By Joe Humm and Cliff Love
Last month we had the opportunity to attend TrustWeek 2020, a virtual OneTrust user conference. This summit substantiated much of what we are learning directly through our client work and brought to light a number of other important trends and concerns pertaining to data privacy.
The US is evolving toward an environment with data privacy laws on par with the EU’s 2018 General Data Protection Regulation (GDPR). On November 3, 2020, California passed the California Privacy Rights Act (CPRA). This legislation – essentially California Consumer Privacy Act (CCPA) 2.0 – closes many of the gaps between CCPA and GDPR. Key provisions include: creating an office outside the Attorney General to enforce the data privacy laws; tripling the fines for privacy law violations involving people under the age of 16; creating a new classification of data privacy called Sensitive Private Information; and many other features designed to give consumers more control over their privacy.
The passing of CPRA, coupled with Gartner’s placement of Data Privacy on their Slope of Enlightenment (i.e., a well-developed concept beyond ideation and band-wagon jumping) indicates a broader awareness among Americans of just how important data privacy is to their well-being, online safety, and ability to operate anonymously where they so choose.
The awakening of the American collective consciousness is catching the attention of American businesses. As such, they are investing an estimated $2M/firm to comply with privacy regulations, or $55B in aggregate. Furthermore, it is estimated that 500,000 firms are affected by CCPA/CPRA today. Consumers, businesses, and the world-at-large understand data privacy is not an issue that will be going away any time soon. 2020 is just laying the groundwork for a broader shift towards consumers being in control of their information.
Data privacy management is a team sport within most businesses. Responsibilities live in varying degrees across the offices of the Chief Data Officer (CDO), Chief Privacy Officer (CPO), Chief Information Security Officer (CISO), and Chief Risk Officer (CRO).
These executives must balance privacy needs against competing priorities, such as security, risk, and data management. In addition, they must consider how to manage legislative extension (see CPRA), new legislation (25 states with looming privacy legislation), consumer-facing interactions (e.g., cookies, opt-outs, access/delete requests, whistle-blowing events, incidents) and interoperability with other initiatives, such as connecting data privacy management with broader data governance goals.
All told, this creates a complex operating environment. A great deal of forethought and deliberate action is needed to keep people, assets, and ultimately an organization aligned on how it will deal with the concept of privacy on a day-to-day basis.
Managed properly, data privacy can bolster your organization’s value proposition. As presented by OneTrust’s CEO, gone are the days when you could differentiate on the basis of value delivered in proportion to price, or quality as a key pillar of your brand promise, or product availability. Those are all simply table stakes in a modern world. Today’s brand differentiators include:
Businesses that tune into these concepts will be well-served. The collective consciousness of the American consumer will accept nothing less in terms of business conduct and brand representations to the market.
Joe Humm is a director in RevGen’s analytics and insights practice. He has spent the past year helping a multi-billion-dollar services company prepare for the implications of CCPA.
Cliff Love is a client services director at RevGen. He is a certified OneTrust Privacy Management Professional.