
    Privacy Outlook: Legislation, Enforcement, Litigation

    As privacy risks continue to grow and change, companies need to rethink their handling of customer data.

    by Karen Lynch

    Key Points

    • Consumer privacy regulation is expected to cover nearly two-thirds of the world’s population next year.
    • In turn, regulatory fines and class-action lawsuits pose mounting risks.
    • Companies need to elevate and automate their data privacy programs.

    Companies face sharply accelerating data privacy risks, according to the Gartner market research firm. Legislation, enforcement, litigation and consumer activism are snowballing, while cyberattacks continue to breach companies’ stores of personal information, such as Social Security and credit card numbers.

    In response, companies’ data privacy programs need to shift gears. Businesses that manage and protect personal data with only a “minimum viable” approach to complying with privacy rules face a range of negative outcomes, Gartner said. Instead, privacy should become central and proactive, embraced companywide as a competitive differentiator and automated to satisfy regulators, customers, employees, partners and other stakeholders.

    This article, based on a Gartner® report titled “Predicts 2022: Privacy Risk Expands,” focuses on compliance risk. It’s part of a three-part series that will later include closer looks at litigation and at data privacy as a competitive differentiator.

    Companies Caught in the Crosswinds of Privacy Risks

    By next year, consumer data protection and privacy regulation will cover some 5 billion citizens and more than 70% of global GDP. That’s up from 3 billion in 2021, the firm said, adding: “This trend has accelerated considerably heading into 2022.”

    Yet privacy risk extends well beyond regulators’ fines for noncompliance. In another prediction, by 2026, companies that fail to protect or respect personal data will suffer three times more financial damage from class-action lawsuits and other consumer litigation than from regulatory enforcement.

    What’s more, businesses will increasingly compete on their reputation for privacy. Consumers will vote with their wallets based on how carefully their personal data is protected and how well companies respond when they raise concerns. This competitive risk is driving privacy programs in a new direction. “By 2024, large organizations’ average annual budget for privacy will exceed $2.5 million, allowing a shift from compliance ethics to competitive differentiation.”

    Rising to these challenges won’t be easy, though, since companies are also experiencing a shortage of available privacy professionals. “By 2024, a privacy professional talent shortage will lead to 100,000 positions unfulfilled.”

    Privacy Legislation Proliferates

    In the U.S., the Chamber of Commerce recently led a coalition of state and national organizations in calling for comprehensive, national privacy legislation.[1] “A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete,” the Chamber wrote.

    In the meantime, U.S. companies face a patchwork of legislation. Nearly 30 states have passed or are considering data protection laws that differ significantly, increasing compliance burdens on companies. While awaiting national legislation, the U.S. Federal Trade Commission (FTC) is developing and enforcing privacy rules nationwide.[2] For years, U.S. companies in sectors such as healthcare have already had to protect privacy under laws including the Health Insurance Portability and Accountability Act (HIPAA). And many U.S. companies with international operations must comply with overseas privacy rules, such as Europe’s General Data Protection Regulation (GDPR). 

    Worldwide, the complexity of the global regulatory system is increasing as well, Gartner wrote, now including laws in countries such as China and India. While many are modeled on the GDPR, they nonetheless vary in their requirements for data breach prevention, privacy notices and statements, and accommodations for consumer consent and preferences regarding companies’ use of personal information.

    How well are companies complying so far? Even for laws that have been on the books for years, such as the GDPR, only 20% of privacy professionals rated their companies as fully compliant, while 43% considered themselves “very compliant,” according to a separate report from the International Association of Privacy Professionals (IAPP).[3] Meanwhile, data breaches, exposures and other compromises of personal information reached an all-time high in the U.S. in 2021, up 68% over the previous year, according to the Identity Theft Resource Center.[4] “Gartner conducted a multicountry online survey between April 2021 and May 2021. According to this survey, organizations that have at least 100 employees and $50 million in total annual revenue for fiscal year 2020 were spending, on average, $1,524 per subject access request (SAR), and the majority of respondents (85%) were able to process a request within two weeks of receipt.”

