A Changing Privacy Landscape
Over the past decade, we have swiftly entered a world where data is seemingly omnipresent in almost every area of life. With so much data created and stored, brought to the fore, are a myriad of privacy concerns. In response, we see the implementation at a rapid pace of laws and regulatory frameworks on the national and international levels. As a result, a new formation of the privacy landscape is occurring, and organizations need to stay ahead of the curve.
Ever since the internet and computing went mainstream, the world has been on a drastic and progressively changing trajectory. In many ways, these changes have brought immense benefits to the world. From an increase in the pace of innovation to the ease with which we can now communicate, our new technology-based world has brought increased convenience, better health, and improved safety to billions across the planet. Finding a person in today’s day and age who has not benefited in some manner from advancements in technology would be challenging. Yet, at the same time, there are ways in which the internet and advances in technology, in general, have brought numerous pressing and novel challenges to our societies.
One of the significant issues brought about by technology, particularly the new data-based frameworks of the internet, is the problematic nature of protecting individual privacy.
In this discussion, we perform an overview of how old and new regulatory frameworks impact the current data-centric advertising ecosystem. However, it is essential to be aware that this is merely a summary of some of the most notable developments from a legal perspective. There are nuances unique to every organization, and frequently, there are critical additional laws relevant beyond those in this discussion’s scope. Besides, interpretation of the law is ongoing for many of the legal frameworks we discuss here, such as the European Union’s General Data Protection Regulation (GDPR). Therefore, applying these laws to specific scenarios is highly dynamic and detail dependent. Therefore, seeking specific legal counsel tailored to your particular circumstance is crucial.
The Machine Lives On A Data Diet
As we continually move toward a data-focused ecosystem, individuals are encouraged, if not mandated, to provide a wealth of information about themselves every day—entities collecting this data range across the spectrum. For example, governments require a whole host of personal information from their citizenry to provide a variety of social services and fulfill their national security obligations.
Beyond governments, though, our daily use of various products and services often also requires varying sorts of personal information as a condition of use. The most obvious of these private entities demanding such data are internet giants such as Google and Facebook. In reality, though, we also supply our information to much smaller and less well-known entities. For example, in our data-centric world, even a brief visit to a local healthcare provider or retailer usually entails surrendering some detail of one’s identity.
The rationale for why organizations of all types and sizes request that individuals disclose their personal information is simple.
Data is, in many ways, the new oil.
For practically all sectors, whether the government, a business, or a non-profit, possessing relevant data means that accomplishing organizational goals more effectively and efficiently is more likely. More data has become the fuel for higher profits, better user engagement, and more secure societies.
Put briefly, the machine runs on a diet of data, and the more you feed it, the more it wants.
Where Data Goes, Danger Follows
Because of the inherent value to the entity holding it, data is often stored for indefinite periods. With all of this data retained and its potential value for a variety of threat actors, there is ample motivation for others to gain access to such stored information. This dynamic is, in large part, why there have been data breaches at a rapidly increasing frequency over the past two decades. After all, more data is being stored, and the use cases for such data among pernicious actors have also been rising.
The general rule is as follows: Where data goes, danger follows.
Whether risk and danger translate into actual damage relies mainly on the state of an organization’s systems in terms of security and their overall risk profile. The reality is that most organizations are just waking up to the threat-filled landscape now. It has significantly damaged both entities and consumers for these new and emerging threats to come into focus fully and to be viewed with adequate seriousness by the C-Suite.
Lawmakers Feel The Pressure To Act
With breach after data breach occurring and consumer displeasure becoming progressively more pronounced, lawmakers have been increasingly focusing on regulating the storage and use of personal information.
There is a general feeling among regulators across the globe that organizations are simply not taking system integrity and users’ privacy seriously enough.
Regardless of whether this sentiment is fair or not, as a result of this feeling by lawmakers, we see wave after wave of all-encompassing privacy and data protection laws proposed and, at times, enacted on the international, national, and state levels. These new legal frameworks are wide-ranging regarding the areas and entities they regulate and pack a severe punch in imposing penalties for violations. In addition to establishing new laws, we see expanded and more rigorous enforcement of existing laws.
Historical Background Of Privacy Laws
The origins of privacy laws are complex and varied.
Depending on whether we are discussing the roots as they relate to the United States versus perhaps Europe, the history and basic premises of the laws change.
Much of the basis for privacy law in America comes from the 4th Amendment.
Though the 4th Amendment restricts government action, it lays the foundation for the notion that individual privacy and liberty are intertwined.
The 4th Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. 1
For states in the European Union (EU), the Universal Declaration of Human Rights (UDHR) set the tone for privacy legislation.
The UDHR’s proclamation on December 10, 1948, states as follows:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” (Article 12)
GDPR, the new omnibus data protection framework enacted by the EU, stems from the underlying theme of privacy laid out by the UDHR.
A Sea Change In Privacy Laws
The proliferation of data collection and ubiquitous use generated a focus and, at times, even a backlash from citizens and lawmakers. This new dynamic has set the stage for a sea change in the legal landscape relating to privacy. GDPR and other regulatory frameworks, such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), are some of the most expansive of these new laws.
HIPAA More Relevant Than Ever
The Health Insurance Portability and Accountability Act (HIPAA) is one of the older data-focused regulatory frameworks. Though centered on a particular mandate, the privacy of health-related information, it is more relevant in today’s data-centric world than ever before.
Privacy Law 2023 “State of Play”
As of 2023, privacy law remains incredibly dynamic, with several states in the United States passing comprehensive privacy laws, with the result being a patchwork regulatory landscape. Currently, the states with comprehensive privacy laws in effect or that will go into effect this year are California, Utah, Connecticut, Colorado, and Virginia. On the international stage, the EU’s GDPR continues to mature, the UK is contemplating changes to its version of the GDPR post-Brexit, and practically every jurisdiction across the globe has passed or is in the process of passing some form of privacy laws.