Understanding the impact of 2022 data privacy regulations

Over the past five years, governments have taken a firmer stand around protecting consumer privacy. Various laws went into effect that set limitations around the collection of the information of private citizens and directions on informing individuals about what was collected. In addition, they established control over the way public and private entities shared that data. Below is an overview of changes to regulations and their impacts in 2022.

1. CCPA

The California consumer privacy act (CCPA) is state legislation that became law in 2018 and went into effect starting January 1, 2020. It started the trend of states trying to establish privacy laws to establish security laws and data privacy protections. The legislation defines consumer rights in California and outlines penalties assessed if any entity operating in the state violates the conditions.

Many personal and business-to-business carveouts extended after the 2021 implementation expired on January 1, 2022. So until the state decides to extend those provisions, many more entities will be subject to the regulations outlined in the law.

2. GDPR

It’s been four years since the European Union (EU) enacted the General Data Protection Regulation (GDPR) law that still stands as one of the strictest privacy laws around the globe. The goal was to provide a counterbalance to rapidly growing tech companies with access to countless amounts of data on private citizens.

The GDPR restricted how these entities could use and profit from the information. The most significant change forced companies like Google to get explicit consent from consumers versus implied consent by using their platform. Look for increased efforts from regulators around enforcing various law provisions and removing ambiguity in sections of the language.

Member EU states will likely make changes that reflect local needs, like defining the parameters of a child’s age and requirements for parental consent. Companies like Amazon have already been fined for violating consumers’ consent by not offering consumers a choice on opting out of providing information.

There’s also a new draft of AI regulations in the EU coming down the pipeline. The goal of the law is to set up technology-neutral definitions of an AI system. In addition, the regulation lays out rules tailored around the risks of using the technology.

3. CAN-SPAM

The U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) to address the issue of individuals continuously receiving unwanted electronic messages. At the time, the focus was on communications received via email. However, as marketing strategies have evolved, the CAN-SPAM act has increased significance.

A court decision in 2011 made it clear that the CAN-SPAM act also applied to messages sent via social media platforms like Facebook. As of 2022, there are no recent changes to the CAN-SPAM law that might apply to other forms of communication sent by marketers.

The potential laws of tomorrow: Legal proposals in play for 2022

Two new proposals from the European Commission look to upgrade the current rules around EU digital services. The Digital Services Act and the Digital Markets Act look to create a safer space for users while they are online. In addition, the legislation aims to create a more even playing field for smaller companies who feel shut out by larger corporate entities. 2022 might also bring about the implementation of the long-awaited e-Privacy Regulation.

Digital Services Act

The Digital Services Act covers companies that provide intermediaries like internet providers, online platforms like Facebook, and hosting services. Depending on the company’s size, its obligations could extend to forcing the business entity to monitor third-party vendors, perform external risk auditing, and establish codes of conduct for users.

Digital Markets Act

To level out the advantages currently held by companies like Apple and Microsoft, the Digital Markets Act would set rules for major online platforms that prevent them from allowing unfair business and consumer conditions. That means Amazon would no longer be able to push its products to the forefront at the expense of other sellers.

ePrivacy Regulation

Initially intended for enforcement alongside the GDPR in 2018, the ePrivacy Regulation establishes privacy rules for electronic communications entities and services like WhatsApp, Skype, and Messenger. The goal is to close gaps in the GDPR that left out these kinds of companies.

Another important change the e-Privacy regulation covers is creating more straightforward cookie rules. Users would have control over whether they consent to cookie tracking within internet browsers. In addition, it clarifies that website owners would not need permission to use non-privacy intrusive cookies like shopping carts. Finally, end-users would have the ability to withdraw consent previously granted at least once per year.

Privacy protection with Lytics

The Lytics CDP platform complies with established regulations within the U.S. and Europe. Organizations looking to adopt a CDP platform should inform themselves about privacy guidelines and how they might affect their business. If you have more questions about Lytics and data protection, you can reach out to us here.