Examining the Effectiveness of Recent Privacy Laws on Big Tech

Examining the Effectiveness of Recent Privacy Laws on Big Tech
Author: Kishan Sathyanarayanan, CISA, CCSFP
Date Published: 12 September 2023
Related: Stop Passing the Privacy Hot Potato

The year 2023 will be remembered as bringing a seismic shift in United States privacy laws – building off GDPR and other recent international privacy regulations. Historically, big tech firms collected and stored the personal data of users on the internet without their consent. However, many of these practices are set to come to a halt.

Many sectors across the US have created a pool of data that is often misused. These sectors include healthcare (medical history and insurance policy details), education (students’ backgrounds) and financial data (bank account details). Following the footsteps of California, four more US states (Utah, Virginia, Connecticut, and Colorado) have created industrial-specific rules to ensure the data privacy of the citizens.

The influence of GDPR

The new privacy protection laws in the US are likely to follow in the footsteps of GDPR, which is applicable in the European Union. In the EU, the protection of the personal information of users is considered a fundamental human right. The users have the power to decide with whom they want to share their personal details. In light of technical advancements, the EU has recognized the need to revamp privacy laws globally. In 2018, the European Union adopted GDPR, which stands for General Data Protection Regulation. It lays down the rights for the protection of data:

  • Access—All individuals must have the right to access and assess their personal information.
  • Correction—Individuals must have the power to request edits in their personal information that has been collected.
  • Portability—Individuals must have the right to ensure a smooth transfer of their personal information from one entity to another.
  • Erasure—Individuals should be able to request that their personal credentials be removed from the database.
  • Consent—Individuals should be able to decide whether their personal data can be sold or not.
  • Appeal—Individuals must have a legal framework to appeal against the denial of their requests by the companies.

CCPA amendments

The California Consumer Privacy Act (CCPA) is a prominent state statute that has set a baseline for privacy policy in the US. The latest amendments that have been added to the CCPA focus on the introduction of a primary agency, which is the California Privacy Protection Agency. This agency will oversee not only privacy laws but also various other laws. Additionally:

  • The CCPA will extend its purview to business contacts and staff data. This has been the first time in history that data privacy laws extend to other domains.
  • Furthermore, CCPA has proposed an option to consumers to opt out of sharing information for behavioral analysis. As a result, no service provided will be able to retain the data of its clients, and if it retains the data, clients must be informed.
  • The CCPA requires businesses to flash a privacy notice at the time of collection of data. With such stringent terms, businesses will no longer be able to publish privacy notices at the end of the web page. Notices should be easily readable and visible to the customers.
  • It also prohibits the business from sharing its information with customers or vendors. Data collected cannot be shared across verticals without the consent of clients.

Protection of sensitive data

There remains a lack of comprehensive privacy laws in the US. New policy amendments are likely to focus on areas of higher risk, such as information about reproductive health and children’s privacy. Not very long ago, California passed a design code influenced by the UK which is referred to as California Age-Appropriate Design Code (CAADC).

The CAADC focuses to expand its purview to the protection of children’s privacy in the online space. These policies are directed toward children under the age of 13 years. It is now mandatory for sites to obtain parental consent for purchases made by a minor.

How AI factors into privacy policy

With the advent of ChatGPT, AI is even more top-of-mind from a privacy perspective. Today, AI is used in decision-making, recruiting professionals, audit of financial information and more. The EU is set to form an AI framework to address the problems of data theft by users. Meanwhile, the US is working to set up a legal framework to protect users from the risks of AI.

Conclusion

The year 2023 is a landmark year in the arena of data protection and consumer privacy. Although some new privacy laws are comprehensive in scope, they also list a few carve-outs for information previously protected under other laws. The extent of carve-out varies by sector with respect to their enforceability. Each sector is dynamic and should be thoroughly evaluated in terms of its requirements, scope, financial liabilities and penalties.

A deep understanding of these new laws and regulations will help big tech companies to create a solid foundation and to help them to survive in the long run. A mature privacy program helps enterprises to stay prepared for any new privacy laws. Organizations that make privacy as part of their DNA do not need to start from the drawing board every time a new privacy law is introduced by the regulators.