There has been a rise in the number and impact of data breaches in recent years as more commerce moves online and more businesses collect and store customer data to provide increasingly individualized advertisements and shopping experiences. In response, a range of jurisdictions have enacted divergent data privacy regulations to protect consumers. There are currently 142 countries with data privacy laws, 62 of which enacted them in just the last decade. The European Union, United Kingdom, and United States each have different sets of regulations, with the GDPR already in place in the EU while post-Brexit UK and the US develop their own regulatory frameworks.
In the US, there is not yet a federal standard, so individual states set their own data privacy statutes, with California’s Consumer Privacy Act (CCPA) leading the way with provisions delineating consumer rights and also establishing business obligations regarding mandated risk assessments and timely notification of data breaches. While there is often overlap between different sets of regional regulations, compliance with any one of them does not guarantee compliance with any other, given their varying standards. In addition, organizations potentially need to stay compliant with a whole host of industry-specific statutes, from HIPAA and HITECH to PCI-DSS, Dodd-Frank, Sarbanes–Oxley, or FISMA. Companies doing business in different geographical areas or supplying services to more highly regulated industries need to be ready to comply with data privacy laws in all of them.
Different Types of Sensitive Data
In addition to the sheer number of different existing and prospective data privacy laws that businesses have to monitor across different jurisdictions, another complicating factor is the range of varying types of sensitive data. Protected data is not necessarily limited to information that customers submit through web-based applications. Several states, for example, have already passed laws protecting biometric data: physiological or behavioral identifiers such as the face, irises, fingerprints, the voice, hands, and handwriting.
Legislation to protect biometric data is currently under consideration at the federal level (the National Biometric Information Privacy Act of 2020) and at various state levels, including the Consumer Data Privacy Act (CDPA) in Pennsylvania, the Washington Privacy Act of 2021, and AO6787-D/SO5140-B in New York. On top of that, as of January 1, 2021, Portland, Oregon became the first city to pass its own ordinances banning private businesses from the use of facial recognition technology. Any businesses that process or store biometric data for healthcare, security, or other applications will need to comply with these regulations on top of the more commonly known data privacy laws. Penalties for violating these laws can be steep, as Facebook found out when it had to pay $650 million to settle a class action lawsuit brought under the Illinois Biometric Information Privacy Act.
Data Privacy Legislation in the Works
Given the current fragmentation of the data privacy regulatory landscape, it seems likely that the Biden administration will work with Congress to pursue federal privacy legislation. Proposed bills to watch in 2021 at the federal level include the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act and the Consumer Online Privacy Rights Act (COPRA). Two additional bills have been introduced specifically to safeguard data collected to track and analyze COVID-19: the COVID-19 Consumer Data Protection Act of 2020 and the Public Health Emergency Privacy Act. In addition, several states have data privacy bills actively moving through the legislative process. Not to be left out, on November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which will amend and expand the CCPA effective January 1, 2023. When new legislation comes into force, businesses need to be ready to promptly update all of their contracts to ensure compliance with any new regulations to which they are subject.
In the meantime, businesses need to be able to quickly and efficiently search and update their contracts in order to ensure compliance with disparate data privacy obligations in all of the various jurisdictions where they do business. These laws typically require businesses to disclose how they collect, use, store, and disclose customers’ data, and to offer terms allowing consumers to opt out of data collection. When sharing data with third parties, especially across borders, businesses are not off the hook. The business sharing customer data is obligated to ensure that its business partners are also taking adequate steps to protect that data.
Tech Companies and Antitrust Enforcement
Beyond the realm of data privacy, one of the most important areas for tech companies to watch in general is the antitrust landscape. Smaller tech companies frequently seek acquisition by larger tech companies as a planned stage in their growth trajectories, so the present administration’s stance on mergers and acquisitions may directly impact their plans.
Tech companies might also find that they need to more closely monitor their agreements with business partners in order to steer clear of any perception of engaging in anti-competitive practices or antitrust violations. For example, some businesses have responded to the COVID-19 pandemic by providing more favorable payment terms for their customers. However, if a business provides such accommodations to some customers but not others, under certain circumstances, that might constitute price discrimination under the Robinson-Patman Act.
As a result of the recent proliferation of data privacy legislation and other regulatory obligations, including antitrust concerns, contract compliance has evolved into a continuous process rather than an item to check during the drafting or audit phase and then set aside. Businesses need a powerful contract intelligence platform that can provide timely insights into the data and obligations in their contracts at a moment’s notice, and that also enables them to update their contracts and templates efficiently, reliably, and painlessly.
Ready to learn how Evisort’s leading-edge artificial intelligence can help your business navigate the shifting regulatory landscape? Click here to read our white paper on contract compliance challenges businesses face in 2021.