Protecting customer data will continue to be an urgent issue for businesses worldwide in 2022. The risks and requirements are not going away.
In 2021 we saw users demanding and gaining more control over their personal data. Big tech/ad tech took more hits to their data-driven business models, even while introducing variously effective “privacy” measures (such as Google phasing out third-party cookies and scrapping app developers’ access to ad IDs, and Apple introducing the ATT feature and privacy labels in the App Store). When WhatsApp caused global outrage by demanding its 2 billion-plus users consent to sharing their personal data with Facebook, and Elon Musk switched millions of those users to private messaging app Signal with a two-word tweet, the world was never surer that consumers are tired of trading their personal information for access to services. This sentiment is only intensifying.
Throughout 2021, the regulatory landscape expanded, placing even greater compliance burdens on business and making cross-border data transfers more difficult. COVID-19 and the mass move to remote working environments continued to demand businesses find ways to protect employee devices and secure corporate data and resources as cybersecurity threats ramped up. Contact tracing also amplified the risks of sharing and storing personal information. Cisco confirmed the pandemic had seriously elevated the importance of data privacy as a business priority and, as we enter the third year of the pandemic, this imperative hasn’t changed. Privacy budgets and resourcing skyrocketed among businesses in response, and governments and health authorities are still struggling to balance public health with protecting personal privacy.
Obviously, data privacy will remain firmly on the agenda in 2022, so the big trends to watch for are:
Privacy regulations and compliance obligations will continue to expand and tighten in the US and globally.
The International Association of Privacy Professionals (IAPP) quotes Goodwin Partner and IAPP Senior Fellow Omer Tene as saying, “In 2022, expect an avalanche of new laws and regulations, attempting to govern and impose order on a dizzying array of tech developments. New regulatory efforts will range from data protection laws in India and China to AI regulation in the EU to automated decision making rules in US states. Add to that a flurry of enforcement activities, and you get a perfect storm of tech regulation.”
Tene says it’s unlikely the US will get its long-awaited national privacy law in 2022, but at least six states will move to pass their own (Maryland, Oklahoma, Ohio, New Jersey, Florida and Alaska). It will be interesting to see whether any of those states includes a private right of action (PRA) because, if they don’t, the game could change. “A couple of years ago, conventional wisdom was that the more states pass privacy laws, the greater the pressure will build on the business community, and consequently Congress, to pass preemptive federal legislation. Absent a PRA, however, an interesting dynamic may develop, where the more state privacy laws, the less appetite businesses – who are growing accustomed to complying with the emerging (PRA-less) state framework – have for federal pre-emption,” Tene says.
More tech legislation will flow out of Europe too. In fact, Tene calls it “a veritable alphabet soup of tech regulation affecting digital platforms, digital services, online marketing, data intermediaries and more …”. The AI Act, affecting algorithmic decision making across the economy, and the Data Act, which broadens legal obligations, including cross-border transfer restrictions, to non-personal data will also be things to watch.
We’ll see more regulatory enforcement.
Governments in the US and Europe are expected to ramp up regulatory enforcement around breach reporting and risk reporting. GDPR enforcement increased in 2021 and this is set to continue. Tene says, “Importantly, regulators are expanding the lens from an early focus on data breaches to challenging companies’ legal bases for processing data and, notably, cross-border data flows. In 2022, expect an additional step up the enforcement ladder. We expect regulators to focus on issues such as protecting children’s data, restricting the use of sensitive health and financial information, and curbing the excess of digital marketing.” Of course, if greater enforcement is to happen, the regulators will need to be adequately resourced. Enforcement times are not getting any shorter on the complex cases. Greater enforcement will also be long overdue. For example, the Schrems II decision was handed down in the middle of 2020, and there has been minimal (if any) enforcement action resulting from that change.
More limits on big tech/ad tech.
Regulators, the media and the general public have big tech/ad tech firmly in their sights and will continue to demand more privacy-first data tracking and sharing practices and business models. As we reported last year, the Federal Trade Commission could go harder on consumer privacy protection and cybersecurity with President Biden’s recent nomination of digital “privacy hawk” and law professor Alvaro Bedoya and House Democrats’ proposal to allocate $1 billion for a new privacy and data security bureau.
Tene notes: “Under the leadership of new Chair Lina Khan, the FTC has issued strong statements and strategic plans for broad rulemaking efforts, including rules to curb ‘abuses stemming from surveillance-based business models’ and ‘lax security practices’ and to ‘ensure that algorithmic decision-making does not result in unlawful discrimination.’” But he notes this in part depends on Bedoya’s appointment proceeding in the Senate, which may not be quick.
Consumers will continue to favor brands that are genuinely good, honest stewards of their personal data.
Cisco released research findings in October 2021 which it says “demonstrates the growing importance of privacy to the individual and its implications on the businesses and governments that serve them.” Eighty-six percent of respondents said they care about data privacy and want more control, and 79 percent said they’d be willing to vote with their wallet and not support businesses that don’t protect their data and would indeed pay for better data protection. This sounds like the new growing market of “privacy actives” we discussed last year and which no brand can afford to ignore. Cisco reminds businesses that data abuses have eroded trust in brands, which is one reason it has released its New Trust Standard, which we’ll explore in a separate article soon.
Clearly the opportunity for businesses to build customer trust and loyalty by responding authentically to what their customers want and need is enormous. As PwC says, brands that get customer privacy and safety right will disrupt the market. Our Sudo Platform privacy and cybersafety services platform can help you to rapidly develop and deploy branded customer solutions.
Want a longer-term view? Read our 10-year vision for privacy, which we released in 2020.