In 2022, amidst an ongoing pandemic and advancing technology, the need for stricter data privacy regulations and laws is increasingly clear. The EU’s General Data Protection Regulation (GDPR) is rising to the top as a worldwide standard for data privacy. While the U.S. Government has not yet enacted federal data privacy regulations, more states are proactively putting new privacy laws in place.
With such a dramatic and rapid evolution of the data privacy landscape, it can be challenging to remain at the forefront of these regulations and laws. Nearly 25% of companies are unsure which data privacy laws apply to them and 62% of companies state they aren’t fully compliant with regulations like GDPR and CCPA. Though data privacy laws are crucial, it’s clear that many companies find it difficult to understand these laws or know the steps they must take to remain compliant.
In light of #DataPrivacyWeek this January 24-28, this blog post aims to educate our readers on the importance of data privacy and what it means for companies and consumers. We’ve provided a detailed overview of data privacy trends to watch for, new and updated privacy laws you should know about, and how FormAssembly helps organizations collect data in a secure, ethical manner.
Data privacy in review and looking ahead
The COVID-19 pandemic rapidly shifted many people toward a reliance on digital platforms and services. This sparked more conversations about consumer data privacy and though no federal laws were established in the United States in 2021, over half of U.S. states introduced data privacy regulations of their own.
Another notable privacy-first push is Google’s decision to deprecate third-party cookies in Chrome, potentially by the end of 2022. This is a considerable step toward respecting consumer privacy and being more transparent about how consumer data is collected and used. Though many laws have yet to be enacted at the state, federal, and international levels, the flurry of activity last year is evidence that data privacy regulation is a priority and is trending toward significant change over the next several years.
Data privacy trends to watch in 2022
As technology continues to advance and cybersecurity threats remain prevalent, it’s critical to know and understand the data privacy trends of this year and the future of privacy for organizations.
Growing regulations amidst remote work
The significant increase in remote work has left many companies scrambling to assess and update their data privacy policies. Companies not only need to address security issues with employees working at home, but also issues that arise when employees choose to work elsewhere, such as coffee shops or coworking spaces. In work-from-home settings, 67% of employees also use personal devices, including mobile phones and laptops, for work-related tasks, which only adds to the challenge.
Organizations that provide hybrid or remote work flexibility must take extra precautions to keep everyone secure. While remote work raises the potential exposure of sensitive company data, there is also the additional challenge of protecting employee data privacy across the devices they use. This year and beyond, organizations will need to implement more robust data privacy and security policies specifically for their remote workforce. Standard controls such as enforced software updates or multi-factor authentication may also need to be re-evaluated for personal devices, balancing company security against employee data privacy.
Greater transparency of data privacy
Due to increasingly large-scale data breaches and leaks, such as the Facebook and LinkedIn incidents last year, the public is now more aware than ever of the privacy (or lack thereof) of their personal data. Consumers are now more cautious about the information they share. However, while nearly 75% worry more about data privacy, a whopping 67% of Americans are unaware of data privacy regulations.
To regain customer trust, organizations must prioritize transparency about data privacy and also leverage governance, risk, and compliance (GRC) software. This means companies must demonstrate that they are actively working to protect their customers’ personal data. Additionally, companies must be transparent about why and how they plan to use customer data while giving customers the option to limit what data they reveal. Above all, companies should collect only the data they need, and nothing more.
Increase in state-wide consumer privacy laws
While federal data privacy laws are still absent, the push to enact consumer privacy regulations on the state level will continue throughout 2022. Following Colorado, Virginia, and California, at least fifteen additional states are looking to consider (or continue considering) data privacy legislation this year, including Arizona, Connecticut, Florida, Mississippi, Minnesota, Washington, Maryland, Alaska, Massachusetts, New York, North Carolina, Ohio, Oklahoma, South Carolina, and Vermont.
These data privacy regulations would require organizations to create and maintain comprehensive data privacy programs and to update them regularly. Such a program documents how an organization collects, stores, processes, and shares personal consumer data, and ensures that consent is obtained before the organization uses that data. Along with improving data governance, the hope is that these programs will also set a new standard for consumer privacy.
More third-party risk management programs
The new era of remote work amidst the global pandemic has been met with an increase in cyber threats for organizations worldwide. This is especially apparent in threats introduced through third-party vendors (e.g., suppliers or contractors), which over 80% of organizations don’t identify until after onboarding is complete. Failure to understand or acknowledge these risks can lead to everything from supply chain attacks to personal data leaks.
