Cybersecurity experts believe the US in 2023 will see a rise in class action litigation on the collection of tracking and targeting cookies, the use of chatbots, and the use of security features like voice authentication and fraud prevention. Further litigation is expected as more US states shift from a “harms-prevention-based” model to a broader “rights-based” approach. Here’s what you need to know.
Data privacy litigation is on the rise. Why? As more of our lives are conducted online, there’s a greater focus among businesses and consumers on data security risks. Cyberattacks and data breaches have become more common, which has led to growing concerns about how personal information is used, processed, and stored by businesses and organizations.
Why data privacy matters
Data privacy laws are a critical way to help people feel safe doing business online. The implication for businesses is that they need to stay aware of data privacy policies and stay compliant.
Regulations on data privacy
Countries outside the US have passed legislation to protect data and privacy. China’s Personal Information Protection Law (PIPL) went into effect in 2021. Europe has the General Data Protection Regulation (GDPR), which regulates the collection and management of data.
Unlike the EU, the US has no comprehensive federal law protecting data and privacy. Rather, a patchwork of state laws provides varying degrees of protection to consumer data and privacy information.
The US has federal laws that protect specific data sets. Here are some notable ones:
- The U.S. Privacy Act of 1974 establishes rules for collecting, maintaining, using, and sharing personal information by a federal agency.
- The Health Insurance Portability and Accountability Act (HIPAA) protects a person’s medical records by setting national standards for privacy, confidentiality, and consent.
- The Children’s Online Privacy Protection Act (COPPA) of 1998 regulates how personal information is collected from children under the age of 13.
The new California Privacy Rights Act (CPRA) comes into effect this year (2023), placing increased focus on the transparency and completeness of privacy policies.
Four other states — Colorado, Connecticut, Utah, and Virginia — will start enforcing new GDPR-inspired statutes this year.
This approach is consistent with the GDPR’s rights-based regime for protecting personal information. It’s a philosophy that views data privacy as a fundamental human right: Individuals own their personal information, and only they can decide who can use it.
As the new laws take effect, businesses and organizations can expect greater scrutiny of their data privacy policies and will need to stay compliant under this new regime. Experts believe companies will see increased regulatory and litigant focus on the transparency of privacy policies and cookie policies.
Implications for companies
Among the rights set forth in the new GDPR-style data privacy laws:
- Access – Under the new laws, individuals have the right to request access to view their personal information.
- Disclosure – Some states will require more detailed policies regarding the collection, use, and disclosure of sensitive personal information like biometrics and geolocation.
- Portability – People have the right to request that their personal information be shared with another entity.
- Consent – Individuals have the right to decide whether their personal information may be sold or used for targeted advertising.
The Better Business Bureau, a top data privacy watchdog, wrote last year that “consumers must consent through an action in response to these communications or some other compliant, clear, meaningful, and prominent notice from the company.” They emphasize that users must affirmatively consent to data sharing. Passive consent, once seen as the norm, is now insufficient.
How can business leaders minimize litigation risk?
As the legal framework develops around data privacy, there are things business and organization leaders can do now to avoid legal exposure:
- Stay aware of new state regulations on data privacy and how they may affect your organization.
- Provide users with a detailed disclosure of your organization’s use of personal information like geolocation.
- Obtain consent from users before you share personal data with advertisers or other third parties.
- When using AI and machine learning to automate business processes, make sure these technologies comply with privacy laws under the CPRA and other key regulations.
It is important not only from a legal perspective, but also from a business perspective, that corporations ensure that their data privacy policies conform with evolving state and federal regulations. Sidespin Group can help ensure that the proper policies are in place to set your business up for success.