Top 5 privacy concerns to watch out for in 2022
While we could have listed a dozen or more issues, from new laws and regulatory actions to major platform changes, below are the top five privacy issues to watch out for this year.
Upcoming CPRA regulations; Prepare for CPRA compliance
Parts of the California Privacy Rights Act (CPRA), a/k/a "CCPA 2.0", have already come into force, including the creation of a new California Privacy Protection Agency (CPPA), the nation's premier independent privacy regulator. The CPPA is responsible for drafting and adopting regulations under the CPRA before July 1, 2022. The subjects of these new regulations include, but are not limited to:
- Automated decision making;
- The scope and process of CPPA audits;
- Consumer rights to delete and correct personal information;
- Consumer rights to limit the use of sensitive personal information;
- The definition of precise geolocation; and
- Cybersecurity audits and risk assessments to be carried out by companies.
Most of the provisions of the CPRA text amending the California Consumer Privacy Act (CCPA) will come into force January 1, 2023. Businesses should pay attention to key changes to the CCPA, including:
- New rules for “sensitive personal information”, which include increased transparency obligations and the obligation to offer consumers the possibility of limiting the use and disclosure of this data;
- A new definition of “precise geolocation”, which includes an area equal to or less than a circle with a radius of 1,850 feet;
- New definitions of “sharing” of personal information and “cross-context behavioral advertising”, as well as new compliance obligations for such activities;
- A new right for consumers to correct inaccurate personal information;
- Elimination of the CCPA's 30-day cure period for violations of the law;
- A requirement that certain companies submit mandatory "risk assessments" to the CPPA on a "regular basis"; and
- An explicit requirement that companies enter into contractual agreements when sharing personal information with third parties, and pass these provisions on to any subcontractors they hire.
These new regulations will be essential to ensure compliance with the CPRA. Businesses need to prepare for these changes, both from the text of the CPRA and from the upcoming CPRA regulations, and adjust their privacy compliance programs accordingly.
Prepare for compliance with the Virginia CDPA
The Virginia Consumer Data Protection Act (CDPA) comes into force January 1, 2023, and companies should start planning this year to align their privacy programs with
The CDPA will apply to those who do business in Virginia or produce products or services for residents of Virginia and who control or process the personal data of at least:
- 100,000 consumers in a calendar year; or
- 25,000 consumers and derive more than 50% of their gross income from the “sale” of personal data (defined in the strict sense as “the exchange of personal data for remuneration”).
The CDPA provides a range of consumer privacy rights, including the rights of access, rectification, deletion, portability and the right to opt out of certain types of processing (including the sale of personal data and the use of personal data for the purposes of “targeted advertising”).
Similar to the EU GDPR, it will also require data controllers to enter into contracts with processors that govern their processing activities and pass contractual obligations on to all processors. The CDPA will also require controllers to perform data protection assessments when engaging in certain processing activities, including targeted advertising, the sale of personal data, the processing of personal data for profiling that presents high risks for privacy, the processing of sensitive data and other processing that poses a risk of harm to consumers.
While most privacy laws in the United States operate on an opt-out basis, the CDPA introduces a consent requirement to process certain sensitive data, such as precise geolocation.
Prepare to Comply with Colorado Privacy Law
In the wake of Virginia’s new law, the Colorado Privacy Act (CPA) comes into force July 1, 2023.
The majority of the CPA requirements will apply to controllers who operate in Colorado or produce products or services for Colorado residents, and who control or process the personal data of at least:
- 100,000 consumers in a calendar year; or
- 25,000 consumers, and earn income or receive a discount on the price of goods or services from the sale of personal data.
Unlike the privacy laws of California and Virginia, there is no income threshold for the law to apply, meaning that businesses not subject to the CCPA/CPRA or the CDPA can be regulated by the CPA.
The CPA provides consumers with a set of rights similar to those found in the CDPA, and requires controllers to follow data processing principles such as transparency, purpose specification and data minimization, similar to GDPR. The CPA requires controllers to obtain consumer consent to process sensitive data and, like the CDPA, requires companies to conduct and document a "data protection assessment" of activities that present an "increased risk of harm to a consumer." Colorado law also provides that an individual's consent is invalid if it is obtained through "dark patterns", defined as "a user interface designed or manipulated with the substantial effect of subverting or altering user autonomy, decision-making or choice."
Implement the revised EU SCCs; Awaiting British SCCs
In June 2021, the European Commission published revised Standard Contractual Clauses (SCCs) for use in international data transfers from the European Economic Area (see our previous alert). The new SCCs have added many new features, including:
- A customizable design with different modules and optional clauses;
- A "docking clause" which allows for multiparty transfers; and
- More in-depth requirements for data security measures and disclosures regarding local laws that may affect SCC compliance.
While the revised SCCs are already required for new contracts and upcoming processing operations, the European Commission has said that all existing contracts and data transfer agreements must be updated to the new SCCs before December 22, 2022.
In addition, as the UK is no longer part of the EU, the Information Commissioner's Office and the UK Secretary of State are currently approving older versions of the EU SCCs as a provisional measure. However, the UK is in the process of formulating its own UK SCCs and the UK ICO has announced plans to release them in 2022. As a result, companies will likely have to integrate the new EU and UK SCCs in their international data transfer agreements by the end of the year.
Uncertainty in the EU about cookies and behavioral advertising
The past year has seen many developments that could have a significant impact on behavioral advertising in the EU in the future. The Irish Civil Liberties Council, the Belgian Data Protection Authority and privacy lawyer Johnny Ryan have all filed lawsuits that attack the foundations of the behavioral advertising ecosystem in the EU.
For years, the industry has united around IAB Europe's Transparency and Consent Framework (TCF) to obtain user consent for the collection of cookie-based data to be used for behavioral advertising. The TCF program is based on cookie banners and the transmission of consent strings to compliant ad technology companies.
Some regulators have questioned the validity of this consent and who is the controller when collecting this data. Regulators in France have particularly focused on non-compliant cookie banners. Without complying with GDPR and obtaining the appropriate consent, all of this data used in the ad technology ecosystem is tainted. As these different issues evolve, the industry may need to change its practices in order to appease regulators and ensure that these practices are GDPR compliant.
More beyond the top five
These five issues are just the tip of the iceberg when it comes to the privacy outlook in 2022. We could easily add to that list a more aggressive, newly built Federal Trade Commission, more states ready to pass their own laws on privacy, major platforms forcing changes on their users, the apparent failure of Congress to pass comprehensive consumer privacy legislation, the rise of ransomware attacks and the increased focus on sensitive personal information such as biometric data.
The bottom line
- As each year brings new complexities to complying with privacy laws, 2022 is poised to be a landmark year.
- With three new U.S. state laws coming into effect in 2023 and additional developments in Europe, businesses may need to update their privacy programs, policies and contracts this year in preparation for the various changes to come.