Privacy Regulatory Trends: The Personal Information Explosion

The California Online Privacy Protection Act of 2003 (CalOPPA), effective in 2004, was the first privacy law in the United States to require commercial websites and online services to post a privacy policy. Its definition of personal information (PI) included data that had been used to identify individuals for decades: name, address, email address, telephone number, and Social Security number. But two other provisions in that law revealed a Pandora’s box that has exploded in ways no one would have anticipated:

• Any other identifier that permits the physical or online contacting of a specific individual
• Information concerning a user that the website collects online from the user and maintains in personally identifiable form in combination with any of the above

Think of the technologies that now fall within those two categories. IoT devices such as smart cars, smart appliances, medical monitors, and personal digital assistants can now be hacked to track and contact individuals. How many companies provide services and have customer information tied to smart devices?

With the explosion of social media, online learning, dating apps, etc., think of all the types of personal information that websites gather online. Even with encryption and de-identification, the low cost of computing and the power of today’s AI increases the risk of all kinds of data being traced back to an individual.

To increase personal protection, subsequent laws in the U.S. and around the world have expanded definitions of personal information. For example, GDPR mentions information on a person’s “genetic, mental, economic, cultural, or social identity.” California’s CCPA includes information about online activity, geolocation data, plus visual, thermal, and olfactory information. Other additions to the U.S. and global definitions included more biometric data and unique keys used to sign or authenticate electronic records.

The more data that’s protected under privacy regulations, the greater the likelihood of reportable incidents. How can privacy teams and their organizations streamline incident response to stay in compliance?

A Proactive Approach to Compliance

Definitions of personal information are likely to expand as consumers manage even more of their lives online. And as businesses gather and use more personal and sensitive information, privacy teams will have to be proactive in helping their organizations manage compliance risks:

• Partnering with business functions: As businesses find more ways to gather and leverage customer information, privacy teams need to be involved in planning new products and data initiatives, helping ensure that personal and sensitive information is identified and information systems are architected to protect it from the start. It may even be possible to find alternatives to collecting personal information, as one franchise business has successfully done with its advertising.
• Data mapping for risk and incident management: As personal information has expanded, notification timelines have shortened. To meet notification deadlines, privacy teams need to ensure that data maps are created and maintained. When incidents occur, the team should be able to determine immediately the data involved, how it was protected, and the risks involved.
• Updating disclosure policies: Expanding data definitions have also created expanded requirements for disclosure. For example, as outlined by the National Law Review, the California Privacy Rights Act (CPRA) has two new disclosure obligations: 1) sensitive personal information must be included in the notice of collection to consumers, and 2) if sensitive personal information is used or disclosed for any purpose other than providing services or goods requested by the consumer, the business must notify the consumer of the intended use or disclosure, their consumer’s right to limit it, and an easy opt-out mechanism. GDPR has similar requirements but allows other uses only if consumers opt in. Privacy teams will need to work with business teams to ensure that disclosures are kept up to date with regulatory requirements and presented to consumers as required.

Creating Time to be Proactive

In addition to the efforts described above, expanded definitions of personal information may increase the volume of incidents requiring assessment and the number determined to be notifiable. And different definitions in different jurisdictions will add to the complexity of incident assessment.

To ensure compliance while proactively managing new risks, privacy teams will need to find new efficiencies in routine work such as incident response. Data mapping should be a priority, as an accurate data map will speed up incident assessment and risk analysis. Automation of incident response will also pay off faster assessment and analysis. Look for tools with:

• An automated incident intake process that captures all the details you need to assess risks around different kinds of personal and sensitive information
• An intelligent legal engine that can assess current risks and requirements for regulations across multiple jurisdictions
• Data visualization, dashboards, and benchmarking make it easy to track where incidents are happening and what kinds of personal information are involved