Make the most of Data Privacy Day

Privacy professionals, as a group, tend to be an enthusiastic, passionate, and very supportive bunch. But they can find themselves spread too thin, under resourced, and constantly needing to prove their worth to their company. With resources tighter and privacy laws demanding more attention, we thought it would be a great opportunity to take this Data Privacy Day to offer a case for why the privacy professional is more important than ever.

For those in the know, the U.S. is one of the last holdouts to deliver comprehensive privacy at the federal level. While that is a topic for another day, we will focus on the patchwork of state privacy laws that have cropped up in this absence and why privacy should be a top priority in every company.

California passed the first comprehensive privacy law at the state level in 2018, entering into force on Jan. 1, 2020. Prior to the groundbreaking California Consumer Protection Act (CCPA), the U.S. approached privacy via silos — healthcare privacy, financial privacy, child privacy, etc. The CCPA was a big deal for privacy in the U.S.

Since 2020, privacy legislation has developed at an unprecedented pace, with both Republicans and Democrats seeing it as a top priority. The past three legislative sessions (2020, 2021, and 2022) have seen a rush of privacy laws introduced, all resulting in a palpable change. Privacy has evolved into a nuanced conversation, increasingly reflective of the complexities of operationalizing it.

Privacy bills were introduced in both red and blue states and passed in California, Colorado, Connecticut, Utah, and Virginia to date. As the 2023 season kicks off, eight states are already considering broad consumer data privacy bills – Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. Many of these states have a leg up from negotiations that took place last year. Another four states, New Jersey, Texas, Virginia, and West Virginia are considering children’s privacy bills (another trend courtesy of California).

As this patchwork of privacy laws grows, elevating privacy and data protection programs is more important than ever before. And to underscore this, privacy regulators are handing out some very large fines.

The tail end of 2022 saw enforcement actions from the Federal Trade Commission, a coalition of state attorneys general and the court system. The FTC issued fines totaling $520 million — its largest ever — to gaming company Epic (maker of popular online game Fortnite). The FTC claimed Epic violated the Children’s Online Privacy Protection Rule by illegally collecting children’s personal information, that its default settings harmed young players and, in a separate settlement, that the company used manipulative techniques (“dark patterns”) to compel players to make unwanted in-game purchases.

Another groundbreaking settlement came last quarter as a coalition of 40 state attorneys general settled the largest AG-led consumer privacy settlement at $391.5 million with Google over its location tracking practices. The attorneys general found that Google had mislead consumers about its location tracking practices since at least 2014 and confused users into thinking they had turned off location tracking in their account settings while continuing to collect their location information.

On top of that, a jury handed out a groundbreaking $228 million judgment for violations of Illinois’ Biometric Information Privacy Act. After deliberating for just one hour, a federal jury found BNSF railway, operator of one of the largest freight railroad networks in North America, collected employee fingerprints without proper consent. The jury awarded the maximum penalty for each violation: a $5,000 penalty issued once for each of the 45,600 truck drivers in the case. Despite a third party processing the drivers’ fingerprints, the jury found BNSF liable for the violations as it was responsible for compliance with the law. The verdict sent a clear message for companies on the importance of vendor management.

Much like we often hear about data breaches, it’s not if but when more privacy laws will be on the books. This, combined with eye-watering fines and growing consumer awareness are working to make data privacy a vital part of all organizations. To this we say: seize the day, privacy pros!