Celebrating Data Privacy Day 2021: A Year in Review

Today is “Data Privacy Day” (or “Data Protection Day” if you're based in Europe). Observed internationally every January 28, the day is an annual call-to-action to build awareness of privacy rights and the need to protect and safeguard personally identifiable information. 

This year’s event takes place against a backdrop of unprecedented challenge and change in the privacy landscape posed by the pandemic. In the words of Kelvin Coleman, Executive Director, National Cyber Security Alliance (NCSA) who sponsor the event: "The pandemic has ensured that people all over the globe are more connected now than ever before. Consumers are generating more personal data through the use of devices and the businesses that power that connectivity inevitably collect and store that same data."

This accelerated shift to online has challenged many businesses as they have been forced to rapidly accommodate increased data flows, changing business models, and the security and privacy challenges presented by remote working. And for consumers, forced to migrate much of their life and work to online, data privacy concerns are in the spotlight now more than ever before.

Organizations are also contending with a second major disruptor: The rising tide of privacy regulation has significantly altered the rules and risks of online engagement for many businesses. As we celebrate Data Privacy Day, it is important to reflect on how significantly the privacy landscape has altered over the last year, with privacy protections strengthening globally. 

Below we recap some of the key privacy events of 2020 and provide useful resources to help you navigate the implications, obligations, and opportunities for your business.

CCPA, CPRA and the fast-changing US privacy landscape

In the US, 1 January 2020 saw the US privacy frontier pushed forward as the California Consumer Privacy Act (CCPA) came into effect. This landmark law secured new privacy rights for California consumers impacting any businesses that have California customers or operations. As the law applies to California residents, even if they may be in another state at the time they visit a website, it has effectively become a national law.  

On 3 November 2020, the California Privacy Rights Act (CPRA) was approved. The CPRA, also known as CCPA 2.0, makes significant amendments to the CCPA, strengthening and expanding business regulations on the use of personal information, and establishing a new Californian data protection authority. The law is scheduled to become operative on January 1, 2023 and is set to have a seismic impact on the entire online advertising ecosystem.

The CCPA was the front-runner in US data protection regulations and momentum is building with many other states fast-tracking comparable regulations.

For more about preparing for the CPRA and the domestic and international variations that will follow:

5 Steps to a CPRA-Ready Tag Management Strategy 

Following the passing of the CCPA advertisers and businesses have been forced to clarify data-sharing relationships and implement mechanisms for compliance. One significant example: In July 2020 Facebook introduced a Limited Data Use (LDU) feature to enable businesses to take more control over how their data is used within the platform and to address their CCPA compliance obligations. 

Read our quick guide to Facebooks LDU and your options for CCPA compliance:

Understanding CCPA Compliance with Facebook: Limited Data Use 

 Schrems II invalidates EU- US Privacy Shield

One of the most far-reaching and hotly debated developments was the Court of Justice of the European Union’s (CJEU) decision in the Schrems II case, which invalidated the EU-US data transfer mechanism called ‘Privacy Shield.’ On July 16, 2020, the ruling became law with immediate effect, forcing US and international companies to explore other legal data transfer options from the EU, and moving the privacy debate into the realm of geopolitics and trade wars.

For more on Crownpeak’s legal perspective on Schrems II and the implications, risks, and opportunities for global companies:

• OnDemand Webinar: How Schrems II is Raising the Privacy Risk Stakes
• Legal perspective on Schrems II for the Cloud Software Association
• Life after Schrems II: The SaaS advantage for managing regulatory change 

Brazil’s new federal data protection law enacted

The task of complying with an expanding raft of sectorial privacy regulations is becoming increasingly daunting for global enterprises. To harmonize across territories, governing entities are moving to create omnibus privacy legislations, such as Brazil’s Lei Geral de Proteção de Dados (LGPD) — which went into effect on August 16, 2020, with enforcement starting on August 1, 2021.

The law applies extraterritorially, so for companies that do business in South American and Latin American markets, the enactment of this legislation will have a major impact.   While the LGPD has broad similarities with Europe’s GDPR there are crucial differences that organizations need to be aware of. 

For an overview of the key similarities and differences:

LGPD vs. GDPR - How to Keep Pace with Global Regulation 

CNIL releases updated cookie guidance under GDPR

On October 1, 2020, the French data protection authority, CNIL released updated guidelines mandating the experiences end-users should encounter when interacting with cookie consent notices. The ruling falls withing the mandates of the GDPR, and organizations must adopt the requirements by March 31, 2021.

To learn about achieving CNIL-compliant cookie consent:

Updated GDPR Banner Guidelines (France & UK) 

Why privacy is key in the new data economy

The pace of change in the privacy landscape presents organizations with much to contend with but, indeed, much to celebrate as it presents a powerful opportunity for enterprises to redefine the customer relationship and reshape their market space.

The NCSA has announced two key themes for this year’s Data Privacy Day event which puts privacy firmly at the centre of every digital interaction: Individuals are encouraged to “Own Your Privacy” and Businesses are urged to “Respect Privacy” and keep consumers’ personal information safe. 

In our data-driven economy, today’s privacy-savvy consumers are increasingly directing their business to the companies they trust to secure and respect their personal information. The winners will be those companies able to deliver secure, transparent privacy experiences, which put their customers in control of their own data.

To learn more about how Crownpeak can help you create high-converting privacy experiences and gain visibility and control over your data and digital supply chains, speak to an expert today.