    Companies Face Privacy Enforcement

    Nearly 1,000 fines have been issued by regulators since the GDPR was implemented in 2018, for a total of nearly $1.8 billion.[5] Most were for the prohibited processing of personal data, inadequate data security and insufficient fulfillment of individuals’ rights to access, correct or erase personal information. 

    In the U.S., the FTC considers itself the primary authority on privacy under its mandate to police commercial practices. Since 2002, the FTC has brought 80 cases against companies for the inadequate protection of consumers’ personal data, the agency reported to Congress late last year.[6] Lately, the FTC has become more active in enforcing data privacy under laws including the Gramm-Leach-Bliley Act, which protects the privacy of financial information.

    During the first year the precedent-setting California Consumer Privacy Act (CCPA) was enforced, “notices to cure have been issued to entities including data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers,” the attorney general’s office reported last year. Companies are given 30 days to “cure” alleged violations, and nearly all have complied so far, rather than pay a fine.[7]

    Privacy Lawsuits on the Rise

    In addition to illustrating enforcement trends, the CCPA also provides insight into the growing number of privacy lawsuits. By one count, more than 100 class-action suits have been filed based on the CCPA. These included a $5 million settlement by a company with customers alleging that inadequate security procedures enabled cyberattackers to steal their personal information.[8]

    Lawsuits are arising in several areas, involving employees as well as customers. Gartner reports an explosion of privacy lawsuits surrounding the collection and storage of biometric information, such as fingerprints and face recognition for digital access. For example, a fast-food restaurant recently reached a $50 million settlement with employees who alleged they were not asked for proper consent to use their fingerprints for clocking in.[9] In Europe, many small suits have been filed; in Germany, for example, several GDPR-related suits have been decided, with mixed outcomes for and against the plaintiffs. Meanwhile, a court in the Netherlands recently dismissed a multibillion-dollar suit against two Big Tech companies involved in real-time ad auctions.[10]

    Reducing Privacy Risks

    “With the expansion of privacy regulation efforts across dozens of jurisdictions in the coming two years, many organizations will only see the need to start their privacy program efforts now,” Gartner said. Meanwhile, companies with more mature programs are broadening their capabilities.

    Gartner’s advice for facing the coming challenges includes:

    • Make privacy central to your company.
    • Prepare a sustainable, companywide privacy program, including year-over-year expansion in coverage and impact.
    • Plan a uniform compliance approach across the jurisdictions in which you operate, with the ability to incorporate regional variations.
    • Automate the processes that handle individuals’ requests to access their personal information.
    • In addition to privacy-specific tools, such as self-service portals for customers, leverage classic data-centric capabilities, such as data discovery, classification and end-of-life automation.
    • Shore up staffing with training, conducive cultures of collaboration across departments and temporary staffing when needed.

    The Bottom Line

    Privacy risk is growing in many directions, from the rise of new legislation to more fines, lawsuits and customer complaints. Companies need to focus on privacy as a central aspect of their business — not just complying with privacy rules but competing in the market on their reputation for maintaining data privacy.


    [1] “Coalition Letter on National Privacy Legislation,” U.S. Chamber of Commerce

    [2] “FTC Takes Steps Toward Privacy, AI Rulemaking,” International Association of Privacy Professionals

    [3] “IAPP-EY Annual Privacy Governance Report 2021,” International Association of Privacy Professionals

    [4] “End-of-Year Data Breach Report 2021,” Identity Theft Resource Center

    [5] “Course of Overall Sum of Fines (Cumulative),” Enforcement Tracker

    [6] “FTC Report to Congress on Privacy and Security,” Federal Trade Commission

    [7] “Attorney General Bonta Announces First-Year Enforcement Update on the California Consumer Privacy Act,” California Department of Justice

    [8] “CCPA Breach Class Action Settlement About to Get ‘Minted,’” JD Supra

    [9] “McDonald’s Illinois Employee Biometric Privacy $50M Class Action Settlement,” Top Class Actions

    [10] “Judgment of 19 December 2021,” Court of Amsterdam

    Gartner, Predicts 2022: Privacy Risk Expands, Bart Willemsen, Katell Thielemann, Bernard Woo, Nader Henein, 27 October 2021

    GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
