COMMENTARY. Five years since the European Union's General Data Protection Regulation took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act.

The Consent-Compliance Gap: How Businesses Are Falling Short

Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. Many companies assume that simply using consent banners or consent management platforms ensures compliance. All too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.

The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. The GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.

It's About to Get More Complicated

In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act, Brazil's General Data Protection Law, and China's Personal Information Protection Law. Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation. State-level privacy laws also passed in Delaware, Indiana, Iowa, Montana, Oregon, and Texas.
These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated. Let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.

On the technical side, businesses need smart consent management technology that can adapt to different regulations. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly. In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to apply these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.

Compliance Is a Constant Effort in an Evolving Global Privacy Landscape

For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. As of June 2023, the EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million judgment against Amazon in July 2021, was handed down because the tech company had been using an implied consent model on its EU properties.

Consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust.
Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships. To gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000