Data privacy is always on our minds and especially so on January 28, Data Privacy Day. Yes, it’s a real holiday, but given the constant threats our data-rich world faces, we see it as an occasion to reflect and look forward at how best to protect sensitive data.
We asked members of the Nixon Peabody Cybersecurity & Privacy team to share their data privacy outlook for 2022, including the most important trends impacting businesses and individuals, and regulations to watch.
Andrew Choung, Partner
Transparency matters. A business collecting data needs to disclose how information is used and provide customers with a clear process for opting in/out.
Jenny Holmes, Associate
With the GDPR and the CCPA changing the way individuals view privacy, companies should be prepared to address privacy rights for all individuals. Treating individuals’ privacy with respect is about more than just legal compliance; it’s about the reputation and goodwill of your business.
Jason Kravitz, Partner
My data privacy prediction for 2022? Pain. Lots of it.
Companies will continue to experience the pain of complying with ever-changing regulations, and many will experience the excruciating pain associated with a cyberattack. Individuals will suffer the pain of knowing that their sensitive data is constantly under siege by those who wish to misuse it.
Jason Kunze, Counsel
I have been closely monitoring web scraping disputes, such as for breach of website terms preventing data scraping, alleged violations of the Computer Fraud and Abuse Act (CFAA), and related claims. Particularly where a company has acquired significant “quasi-public” information from a large base of users, restricting scraping can be a huge advantage to first movers but also stifles competition.
Valerie Montague, Partner
It’s been almost a decade since the last substantive modifications to the HIPAA regulations, and updates are expected in 2022. Although the proposed regulations were issued by a different administration, the new rules are expected to expand the ability of healthcare providers to share information for care coordination and in emergency situations, such as opioid overdoses. Building on a HIPAA enforcement theme over the past few years, the new rules also are expected to address a patient’s right to access their health information.
Thomas O’Keefe, Counsel
Many companies operate under the misconception that, because they are not a “tech” company, or because their business is not heavily reliant on inflows of customer data or other personal information, they need not worry too much about the privacy implications of their business. But privacy obligations apply to even those companies that rely less heavily on personal data to provide products and services.
To perform properly scoped privacy analyses, a company should evaluate all of its data inflows and outflows, regardless of the industry in which it operates.
John Ruskusky, Partner
Biometric data is an area to watch in 2022. I’m closely monitoring efforts in other states to pass legislation relating to biometric data regulation similar to Illinois’ BIPA statute.
Tina Sciocchetti, Partner
We expect ongoing pressure on Congress to “raise the age” for online consent and enhance Verifiable Parental Consent (VPC) requirements under COPPA (the Children’s Online Privacy Protection Act) as social media use among children and teens – and associated data privacy risks – continues to grow. Recent data protection laws in California and the EU set the age of online adulthood at 16.
Andrew Share, Partner
As the metaverse continues to develop, the lines between the real and virtual worlds are blurring faster than ever before. This raises new and ever-expanding cybersecurity and data privacy issues – on top of the protection of personal rights that various jurisdictions worldwide are still struggling to get their arms around.
Sarah Swank, Counsel
With focused attention now on artificial intelligence, we have the potential to transform care delivery, clinical research and burdensome healthcare administration while eliminating bias. This will benefit and protect big data and support clinicians.
Richard Tilghman, Partner
I am monitoring how Illinois courts will address the healthcare-related exceptions under the Illinois Biometric Information Privacy Act (BIPA), as it affects healthcare and life sciences clients.
There are indications that Illinois courts may determine that damages under BIPA are discretionary, not mandatory, which could provide some relief to many companies that were caught in BIPA’s crosshairs.
Erica Van Loon, Partner
Many of my clients would like to start accepting cryptocurrency as payment for their goods and services. However, there are numerous challenges to accepting cryptocurrency while also complying with data privacy laws such as the California Consumer Protection Act (CCPA), which forbids companies from capturing personal data that cannot be deleted or amended. Cryptocurrency, by its nature, records blockchain activity, which often includes private consumer information.
Anders Van Marter, Senior eDiscovery & Data Governance Advisor
Data privacy is typically a component of the technology selection process for many clients. Scrutinizing the privacy scaling capabilities of technology with an eye towards the future is less common. Each time a company updates their systems or applications, there is a built-in opportunity to consider how this new technology will enhance or hinder compliance efforts in the future.
In my mind, functionality and data privacy are equally important when updating any system. The Privacy by Design concept is the bedrock of the GDPR and the inspiration for many state-level privacy laws. Clients can work with attorneys and technologists to better understand Privacy by Design and how using it in the technology selection process can prepare them to comply with future privacy obligations.