“The times they are a-changin’,” Bob Dylan sang almost 60 years ago. And when it comes to consumers’ reasonable expectations of privacy, they are still a-changin’.
I recently participated in a panel hosted by Usercentrics that focused on the cluttered mess of privacy laws that currently govern the United States.
Here are some of the key takeaways:
- We have “just” five comprehensive data privacy laws in the U.S. right now, and “only” two are in effect. But we have about 20 comprehensive state privacy bills in the pipeline and a bunch of state biometrics bills, children’s information bills and health information bills.
- It is still too early to call time of death on the American Data Privacy and Protection Act (ADPPA), which is the closest the United States has ever come to a federal privacy law. It could experience a phoenix-like resurrection, with a Congressional committee hearing set for March 1.
- What should you do about all the different laws? Handle the core obligations. Start with transparency (even President Joe Biden said so in his State of the Union), address your sensitive information, and figure out your sale/share in websites and in software development kits (SDKs). (The California Attorney General’s Office said this is yet again an enforcement focus this year.)
- When looking at transparency and choice, you should mind your consumer expectations, because, just like the times, they are a-changin’ too. Who cares about IP and pixels? Who cares about data sharing? Ten years ago, it was maybe some folks in Germany. Today? There was recently an $18 million settlement in Massachusetts.
- You can’t just take a nap because you don’t think you are subject to CPRA or CPA. The Federal Trade Commission (FTC) and multiple state attorneys general are on the prowl. Sharing through cookies, trackers and pixels is alleged to be unfair/deceptive in a lot of pending litigation right now, so it would be a good idea to look at your disclosures/choices.
- A profile used to be your good side for picture taking. Now, it stands to be your targeted-advertising bad side, roaming aimlessly on the World Wide Web. This is already getting enforced by the Italian Data Protection Authority and other EU regulators.
- Mind your health and location data, as well as data minimization. The FTC is in full force with the GoodRx, Drizly, CafePress and other cases. State legislatures are also busy with genetic data laws and bills and health data bills.