
    2024 Data Privacy Best Practices and Updates: the APRA, AI and more

     

    Last updated: September 19, 2024

     

    Bettina Lindner Lippisch, our VP of Privacy and Data Governance, spoke at our OX7 conference about the recent developments and the future outlook of data privacy for businesses. 

    What responsibilities do companies have in response to new state-level privacy laws? What should you know about the proposed federal privacy law, which gained bipartisan support in Congress this spring? And how can your company safeguard against the privacy risks of AI?

    Bettina answered all of that and more in her session. You can find the video here or read on for the highlights: 

    The year in data privacy 

    Expansion of U.S. State privacy laws

    Over the past 12 months, ten more states passed their own data privacy bills, and several more took similar legislation to chamber.

    Most include consumer rights for:

    • Right to access
    • Right to correct
    • Right to delete
    • Right to opt out of certain processing
    • Right to portability
    • Right to opt out of sales
    • Right to opt in for sensitive data processing

    For businesses and data controllers, that means more obligations related to the data they collect, store and process:

    • Transparency: “I think every state now has obligations that require a business to disclose what you’re going to do with the data you collect,” Lindner Lippisch says.
    • Data security: All states generally require businesses/controllers to maintain reasonable data security.
    • Risk assessment: Most states also require controllers to conduct data protection assessments for certain types of processing activities. “It’s no longer required just to tell people what you want to do [with their data], but also prevent it from being used in a manner that is not intended or by somebody who shouldn’t have access to it,” Lindner Lippisch says.
    • Data processing agreements: All states generally require data processing agreements between controllers and processors. Review your agreements with your third parties and create DPAs if they don’t exist already to govern the data transfers and use.

    The proposed American Privacy Rights Act (APRA)

    18 US states now have a state-level privacy law, and another 8 are in chamber or cross-committee. 

    But the absence of a national law means that when it comes to compliance tasks, like processing opt-outs, companies basically have to treat the 50 US states like 50 individual approaches. That’s a lot to manage. 

    However, that could change soon, as a federal privacy law, the American Privacy Rights Act, is also gaining bipartisan support in Congress.

    Who will be covered under the APRA? The law will cover most entities and their service providers, except for small businesses that have less than $40 million in annual revenue, less than 200,000 customer records, AND don’t earn revenue from transferring covered data to third parties.

    What will the APRA cover? How will it differ from the state laws? Modeled after the CCPA, the federal law provides the same consumer rights as its state counterparts (right to access, right to erase, etc.). But there are some differences worth keeping in mind as you design your data privacy policy this year and beyond. These include:

    • Interference with consumer rights. The APRA will also penalize companies for using dark patterns to disincentivize or prevent people from deleting their data. “For instance, you can’t say, ‘You can only delete your data if you have the highest-paying subscription,’” Lindner Lippisch says. “Don’t create rules or do things that infringe on security based on subscription level or something that’s a right under federal law.”
    • Data security: Under the law, companies will be responsible for preventing security breaches and keeping personally sensitive information safe.
    • Data minimization: The personal data a company holds needs to be appropriate and proportionate to its purpose, and its use should be based on what an individual requested or expects.
    • Executive responsibility: Covered companies will also be required to have dedicated compliance and security officers.
    • Private Right of Action. If included in the final bill, this would give individuals the right to bring legal action against a company for using their personal data improperly. “This increases the risk because now it’s not a federal regulator or a state regulator,” Lindner Lippisch says. “It’s a private person who can say, ‘You did something with my data that I didn’t allow you to do.’”


    Find the full recording of Bettina’s session here.

    Data privacy priorities and best practices for 2024

    Artificial Intelligence (AI)

    AI is everywhere, and companies should consider implementing an AI governance approach to start minimizing privacy risk. Here are some best practices to get you started:

    Create a company-wide AI data privacy policy. Right now, there’s no law specifically governing the use of data for AI. But that’s likely to come soon, Lindner Lippisch says. Beyond that, providing customer data to external AI tools, like ChatGPT, opens you up to the same third-party risks you might experience with sending data to another third-party app.

    Companies need to understand how their employees are using AI. And from there, they need to develop organization-wide policies for the use of customer data in LLMs and other artificial intelligence services.

    “Do you know what you’re sending to the model?” Lindner Lippisch says. “Do you know who you’re sending it to? What are your policies internally for your employees to use customer data and feed it into ChatGPT and say, ‘Show me the trends or give me an analysis for this.’ Do you know what happens to that data?”

    Some other privacy concerns to consider as you develop your AI policies and governance with privacy in mind: 

    • Decide what kind of information can and cannot be fed into external Large Language Models (LLMs), and teach your employees about it.
    • Understand and document how your AI services use your customer data, and how you can keep track of violations or accidental misuse.
    • Consider how you’ll honor opt-out or data subject requests (DSRs) for someone whose information you’ve fed into ChatGPT or even an internal AI model. Can you get it back and delete it as required?
    • In your privacy policies, disclose whether you’re using artificial intelligence and whether you’re providing customer data to train LLMs.

    Privacy-minded Data Governance & Security

    Risk comes from more sources than just AI. Anytime you hold someone else’s data, you are exposed. Consider the following to ensure your data privacy risk stays low:

    • Don’t sit on your data. More and more privacy laws have retention rules based on purpose and consent. Regulation aside, the more data you have, the more vulnerable you are to breaches. Mitigate that risk by documenting the data you retain, by regularly purging old data and by reviewing your retention policies as laws evolve. 
    • Prioritize privacy by design. “When you develop new products, don’t just develop it and then say, ‘Oh, we might also have to put a consent box in here, or we have to create a new deployment type, or we have to create a new opt-in for it,’” Lindner Lippisch says. “Make privacy part of the process and also set a retention policy while you’re doing this.” 
    • Regularly clean your data. Nobody wants to lose subscribers or prospects. But keeping outdated or inactive records in your database doesn’t just create privacy issues. It also makes you more vulnerable to spam complaints and deliverability issues. You will also spend resources and money to contact people who aren’t likely to respond. Focus your efforts on recent and active records with a recent history of interaction.

    “People want to do business with companies they can trust. I think everybody might be getting emails from a company they signed up for 15 years ago. But A) It costs the company money and B) It’s probably nothing you want to buy if you haven’t interacted with them,” Lindner Lippisch concluded.

     
