The most significant privacy issues facing companies today
Adapting to the CCPA may be in the rearview, but there are still privacy-related challenges old and new at play in 2021.
Many corporations and risk managers have likely become intimately acquainted with the ins and outs of the California Consumer Privacy Act (CCPA) over the course of the last year. But there are still plenty of non-CCPA-related privacy issues on the horizon to keep risk management teams hustling throughout 2021.
For starters, companies looking to bring more privacy work in-house in their legal departments will likely have to contend with a shortage of available — or qualified — talent on the market. At the same time, there is a growing number of cases being brought forth under the EU’s ePrivacy Directive, which could have serious implications on approaching marketing activity.
But perhaps the most seismic of all could be the emergence of a fertile legislative environment for a new federal privacy law. Here are the five biggest privacy challenges that companies will face in 2021.
1. Federal privacy regulations
While the prospect of a national privacy law in the United States has often seemed vague and somewhat uncertain, recent shifts in the political landscape may get the ball rolling in that direction sooner than businesses anticipated. Tomu Johnson, of counsel at Parsons Behle & Latimer, believes that Democrats gaining control of the White House, the House of Representatives, and now the Senate could be a game-changer for privacy.
“In the U.S. I could see real momentum this year for a privacy law that gets passed by all three branches of the government and finally creating a good baseline floor for privacy in the U.S,” he said.
2. The EU’s ePrivacy directive
It’s possible that risk management teams and corporate legal departments could also find themselves tangling with the EU’s ePrivacy Directive more frequently in 2021. The law, which governs direct electronic marketing messages, cookies and other tracking technologies, may be of particular concern to businesses who frequently rely on aggregating and analyzing consumer data to guide their advertising strategies.
“There’s been an uptick in court cases in Europe dealing with the ePrivacy Directive and fining companies for failing to comply with the ePrivacy Directive… It really runs antithetical to the way American business runs marketing campaigns here in the U.S. are really globally,” Johnson at Parsons Behle said.
3. Cyber vulnerabilities
Businesses may also find themselves doubling back to address any residual data protection risks posed by the rapid transition to a remote working culture made during 2020. Mike Russell, senior manager and head of global legal operations at Expedia Group, expects that companies will have to pay attention to infrastructure problems such as keeping up with the latest software patches to mitigate breach vulnerabilities.
He stressed the importance of ongoing communication between the legal department and a company’s chief privacy or security officers. “I think that that role has to be leveled up even more if it hasn’t been already,” Russell said.
4. Vendor management
In addition to their own internal cybersecurity posture, corporations’ legal departments may also have to worry about vendors entrusted to handle sensitive matters or data. In 2016, for instance, 11.5 million documents were stolen from Panama offshore firm Mossack Fonseca that allegedly revealed evidence of tax evasion and money laundering on the part of wealthy clients.
“Law firms are protecting all of this information, and they are not secure themselves, if they have not engaged or gotten a competent privacy professional to consult in their organization, then they are very much at risk,” Russell at Expedia Group said.
5. Staffing shortages
One problem that corporate legal departments may share headed into 2021 is the relative dearth of qualified privacy professionals on the market. Rita Heimes, general counsel and chief privacy officer for the International Association of Privacy Professionals, noted that there simply aren’t too many associates with three to five years of experience in the field just yet. This could place a greater impetus — and burden — upon on-the-job-training.
“You have to become a teacher. You have to set aside time to find other people within your company who are open-minded, interested [or] willing to learn something new and recruit them onto your team. I think in a pinch, you always have to look in-house first and see who you can poach from another group,” Heimes said.
Related: