicameral federal privacy bill was just released earlier this month. The American Privacy Rights Act attempts to address concerns from states like California with stricter privacy regulations and proposes to pre-empt state laws. There remains the question of how states on the other side of the spectrum, such as those who have considered enacting a privacy law and then rejected the notion, would respond to the bill. For more details about the American Privacy Rights Act, you can read the press release from the committee chairs or follow IAPP’s analysis.
Speaking of California
Back in January, the California Privacy Protection Agency (CPPA) ended its 30-day cure period, which previously provided businesses a month to cure any violations before being fined. California Attorney General Rob Bonta said, “the kid gloves are coming off, my office will not hesitate to protect consumers,” about the end of the right to cure. During the Global Privacy Summit, the CPPA released its first enforcement advisory, encouraging voluntary compliance with a foundational principle of the CCPA: data minimization. The advisory addresses situations in which a consumer makes a request to a business and the business asks for excessive personal information in response. The CPPA considers these advisories educational guidelines to help businesses understand how to comply. But vigorous enforcement of the laws is a priority, as the agency is getting ready to hire a chief auditor and investigators reporting to that position, according to California Privacy Protection Agency executive director Ashkan Soltani.
ObservePoint Audits & Observations
Until a federal privacy law becomes reality, we are still dealing with an ever-increasing patchwork of state privacy regulations in the United States, not to mention all the other country- and region-specific privacy laws throughout the rest of the world. Setting up your website in compliance with the strictest jurisdiction in which you do business is a recommended first step, but global enterprises often have much more complicated requirements with their multiple lines of business.
Our conversations at the booth at IAPP seemed to indicate that most enterprise-level legal professionals have moved beyond awareness and into prioritizing privacy compliance for their organizations’ websites, a marked change from last year when website privacy compliance was much lower on their list of concerns. That was really encouraging to witness, but of course, we had to check on the data.
When we audited our existing customers, we found that 55% now have a consent management or privacy platform on their site, up from 35% last year. Great work, guys! Here are the most popular CMPs from our Audit:
- 37% OneTrust
- 6% TrustArc
- 12% Mix of other brands
But there are still 45% of businesses without a CMP or similar tool to assist in receiving and administering user consent preferences. If you don’t yet have one at your organization, let’s work on closing that gap, and then give us a call to make sure your implementation is sound and that consent preferences are being honored.
To see the most advanced and in-depth scanning technology for your company’s websites in action, get in on a Free Trial now.