The fast-changing data privacy landscape | Articles

Abstract

The demand for consent-based use of data is driving the adoption of data privacy laws worldwide, changing the way marketing researchers collect and use consumer data.

Editor’s note: Jessica Santos is the global compliance and quality director at marketing research firm LightSpeed Health, U.K. This is an edited version of a post that originally appeared under the title, “Global privacy landscape for 2019 and beyond.”

The global privacy landscape has changed dramatically in the beginning of this millennium. On the one hand, data is regarded as power and the new commodity or even currency, on the other hand, both data subjects and regulators have increasing demand of data privacy to avoid personal data violation.

This fast-changing privacy landscape will continue to increase its pace in 2019. Below is a breakdown of what we’re seeing across the globe and what it means for us as researchers.

The United States

The U.S. is going through a phase of deregulation on the federal level under Trump administration, but different states are enacting privacy related bills independently. In the U.S., there is no single, comprehensive federal (national) law regulating the collection and use of personal data. However, each Congressional term brings proposals to standardize laws at a federal level. Instead, the U.S. has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law but are part of self-regulatory guidelines and frameworks that are considered best practices. These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.

States including Alabama, California, Colorado, Arizona, Iowa, Louisiana, Nebraska, Carolina, Oregon and Virginia have privacy bills pending or due to be effective. The most famous one is California Consumer Privacy Act (CCPA, A.B. 375), which has the nickname “mini GDPR.” It is unanimously rammed on June 28, 2018, likely to have some amendments by effective data – Jan 1, 2020. The new law gives consumers broad rights to access and control of their personal information and imposes technical, notice and financial obligations on affected businesses.

Brazil

Also inspired by GDPR, Brazil enacted its General Data Protection Law – Lei Geral de Proteção de Dados (LGPD) (Law 13,709/2018) in August 2018. The law will come into effect after its 18th adaptation period, in early 2020.

The LGPD creates a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It is important to note that the country already has more than 40 legal norms at the federal level that directly and indirectly deal with the protection of privacy and personal data in a sector-based system. However, the LGPD is replacing and/or supplementing this sectoral regulatory framework, which was sometimes conflictive, marshy, without legal certainty and made the country less competitive in the context of an increasingly data driven society.

Similar to the GDPR, the LGPD sets out general principles that must underpin all processing of personal data, and then builds on those principles by identifying specific legal bases that can be relied on to support particular acts of data processing. Importantly, while the LGPD focuses mostly on data privacy, the principles also impose substantive data security requirements: companies must adopt “technical and administrative measures to protect personal data from unauthorized access and accidental or illegal destruction, loss, alteration, communication or dissemination.”

Asia Pacific

India, Thailand, Japan, Australia and South Africa all have privacy legislation similar if not identical to GDPR due to come into effect in the coming months.

Europe

As Europe’s GDPR legislation dominated headlines in 2018, the ePrivacy Regulation will be the next one to pay attention. It isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: again, personal data protection.

Electronic communications means that it includes the Web, the Internet (e-mail, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the Internet of things, among many others. It will look at the text, the impact, the challenges and the evolutions. As the European Commission made clear in the scope of the progress of EU member states with the GDPR, all focus is on the GDPR at this time and it is pretty sure that the ePrivacy Regulation will not enter into force until the second half of 2019.

United Kingdom

While U.K.’s Brexit and future relationship with Europe might not be certain, Information Commissioner Elizabeth Denham sets out how the ICO is helping businesses, particularly SMEs, prepare for a possible no-deal Brexit. The Government has made clear that GDPR will be absorbed into U.K. law at the point of exit, so there will be no substantive change to the rules that most organizations need to follow. But organizations that rely on the transfers of personal data between the U.K. and the European Economic Area may be affected.

Data laws and MR

Besides the U.S.-China division, Internet fragmentation is also happening in less obvious places, Oxford cybersecurity expert Emily Taylor explains. Europe’s global data protection regulation (GDPR) has led some companies to overreact and block their sites to European visitors. Other jurisdictions are following suit and considering data localization laws. “You're going to end up with cross-cutting national and regional laws that are reaching over their borders, making it very difficult for companies to comply,” Taylor says. “People will just choose to be very limited in what they do and the audiences that they try to reach.”

After a year of scandals, the implementation of Europe’s GDPR and upcoming copycat legislation from other jurisdictions, the advertising business will move away from the wholesale collection of personal data and the extreme personalization of advertising, predicts Mihael Mikek, the founder and CEO of digital advertising platform Celtra. “The question will come down to, is the data being used in a way that benefits the consumer or not?” he explains. “In the last five years, it’s been such a crazy race to collect as much as possible.” Advertisers will follow consumers, who will demand more ethical and consent-based use of their data. With The New York Times having published an investigation of location-tracking apps , location data is likely to be the next battlefront.

The intensity of privacy demand from consumers, ever increasing privacy legislations and big data capacities of corporation are increasing. It looks like 2019 will see some high-profile lawsuits based on tension and the rebalancing of this relationship.