Customers and companies alike are highly invested in keeping sensitive data safe, and many American citizens are hoping that the federal government will pass data privacy legislation soon. While it is possible that the American Data Privacy and Protection Act (ADPPA) will pass later this year, it’s far from a sure thing. And that’s why it is significant that Biden’s State of the Union 2023 demanded more stringent legislation to curtail excessive data collection on all American citizens.
Biden’s strong declaration of the need for data privacy in such a pivotal speech suggests that the ADPPA and similar legislation will be a focus for the rest of his term, as well as a potential key tenet of his reelection platform. With the potential for federal legislation on the horizon, it’s important for US and global companies alike to understand where data privacy currently stands worldwide and where it might go in the next year. In this post, we’ll review some of the biggest privacy news from the last 12 months and look ahead to some important changes coming in 2023.
Looking Back on 2022
It’s hard to deny that 2022 was a tough year for data breaches. The list of the year’s top breaches reveals a number of high-profile events that left many consumers concerned about possible identity fraud.
Yet, there was a decent amount of good news as well. While federal and national privacy laws in the United States and Canada are still works in progress, a number of rigorous state laws came into effect during 2022. These include Utah SB227, which went into effect in March last year. As with other recent privacy legislation, it lays out citizens’ rights to access or delete their data, and through subsequent amendments, designates large swathes of medical data as sensitive personal information. In Canada, Quebec Bill 64 became active in September. Firms that do business in Quebec are now required to name a data privacy officer or an equivalent role and face higher fines for breaches.
A new frontier in payment data security emerged when India’s state bank mandated tokenization of Indian cardholder data at the end of September. Companies accepting payments in the country have been forced to relinquish card data, and instead set up a “token” that corresponds to the appropriate data in a government-approved database. While this brought a fair number of new concerns (including Apple preemptively deciding to stop accepting Indian credit cards), it will be interesting to see whether other countries follow suit, especially with PCI DSS v4.0 coming into force starting in March 2024.
As countries around the world lose patience with recurring breaches, they are taking a stand and increasing the consequences of failing to properly protect data. In October, Singapore increased its data handling penalty to 10% of a company’s annual turnover, and in November, Australia’s Privacy Penalty Bill stipulated massive penalty increases, such that the new minimum penalty is 25 times greater than the previous maximum penalty. The cumulative costs from cross-border penalties are well on their way to becoming potentially devastating for businesses. Implementing robust data management practices not only minimizes the risk of a breach and subsequent penalties but also provides a competitive advantage.
Looking Ahead After Biden’s State of the Union 2023
We’ve only just begun, but 2023 has already proved to be eventful. Meta Ireland faces a fine of €390 million after failing to properly provide a consistent legal justification for data collection (although Meta swore to fight the penalty). This serves as a grim reminder that failing to adequately recognize, understand and protect data can lead to massive fines capable of disrupting even the world’s largest businesses. And Biden’s call for data privacy ensures the topic will remain top-of-mind for businesses, politicians, and private citizens alike throughout the year.
It looks like this year will be packed with new and updated legislation. On January 1, 2023, the California Consumer Privacy Rights Act (CPRA) went into effect. Among other stipulations, employees, job applicants, and contractors now have expanded rights to control their information. The CPRA has also created the California Privacy Protection Agency (CPPA), the first dedicated privacy agency in the United States. The Virginia Consumer Data Protection Act combines concepts from European and Californian legislation and gives consumers the right to access their personal data and request that it be deleted by businesses. Later in the year, the Colorado Privacy Act and Connecticut Data Privacy Act will go live, demanding safer data handling from firms that do business in those states.
Let Biden’s Speech Inspire You to Review Your Data Policies
In order to comply with current and upcoming legislation, companies must understand and protect their data — and that process begins with data discovery. Ground Labs offers Enterprise Recon, award-winning data discovery software that is continually updated to ensure it remains comprehensive for any company and use case. You can book a demo with one of our experts to ensure you’re prepared to face the security challenges of 2023 with confidence.
It’s likely that Biden will continue discussing data privacy and the role companies have to play in keeping business and consumer information safe. Check back for the latest updates and what they mean for your organization.