Regulators and Enterprises Get Serious About Digital Privacy Rights
The wild west days of digital privacy are coming to a close. As European Union authorities step up enforcement of the General Data Protection Regulation (GDPR) and U.S. lawmakers continue their debate around regulating big tech, C-suite executives are being forced to strengthen their privacy initiatives.
“We are seeing international regulators becoming more serious about addressing digital privacy from additional angles. For example, the E.U. recently approved the Digital Markets Act (DMA) and Digital Services Act (DSA),” says Alex Krylov, a senior privacy advocate at DataGrail. “Together with the GDPR and ePrivacy Directive, the DMA and DSA seek to protect consumers against the exploitation, promoting fair competition and creating a safer digital environment for users.”
In the U.S., a patchwork of states has enacted data privacy legislation that will soon become enforceable. California, Colorado, Connecticut, Utah, and Virginia will each see some or all of their state consumer data privacy laws go into effect this year.
At least nine other states have already introduced comprehensive privacy bills for 2023, and most are consistent with prior legislative efforts. According to a review by Gibson Dunn, five states currently have legislation to increase protections for children’s data, and seven are considering bills that address specific subsets of data, like the collection and use of biometric data or health data and third-party data brokers.
According to a survey by Cisco, spending on privacy compliance is up sharply, from an average of $1.2 million three years ago to $2.7 million this year. However, organizations’ privacy priorities differ sharply from those expressed by consumers, and 92% of professionals still believe their organizations need to do more to reassure customers about their data privacy.
Although U.S. lawmakers have yet to propose legislation similar to the DMA or DSA, Krylov says there are ongoing debates about regulating big tech, with discussions ranging from rebooting the fizzled ADPPA to breaking up large tech conglomerates, or focusing on more politically palatable issues like children’s online privacy and safety.
Krylov recommends that businesses focus on what’s behind the latest debates and provisions. He suggests starting with the pragmatic — documenting, informing, and balancing company data practices. For example, as a best practice, companies should be documenting their use of third-party cookies and similar technologies, including pixels, tags, scripts, and mobile identifiers, as well as hashed emails and digital fingerprints used to connect and combine data about individuals.
“The status quo of data exploitation is meeting the zeitgeist of tech-centric privacy reform,” Krylov says.
Consumers should also expect to see plenty of changes to terms of service agreements in the coming year, as companies adjust privacy policies to remain compliant with the latest international updates.
Among those companies that do sell data, Krylov says it’s going to be even more important to inform consumers using the appropriate notices at collection and links.
“Banners and other Europe-originating interfaces are discretionary, and internet-native companies are encouraged to implement GPC signals in a ‘frictionless manner,’” he says. “If you don’t sell or don’t want to sell data, review whether you have limited service provider agreements in place with your adtech and analytics providers. Data is not ‘sold’ [or] ‘shared’ if it may not be used for the provider’s own benefit or that of other customers. Some vendors may put these restrictions into practice through ‘restricted data processing’ modes.”