Though Vendor Relationship Management (VRM) regulations are emerging, organizations must take action to instill their own third-party risk management programs. These risk management practices provide a standardized way for organizations to assess if a potential new vendor comes with any operational, compliance, financial, or cybersecurity risks. Third-party risk management not only helps safeguard company data, but also the personal data of consumers using their products or services.
Push for data privacy education and training
Data privacy and security are evolving topics, and so are customer expectations. Without the right knowledge about data privacy regulations or a company’s policies, it can be difficult for consumers to maintain any level of trust in an organization. On average, 40% of customers don’t believe that organizations follow their own data privacy policies. However, 76% of organizations saw an increase in customer trust after providing more education about their data collection and management processes.
One of the best ways companies can build trust with their customers is through data privacy education and training. This includes education about their data privacy policies as well as being open about what happens after a customer’s data is collected. Part of this training also means that organizations should make clear that customers have a right to decide how much personal data they share.
Understanding new data privacy regulations
Globally, data privacy regulations and laws continue to evolve. The European Commission recently adopted new Standard Contractual Clauses (SCCs) under the GDPR, which must be in place before personal data is transferred from the EU to most other countries. Other notable state-level data privacy legislation enacted or amended within the past year includes:
- Arkansas (AR H.B. 1514) – Prohibits data companies from using data for profit without authorization from the entity.
- Florida (FL H 833) – Prohibits analysis and disclosure of DNA results without consent.
- Montana (MT H.B. 602) – Prohibits search of a consumer DNA database without a warrant.
- Nevada (NV S.B. 260) – Prohibits data brokers from using certain personal information to make a sale.
- Oklahoma (OK H.B. 1602) – Prohibits organizations from using a consumer’s personal data online without the consumer opting in.
- Oregon (OR H.B. 3284) – Prohibits organizations from collecting or disclosing health data without consent.
- South Dakota (SD S.B. 178) – Prohibits insurance companies from leveraging personal genetic data.
In addition, several other nations enacted new privacy laws, or saw existing ones take effect, last year, including:
- China (Personal Information Protection Law) – Protects the personal data of individuals in China by requiring consent of individuals for data that is processed inside and outside the country, including cross-border transfers of data.
- Brazil (General Data Protection Law) – Protects personal data by requiring all organizations that provide services or are operational in Brazil to comply with rules regarding how data is collected, processed, stored, and shared.
- South Africa (Protection of Personal Information Act) – Protects individuals’ data held by organizations that collect data within the country by requiring companies to be transparent about how they’re protecting, storing, and processing it.
Upcoming data privacy laws and amendments
Three notable consumer privacy laws in California, Virginia, and Colorado were enacted or amended last year and go into effect in 2023.
California Privacy Rights Act (CPRA)
The CPRA amends the 2018 California Consumer Privacy Act (CCPA) with changes that strengthen an individual’s right to stop a company from selling or sharing their information, whether collected online or offline. To prepare, businesses must honor the consumer’s “Right to Know” what data is collected and how it will be used, offer an opt-out, and update their compliance plans. Effective January 1, 2023.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA gives consumers the right to decline an organization using or selling their information for marketing or profiling. It also requires company transparency on data usage, the ability of customers to request a free copy of their data, and the right of consumers to request the deletion of data. Businesses will need to update existing data privacy policies to provide an “opt-out” option for consumers and receive consent before sensitive data can be processed. Effective January 1, 2023.
Colorado Privacy Act (CPA)
The CPA gives consumers the right to access, correct, and delete their personal data and to obtain a copy of it, with the option to opt out of having their data used for targeted advertising. Businesses must be transparent about how data is collected and used. Effective July 1, 2023.
Trust FormAssembly for secure, compliant data collection
FormAssembly’s mission is to help organizations become better stewards of the data they collect by providing a secure, compliant data collection platform as well as offering education and resources on data privacy and security. Our company’s high security standards, together with compliance with national and international privacy laws such as HIPAA and GDPR, help ensure that the data our customers collect remains safe and secure. By leveraging FormAssembly, organizations can not only streamline and automate their data collection processes but also remain compliant and secure amidst changing data privacy regulations. To learn more about how FormAssembly can help you collect data the secure, compliant way, read through our guide!