Not so long ago, when faced with Data Privacy Day, most American organizations could safely turn the other way. US privacy laws, after all, were sectoral. While healthcare organizations had to worry about HIPAA, schools and colleges about FERPA, and financial institutions about Gramm-Leach-Bliley, most other businesses could feel reasonably secure in doing whatever they wished with the personal information they collected about their customers, users, and anybody else.
If those businesses operated overseas, they had probably learned that Europe had stricter—and more comprehensive—privacy laws. A few other places did, too, for example, Japan and Australia. Even so, businesses could sell their products and services into most international markets without being too concerned about data privacy.
American businesses were not under pressure from their customers either. Consumers were still only vaguely aware of the extent of personal information they routinely shared in the digital economy and how businesses used their data. These were the days before we realized that we are not Google’s (or Facebook’s, or that cool free app’s) customers, but their product. Back then, too, crimes based on personal information, like identity theft, seemed to befall only the unlucky few.
This year, Data Privacy Day is on January 28th. Can American organizations still safely turn the other way? To answer that question, let’s first examine how the consumer has changed.
Consumers are as in love with the internet as ever, especially with the stuff we pay for with our data and not our hard-earned cash. What has changed is consumers’ willingness to share personal information with no questions asked. Driven by the growing awareness that real harms (and lesser annoyances) can arise from personal information getting into unexpected hands, consumers want businesses to level with them and cede them reasonable control. If they are going to tell companies all about themselves, they want to trust them. There is evidence that this attitude shift is particularly strong among millennials and Generation Z—and that their trust, once lost, is hard to recover.
State and national governments have responded to and reinforced this shift in consumer attitude with a wave of privacy legislation. American businesses and schools that seek customers/students in Europe now fall within the extraterritorial reach of the General Data Protection Regulation (GDPR). Likewise, other big international markets have begun to adopt the GDPR template—China and Brazil already, with Canada heading in the same direction. In the US, California voters put first the California Consumer Privacy Act and then the strengthened California Privacy Rights Act into effect. Virginia and—effective July 1st—Colorado and Connecticut have followed suit. Other US state laws are in the pipeline. To be required to meet the obligations of these laws, it may be enough that your business sells to consumers in the state in question. You do not need to be physically or legally present in the state.
So, can your organization safely turn away from Data Privacy Day, 2023? There is a series of questions to answer:
- Do you have an inventory of the personal information that you collect and use (or a “map” of storage points and flows)?
- Do you know with certainty which laws and regulations cover your collection and use of personal information?
- Even if a thorough review determines that no laws and regulations cover what you do with personal information, are you comfortable and prepared to address questions regarding privacy practices from your customers, users, and partners?
If you cannot answer “yes” to these questions, it may be time to observe Data Privacy Day by arranging for an assessment of the privacy risk that your organization is carrying.