Consumers' willingness to shrug and use an app or product without worrying about its privacy policy has given organizations a lot of power over how they collect and use data. But consumers and governments alike are starting to view the way businesses use data with more skepticism.
Whether driven by consumer expectations or government legislation, many organizations are having to rethink their data use. In 2022, the state of data privacy is evolving. And many of the changes we see have been a long time coming.
What is the Data Economy?
It’s long been true that anytime a product is free, the consumer (or more accurately, their data) is the product. Increasingly, that’s true of products consumers pay for as well. Even though you pay for items like smart TVs, smart thermostats, and fitness trackers, the companies behind them usually collect a lot of data about the way you use them.
And often, those companies aren’t keeping the data to themselves. One analysis found that the vast majority of the connected devices studied (72 out of 81) send data to parties other than the original manufacturer. In other words, almost any connected device you own is probably sharing, and possibly selling, your data to third parties.
The Internet of Things (IoT) adds a lot of convenience and cool features to people’s lives. That’s why so many people choose to buy products and scroll right by the small print before they start using them. But IoT risks add a whole other dimension to cybersecurity and third-party risk management (TPRM) concerns.
Modern Data Privacy
The more devices and apps that can access your sensitive data, the larger the attack surface around it. And the more those companies share your data with others, the messier the whole situation gets. Every additional company in the web of data-sharing relationships is another place that holds a copy of consumer data, and another place it can leak from. Predictably, attackers are happy to find and take advantage of those opportunities.
A number of notable examples reveal how vulnerable consumers are:
- GetHealth Data Breach – In September 2021, a Website Planet report found an unsecured database of more than 61 million records from various fitness trackers and wearables exposed online. Their analysis pointed to GetHealth, a company that offered a unified view of data from a long list of health and fitness services for use in companies’ wellness programs. Much of the data came from Fitbit and Apple, showing how a third party with lax security practices can expose the users of even the biggest players in a space.
- Grindr Data Breach – In July 2021, Grindr made news when supposedly anonymized location data originating from the app was obtained by a Catholic news publication that used it to out a priest. The publication said it got the information from “data vendors,” so this was not a system intrusion but data acquired through the commercial data supply chain. The case shows how harmful it can be when “anonymous” data enters that complex and barely regulated supply chain, where it can be re-identified.
- Muslim Pro Data Sharing – In November 2020, a Motherboard investigation found that the popular prayer app Muslim Pro was one of several apps selling location data to third parties, and that some of that data reached the U.S. military through data brokers. This was not something users knowingly consented to.
- Opioid Treatment Apps Data Sharing – In July 2021, TechCrunch shared the results of an investigation that found multiple opioid treatment and recovery apps sharing sensitive user data with third parties. Even apps that handle data their users would obviously want kept private participate in the data economy.
All of these examples paint a stark picture of companies not taking proper precautions with their users’ data and being much freer with whom they share that data than consumers realize.
State of Data Privacy Laws
A natural response to reading about some of the most egregious data privacy examples is to wonder about the legality of it all. But it takes time for the law to catch up to the realities of fast-moving technology, and it can take even longer for businesses to catch up to the law.
The most notable of the data privacy laws, Europe’s General Data Protection Regulation (GDPR), was adopted in 2016 and has been enforceable since May 2018. And yet “managing GDPR compliance continues to be complex for outsourcers and service providers to adopt new contract provisions and ensure that due diligence processes align to the strengthened obligations for third-party risk management,” explains Linnea Solen, partner/advisor to Shared Assessments.
The European Union (EU) and the United Kingdom (UK) have recently added to the requirements businesses must meet—in ways that require serious changes for many businesses. “Adopting the EU’s Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreements (IDTA) for new and existing data processor relationships is a much larger undertaking than simply updating contracts,” says Solen. “The changes put a spotlight on both data governance and enforcement of data protection safeguards that impact the governance model and policies in a TPRM program.”
But while Europe has made some progress in data privacy legislation, the United States is still far behind. The country lacks a single federal law defining data protection. Instead, three states have passed state-level legislation, and many others have introduced bills that may pass this year. California has the most comprehensive data privacy legislation, with both the California Consumer Privacy Act (CCPA) and the Security of Connected Devices Act (SB-327), which addresses IoT specifically by requiring manufacturers to equip connected devices with reasonable security features. Colorado and Virginia have followed suit, passing the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA).
Steps To Comply With Data Privacy Law
If keeping track of which customers in which states and countries have which data rights, and making sure you’re compliant with all of them, sounds complicated, that’s because it is. The patchwork of data privacy laws organizations have to follow is confusing now, and it is set to get more so as additional states get in the game.
But while staying compliant can seem like a pain on the business side, for consumers these laws often feel like they’re not going far enough. There are still a lot of instances where companies and the third parties they work with can use or sell a consumer’s data without permission.
Following the law is required. But for most businesses, that isn’t enough on its own to keep the data you hold secure. Consider your processes for collecting data and sharing it with the third parties you work with, and look at the way you do things now with a critical eye. Are you crossing lines consumers wouldn’t be OK with? Are there weaknesses in your data collection and transfer processes that you need to correct?
No organization wants to be at the center of a news story that illustrates the dangers of data privacy today, but too few are doing the work to make sure that doesn’t happen.