More regulatory enforcement of data privacy laws
GDPR enforcement across Europe continued to hit the headlines in 2021 with a €746,000,000 fine to Amazon from Luxembourg’s National Commission for Data Protection, and a €225,000,000 fine to WhatsApp from the Data Protection Authority of Ireland. This trend of dissuasive penalties is set to continue in 2022.
Countries around the world are becoming increasingly restrictive with regard to the movement and transfer of personal data. 2022 will likely bring more territorial-driven legislation and regulation and less harmonisation around cross-border data transfer standards. We already saw this with the Schrems II judgement which voided the EU-US Privacy Shield. This made many data transfers between Europe and the US technically illegal and caused widespread adoption of Standard Contractual Clauses and other similar safeguards.
New data privacy laws are due to come into force in 2022. In the US, there are the California Privacy Rights Act (CPRA) and Virginia and Colorado's new laws, which come into force over the next 18 months, plus a half dozen other US states set to pass privacy legislation. In addition, there are regulatory expectations for 2022 in China, India, Japan and more.
If your company operates internationally, it is vitally important that each of these legislative changes is tracked and impact assessed to ensure that you can evidence compliance and continue data transfers without interrupting your business operations.
Increased scrutiny around ransomware and other cyber attacks
2022 will likely bring with it continued action by governments to address issues related to ransom payments (ransomware), including the role of cryptocurrency and cooperation with law enforcement before making a ransom payment.
We expect to see additional collaboration between governments to coordinate taking down large ransomware gangs and continued tightening of the cyber insurance market.
Businesses should review and test cyber security crisis response plans with a ransomware scenario in order to assess their preparedness and to proactively address weaknesses identified throughout this testing process.
Transparency becoming a key differentiator for consumer perception
Due to media coverage of data privacy failures, the public is now more aware of privacy laws, making data privacy a mainstream discussion topic for the first time in history.
Documentaries and social media campaigners are exposing just how much information is being gathered from phone data, location data, purchases and more. Much of this data is given to advertisers so they can target their ad campaigns more effectively. As a result of this, and of the massive fines being levied on big tech companies, there is much less consumer trust when it comes to the collection of personal data.
Transparency is therefore becoming an important market differentiator for consumer perception. A 2020 Cisco Consumer Privacy Survey established that more than 50% of consumers would switch to companies that they felt had better data policies. Businesses that treat data privacy and data ethics seriously are more likely to capture this advantage for attracting new consumers and improving brand reputation.
Under current legislation, users must be informed and given choices about what tracking cookies are placed on their devices. This generally manifests as cookie banners and pop-ups that allow users to accept all, reject all, or manually choose which cookies to allow.
The European Centre for Digital Rights (EDRi) have started to tackle poor cookie handling practices by submitting complaints against random non-compliant websites on the internet. At the end of 2021, the French Data Protection Authority issued fines totalling €210,000,000 to both Google and Facebook for not providing users with an easy way to reject cookies, which may just be the tip of the iceberg.
Regulators and the media will also increasingly examine the use of AdTech to track individuals online. Third-party cookies that track what users are doing across websites have already been banned by Firefox and Safari internet browsers, and Google has stated they will stop the use of third-party cookies within their Chrome browser by the end of 2023.
As third-party cookies are phased out, businesses will rely more on:
- First-party data – data being collected directly from consumers through their use of products or through social media profiles
- Zero-party data – where consumers intentionally interact to give companies their data because they perceive value from it in exchange for services or to personalise how a brand treats them
Zero-party data is about having a well-engaged consumer base who are incentivised to share their personal information and are more likely to do so willingly with organisations that build a strong reputation of transparency and trust.
The Data Privacy train is not slowing down and continues to gather speed. Your business can stay ahead by keeping track of changing legislation and proactively taking steps to remain compliant in a clear and auditable manner. Putting data protection and ethics at the heart of your business will capitalise on the competitive advantage available from a brand reputation built around transparency and trust.