Privacy by design—opportunity or roadblock?

There has been a steady increase in privacy regulations throughout the U.S. in recent years—a trend that does not show any sign of slowing down. These new regulations can pose headaches for companies, particularly because compliance differs from state to state. As the U.S. continues to play catch up with Europe in terms of privacy regulation, it is worth looking at the direction Europe has taken—particularly, Europe’s embrace of “privacy by design” in its landmark General Data Protection Regulation (GDPR). Is the U.S. finally ready to embrace a right to privacy of personal data? And will U.S. businesses make “privacy by design” a business priority?

Former Canadian Information and Privacy Commissioner Ann Cavoukian first introduced the seven foundational principles behind the concept of “privacy by design” (PbD) in 2009. PbD is an approach to protect privacy by embedding data protection into technology-related processes and procedures and system infrastructure from the beginning. PbD promotes implementing data protection from the outset of the development of new products, services, or technologies and throughout the entire lifecycle of the processing of any personal data cycle.

Notably, the GDPR expressly incorporated PbD. For example, under Article 25, the GDPR provides that companies must implement technical and organizational measures that are “designed to implement data-protection principles” and to implement “necessary safeguards into the processing.” Moreover, the GDPR incorporates the notion of PbD vis-à-vis directives around data pseudonymization and data minimization. To leverage such concepts, these privacy functions must be built into the initial design of the technology. The GDPR also goes beyond the design of technology and emphasizes the need to create policies and products that reflect data-protection principles.

While the U.S. has not enacted a sweeping, comprehensive regulation like the GDPR, there has been a significant shift in how Americans view the right to privacy. A recent Pew Research poll found that 81% of the public believes the risks of data collection by companies outweigh the benefits, with 75% of Americans saying there should be new regulations on what companies can do with personal data. And while states have been slow to act, there is a new effort to pass more comprehensive privacy regulations—with many thinking that overarching federal legislation may follow.

California continues to lead the way in terms of privacy regulation—especially with its recently–passed California Privacy Rights Act (CPRA), which expands the privacy rights within the existing California Consumer Privacy Act (CCPA). While neither the CCPA nor the CPRA, which does not go into effect until January 1, 2023, explicitly require privacy by design, like in the GDPR, they do indicate that perhaps the U.S. is heading in that direction, and businesses should take note. For example, the CCPA provides that a manufacturer of a device that connects to the internet must add a security feature designed to promote against unauthorized access, destruction, and use of the data. And the CPRA embraces a number of the GDPR’s fundamental principles—such as data minimization, data retention, and recognizing categories as sensitive personal information. Therefore, applications that limit data collection, track data through its entire lifecycle, and remove data regularly will streamline compliance with the CPRA. The CPRA raises the bar for data security and will require businesses and developers to focus on privacy from the inception through implementation of new systems and applications. The notion of PbD is weaved throughout the CPRA—indicating a significant shift in U.S. privacy regulation.

There is a real reckoning emerging in the U.S. regarding the right to privacy over personal data. The proliferation of data and recent high-profile data breaches have only underscored the public’s concern over how companies manage and use personal data. Will businesses shift their view on privacy and begin to embrace PbD and find ways to make it a business advantage as opposed to a roadblock? U.S. companies could be a leader in finding ways to find the balance between the benefits of technology and safeguarding personal data.