Data privacy top policy trends in 2020: PwC

Shifts in 2020

Since the EU’s General Data Protection Regulation (GDPR) took effect in May 2018, world of data privacy has shifted its focus from guidance to stepped-up enforcement. The large fines on three multinationals levied by two data protection authorities (DPAs) in 2019 are just the beginning. Will 2020 also mark the shift to consumers’ exercising their rights over their data? Companies are adding significant resources to meet customer requests for their data, according to a recent PwC survey of preparedness for the California Consumer Privacy Act (CCPA).

The EU

The bloc has become the dominant regulator around the world in data privacy because of the rollout of GDPR. Widely viewed as the gold standard, GDPR recognizes privacy as a fundamental human right and prohibits organizations from collecting and processing personal data without a lawful exception. In contrast, current US law permits the collection and monitoring of personal data unless privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) expressly restrict access. In 2019, 76 cases with fines were recorded, up from about 27 in 2018. The investigation by Ireland’s Data Protection Commission into Facebook and Twitter is one of several now being undertaken by DPAs. Meanwhile, the UK’s Information Commissioner’s Office (ICO) studies the GDPR compliance of business practices like ad tech and real-time bidding and live facial recognition—an example of methodical groundwork for future enforcement.

California

The CCPA (explained here for consumers and businesses) went into effect on January 1, 2020. Like GDPR, the CCPA has inspired other jurisdictions—Hawaii, Massachusetts, New Jersey, Pennsylvania, Rhode Island, Puerto Rico and Washington—to propose privacy bills. The effect of CCPA is rippling through the nation, as companies like Microsoft choose to apply the rules throughout the United States. More than one-third of businesses will fulfill CCPA requests from anyone, not just California residents, according to a PwC survey of CIOs. Many financial services companies and healthcare companies say they will not exercise CCPA exemptions for data covered by HIPAA and GLBA.

Spending on CCPA compliance is extensive: 43% of businesses will spend more than $10 million, with 20% topping $100 million. Driving the high costs are expectations of a high volume of consumer calls: two-thirds of companies to field more than 500 calls per day, with 11% planning for over 10,000 daily.

State attorneys general (AGs)

State attorneys general are likely to have a greater impact on privacy law enforcement than any US governmental agency. The New York Attorney General’s office has already levied fines of more than $600 million related to data breaches based on existing statutes. It also recently joined the Federal Trade Commission (FTC) in levying fines for violations of children’s online privacy.

More state laws are coming: In 2019, bills or draft bills on consumer data privacy were introduced and are pending in at least 18 states and in Puerto Rico. The Mind Your Business Act, introduced by Sen. Ron Wyden (D-OR) in October 2019, calls for state AGs to be empowered to enforce data privacy regulations. While it’s unlikely to become law, the act captures the spirit of more punitive enforcement—allowing privacy watchdogs to sue on behalf of individuals, and imposing tax penalties on companies when their CEOs misrepresent privacy practices.

Congress

In Congress, efforts are afoot to create a national privacy law. Various members of the US Senate are jockeying to have their data privacy law pushed through first. The Senate Commerce Committee’s Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) have been working on building consensus around the legislation since fall 2018. Meanwhile, the Senate Banking Committee’s Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) have been drafting their own version of privacy legislation.

Meanwhile, in the House, the Online Privacy Act of 2019 (HR 4978) introduced by Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) in November 2019 calls for establishing an independent federal agency to enforce privacy protections and investigate abuses.

Business advocates of federal privacy law

Business leaders and groups have become more vocal about the high cost and ineffectiveness of fragmented, and sometimes conflicting, state privacy laws. The Business Roundtable’s 2020 American innovation agenda calls for harmonizing approaches to data privacy and security to remove roadblocks to innovation. Its push for a single national privacy law puts enforcement in the hands of the FTC, one of the few things that most proposed federal privacy legislation agree on.

But many efforts to craft a national privacy law have failed. Legislators and business leaders hold opposing positions on the basic principles from which rules flow. For example, Apple CEO Tim Cook, in a speech expressing support for a US data privacy law, raises at least three points that are not universally held: "We at Apple believe that privacy is a fundamental human right[…]Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency[…]We’re not willing to leave our users to fend for themselves. And, we've shown, we'll defend those principles when challenged.”

Citizen and business privacy advocates

CCPA resulted from the work of concerned citizens Alastair Mactaggart, Rick Arney and Ashkhan Soltani. As chronicled in a New York Times Magazine article, they were troubled by the amount of data companies are allowed to collect to make “increasingly precise guesses about what you wanted, what you feared, and what you might do next.” So they set out to take on the data industry. By putting the question directly to consumers on a state ballot initiative, it remained a citizens’ movement until the California State Legislature wrote what is now known as CCPA. Mactaggart will follow the ballot initiative path again in 2020 with his proposal to strengthen consumers’ control over their personal data, as well as organizations’ obligations around data privacy.

Meanwhile, the US does not lack for business models that prioritize privacy—although going up against the giants has limited their scale. Gabriel Weinberg, CEO of browser DuckDuckGo, advocates the right of individuals to opt out of online tracking. Among the implications is the return to contextual ads, instead of behavioral ads that follow individuals as they search, buy and interact online. There are also social media start-ups that won’t make money from personal information or ads.

How to prepare for the shift

In a GDPR and CCPA world, negligence of data privacy protections will not be tolerated and will result in higher fines. Enforcement authorities now have the frameworks to test current and new technology applications that collect and use personal data; these will result in a continuous, perhaps growing pipeline of investigations. For businesses, transparency and preparedness are the best course of action. Recent examples of transparency include Apple’s white paper with details on the privacy features of its latest operating system, and Google’s posts on its privacy initiatives.

Companies can shift to a “privacy by design” operating model. It starts with using a tool to track all the shifting privacy laws that are cropping up—now more than 1,800 globally, according to PwC’s Risk Atlas. Tools like Risk Atlas can keep an organization abreast of the regulations as they change in real time, and help it enhance its privacy standards ahead of enforcement.

Companies need to integrate privacy into all core operations and as part of product design, in order to cultivate trust among consumers. At PwC, we call the businesses already doing so data trust pacesetters. They tend to be three times more likely to achieve ROI than those who don’t include their privacy team from the start.