Preparing for what’s now and what’s next in privacy Privacy is now a C-suite issue: US and EU regulators are imposing eye-popping fines and obligations on companies that do not keep their promises or fail to secure personal data; near-daily data breaches grab headlines and put corporate brands at risk; and sweeping new state and federal legislation require changes to corporate operations. Today, every company is a data company and every organisation must comply with a host of changing data privacy laws. Existing privacy laws The 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) provided for a single set of data protection rules for all companies controlling or processing the data of EU residents, regardless of where the companies are based. The stronger data protection gave people greater rights and control over their personal data. The risk of noncompliance could be severe. Companies found in violation of this new regulation, regardless of their location, could be subject to fines equalling 4 percent of annual turnover or €20m (almost $24m), whichever is higher. The California Consumer Privacy Act (CCPA), which went into effect on 1 January 2020, created new consumer rights relating to the access to, deletion and sharing of personal information of California residents collected by businesses. Even if a company does not operate in the EU or California, its executives must be cognisant of the important federal privacy and data security obligations arising from the authority of the Federal Trade Commission (FTC) to prevent deceptive and unfair practices, set forth at Section 5(a) of the FTC Act. The FTC has been an active privacy and data security enforcer for many years and is ramping up its privacy enforcement even further. The FTC has brought hundreds of privacy- and data securityrelated enforcement actions, covering both on- and offline practices and fast-evolving technologies. Recent, substantial FTC settlements and fines The $5bn Facebook settlement last year to resolve the Cambridge Analytica matter was the largest privacy fine in the FTC’s history and the most significant action to date against any company. The FTC mandated that Facebook must add an independent privacy committee, create a broad privacy programme and engage in internal and external monitoring. The time period for the settlement is 20 years. In 2017, nearly half the American population had their personal information hacked from Equifax’s enormous database in one of the largest publicly disclosed and most serious data breaches. After outrage from consumers and hearings on the breach, Equifax ultimately settled with the FTC, the Consumer Financial Protection Bureau (CFPB), and US states and territories for approximately $575m and created up to $425m for a consumer restitution fund. Equifax has to implement a comprehensive information security programme as well as engage in security auditing and reporting requirements. New federal legislation on the horizon As the collection, use and sharing of personal data grows in amount and complexity, and consumers and businesses are increasingly required to navigate a tangled web of confusing, and often inconsistent, data privacy regulations from various levels of government, there has been a clamour for Congress to enact comprehensive federal privacy legislation that will give consumers more rights, business more uniform obligations and the FTC increased powers. Federal privacy and data security legislation is viewed by many as inevitable and could happen as quickly as this year. And, even if an organisation is not subject to the GDPR or CCPA, additional states are enacting new privacy laws. The new proposed privacy legislation in both houses of Congress has many similarities to the CCPA, including obligations about mapping data and giving consumers rights that cover how companies may use and share customer and employee data. The current Congressional proposals share an approach that will grant individuals the rights to know, correct, delete and get copies of data that companies hold about them. Federal privacy legislation has several goals. One is to provide consumers clarity and visibility into companies’ data collection, use and sharing practices, as well as choices regarding these practices. Another important goal is to provide a national, uniform set of protections and consumer rights throughout the digital economy. Finally, it will strengthen the FTC’s enforcement powers, including the ability to impose large fines on companies that fail to respect the new host of consumer rights. How to plan for what’s now and what’s next How should a company prepare for current privacy obligations and be on top of what is almost inevitable? An organisation should begin this process now, because if it is inadvertently involved in federal or state law privacy violations, the fines and penalties can be significant and regulators will not acceptance ignorance as an excuse. First, know what kinds of data your company collects and holds. You should be aware of who you share the data with (such as service providers), why you are sharing data, what the recipient does with the data, and what you are telling consumers about the data that you have collected. Even if your organisation is not a consumer-facing company and believes that privacy obligations might not apply, you may have personal data from other sources, such as clinical research, and you certainly collect data about your employees, which may also be covered. Second, determine who has access to the data, for what purposes, and under what terms they are granted access. This includes employees and third-party service providers that process data or provide other types of support to your business, such as marketing. Third, determine what you are telling customers, employees and consumers about what data you have and how it is controlled. Requests to acquire, store and use data should be transparent and easily understood. A corporation must describe clearly its reasons for asking for data as well as explain in an easy-to-understand fashion how long the data will be held and how it will be used. Consent protocols must be reviewed and, if necessary, updated at collection points. An organisation’s privacy policies must transparently and openly address the right of consumers to remove or restrict the use of their data. Terms and conditions and privacy policies should be accessible and be reviewed and updated if necessary. Finally, you may have to train employees about how to handle covered data to ensure compliance with new obligations. Conclusion Some say that the US does not have a privacy law – a half-truth that executives believe at their peril. The reality is that all companies already have basic privacy and data security obligations under the FTC Act, many are covered under GDPR and CCPA, and additional privacy laws are inevitable. The good news is that some basic steps to understand your data assets and uses will prepare your company for today’s obligations and for what is coming tomorrow.