How the GDPR and CPRA Set the Stage for New Data Privacy Legislation

Rule-makers are moving toward giving consumers more control and stricter data protection.

After the implementation of the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and then the California Privacy Rights Act (CPRA), several other U.S. states and countries have taken steps to enact similar data privacy legislation.

Clay McNaught, COO at Gryphon.ai, shares his insights on how the GDPR, CCPA, and CPRA laid the groundwork for legislation on the horizon and key requirements of these regulations that impact how ISVs do business.

Which governments have passed or introduced new data privacy legislation?

McNaught: Various U.S. states like Virginia and Colorado have introduced laws similar to the CCPA. Furthermore, countries including the UK, Brazil, Canada, India, and Australia are also adopting or updating data protection regulations, in addition to countries such as South Korea, Japan, and Singapore, which are considering similar measures due to rising privacy concerns and data breaches.

These are just a few examples, and many other countries and regions around the world are actively considering or implementing data privacy regulations. As individuals become more concerned about how their personal data is being used, and as data breaches and privacy violations continue to make headlines, the trend toward stronger data protection laws is likely to continue.

This also extends to regulations around other types of data sharing, including telemarketing, SMS text messaging, debt collection, and more. We’ve seen states and local jurisdictions introduce tighter telemarketing laws under the TCPA, imposing call frequency restrictions, calling time limitations, registration requirements, and consent disclosure obligations. Some of these regulations also require organizations to update opt-outs within a 24-hour window, making data virtually obsolete the moment it is scrubbed for use. This is crucial for companies and their data or software engineering teams when it comes to data collection and data strategy.

Are new or proposed laws and regulations similar to those in place?

McNaught: The GDPR, CCPA, and CPRA set a precedent for other states, countries, and regions to follow in creating stronger data privacy laws. Most of the similarities can be attributed to the core principles of transparency, consumer control, and accountability. Similar to the CCPA, by emphasizing the importance of not only sharing awareness of data usage but granting consumers the right to choose when and how their data is being used, these new pieces of legislation continue to give greater autonomy over individuals’ own data.

While many of these newer regulations stem from common themes and goals, the most noticeable differences revolve around the extent and measures of consent granted to consumers. This can be seen in some regions’ emphasis on giving consumers the right to opt in or out of specific types of data usage on a more granular level or prioritization of mandating businesses to disclose the purpose of data collection without going all the way to requiring consumers to explicitly give consent.

What are the most important things for solutions providers to remember about compliance?

McNaught: Solutions providers must prioritize following compliance practices because it’s non-negotiable in this rapidly evolving regulatory landscape. A good thing is that remaining compliant is not difficult as long as organizations establish adequate data governance practices and implement the right technologies.

Consider the following steps when becoming a compliant-first organization:

• Understand the nuances of marketing reach versus simplification: Solutions providers must be careful not to compromise the ability of marketing and sales organizations to contact customers in the interest of compliance simplification. While simplifying compliance rules within IT systems can reduce support costs, it can come at the price of reduced selling opportunities. Instead, solutions providers can consider consolidating exemption and consent processes into a centralized repository and optimizing the surrounding processes versus rule simplification (e.g., applying the strictest rule for one state across all).
• Leverage data and analytics: Solutions providers who have access to data-driven insights can reap the benefits of more accurate and timely information to drive compliance decision-making. For example, call center agents in the healthcare sector may have more stringent regulatory requirements in tandem with data privacy laws. The ability to review real-time compliance insights during calls helps agents make well-informed decisions to avoid violating customer privacy. The right technology can help solution providers identify compliance issues and quickly mitigate the problems.
• Address compliance concerns: When compliance issues arise, IT teams need to take immediate action. The sooner the problem is identified and solved, the easier it is for organizations to increase customer trust and satisfaction. Compliance issues that go unaddressed will result in increased regulatory scrutiny, leading to possible financial and reputational damages.
• Monitor regulatory landscape: The regulatory environment is quickly evolving, so it’s easy to lose track of the most up-to-date laws and regulations. It is critical for organizations to establish a compliance strategy that involves ongoing tracking of data privacy rules and updates. This enables organizations to keep pace with existing and impending regulations.

Will solutions providers and developers need to make substantial changes to their solutions? How will regulations impact them?

McNaught: For the most part, solutions providers and developers will not need to make substantial changes unless the regulations directly impact how organizations collect and use data. Right now, most regulations target how organizations relay information about data collection, such as informing consumers that data is being collected and how it is being used. The next iteration of these laws focuses on giving users the ability to opt out of data collection altogether. This means organizations must have the technology capabilities in place to avoid collecting data from users who do not give explicit consent. If not, they risk violating consumer privacy laws.

More forward-thinking organizations will also consider establishing compliance practices to ensure alignment with updated mandates and rules. As more regulations continue to develop, organizations should avoid falling behind and leaving gaps in their data governance policies. For example, contact compliance regulations are constantly evolving. As the underlying technology infrastructure and business processes change to meet these regulations, so too should your compliance operating manual. In addition to providing resources on day-to-day contact compliance procedures, the compliance operating manual is a critical resource for internal and external auditors. Creating comprehensive mandates can help organizations stay on top of the rapidly changing regulatory landscape.

Developers can help with this process by undergoing routine audits and reviews to examine whether data privacy practices are being followed. Also, staying up to date with the latest regulations can help solutions providers take a proactive approach to compliance so they’re not playing catch up later or, worse, paying an expensive fine for violating data privacy.

What are the additional changes on the horizon for data privacy laws?

McNaught: Data privacy will remain a top-of-mind priority for the remainder of 2023 and beyond. With the rise of generative AI, lawmakers have become increasingly interested in how data is collected and stored to train these systems. Furthermore, several recent lawsuits have challenged how technology companies like OpenAI and Meta gather and use data to train their large language models (LLMs). Public discourse also fuels growing debates on how technology companies use consumer data, amplifying pressure on politicians to address these concerns.

Another important factor for the present and future of data privacy laws is data accuracy. As businesses are working to become more data-driven, the accuracy of data must become a top priority. The number one challenge of AI and ML initiatives today is the accuracy of data. The good news is businesses and consumers are aligned in this interest. One of the many provisions in CPRA (effective earlier this year) is a consumer’s right to correct personal information stored by a business. Data accuracy, in conjunction with data privacy, is becoming increasingly important in the regulatory environment.

Looking ahead, data privacy will most likely evolve to give people more control over what systems have access to their data (e.g., whether data can be used to train AI models) and possible recourse when data is used without their consent. The possible recourse for data privacy violations is still being considered as some experts propose that people can seek payment from technology companies to train their AI systems using copyrighted materials. But this development is ongoing and will be a major consideration in the future. Nevertheless, data privacy legislation will evolve as emerging technologies continue to develop.